I would like to propose enabling[1] the GCC hardening patches that Ubuntu
uses[2].  Ubuntu has used it successfully for 1.5 years now (3 releases),
and many of the issues have already been fixed in packages that needed
adjustment[3].  After all this time, use of the hardening-wrapper[4]
package is still very low, so I think the right thing to do is to just fix
this in the compiler and everyone wins.  I'm not suggesting that there
won't be added work to fix problems, but I believe that for Debian the
benefits now out-weigh the risks.

I do not expect to reach consensus with all developers on this, so I'm
not sure who I need to convince to move it forward.  (Perhaps just the
GCC maintainers?)  Regardless, if you agree with this, please speak up.
I think it's very important that this change happens.

My candid commentary and possible trolling...

Arguments for:
    - users of Debian become safer (real[5] security vulnerabilities are
      either non-issues or reduced to a DoS).
    - security team has less work to do.
    - software quality improves by finding subtle bugs (and not just
      packaged software -- anything compiled with the Debian gcc).

Arguments against:
    - makes the compiler's behavior different than stock compiler.
        Rebuttal: honestly, I don't care -- it seems like such a
                  huge win for safety and is easy to debug.  Debian
                  already carries plenty of patches anyway -- there
                  is no such thing as the "stock compiler".
    - makes more work for dealing with warnings.
        Rebuttal: those warnings are there for a reason -- they can
                  be real security issues, and should be fixed.
    - lacks documentation.
        Rebuttal: that may have been true a while ago, but I've worked
                  hard to document the features and how to handle
                  problems.  See [2].  Even the gcc man pages are patched.
    - makes running Debian slower.
        Rebuttal: no, nothing supports this.  The bulk of _FORTIFY_SOURCE
                  is compile-time.  Run-time checks, including those from
                  -fstack-protector are just not measurable.  The burden of
                  evidence for anyone claiming this is on them.  I'm not
                  suggesting we turn on PIE; that option can be a problem.

Inflammatory observation: Debian may be the single remaining major Linux
distribution that does not use the stack protector and _FORTIFY_SOURCE
when building its packages.  I find this embarrassing.  Check[6] for



[1] http://outflux.net/hardening-for-all.patch
    (Note that the gcc hardening does NOT turn on PIE, which has
     measurable performance problems on some architectures.)

[2] https://wiki.ubuntu.com/CompilerFlags

[3] Sampling of bugs I've personally filed:

[4] http://wiki.debian.org/Hardening

[5] Many vulnerabilities have been blocked in Ubuntu, but I will give one
    good example of a remote root vulnerability with functional exploits
    in the wild that was a non-issue on versions of Ubuntu with the
    hardened compiler defaults:

[6] Are there _chk functions in common binaries?
    $ objdump -R /bin/df | grep _chk
    0000000000612048 R_X86_64_JUMP_SLOT  __fprintf_chk
    0000000000612068 R_X86_64_JUMP_SLOT  __printf_chk
    00000000006120c0 R_X86_64_JUMP_SLOT  __memcpy_chk
    00000000006121c0 R_X86_64_JUMP_SLOT  __stack_chk_fail
    0000000000612220 R_X86_64_JUMP_SLOT  __sprintf_chk
    0000000000612230 R_X86_64_JUMP_SLOT  __snprintf_chk

Kees Cook                                            @debian.org

To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to