Hello, I would like to propose enabling the GCC hardening patches that Ubuntu uses. Ubuntu has used it successfully for 1.5 years now (3 releases), and many of the issues have already been fixed in packages that needed adjustment. After all this time, use of the hardening-wrapper package is still very low, so I think the right thing to do is to just fix this in the compiler and everyone wins. I'm not suggesting that there won't be added work to fix problems, but I believe that for Debian the benefits now outweigh the risks.
I do not expect to reach consensus with all developers on this, so I'm not sure who I need to convince to move it forward. (Perhaps just the GCC maintainers?) Regardless, if you agree with this, please speak up. I think it's very important that this change happens.

My candid commentary and possible trolling...

Arguments for:

- users of Debian become safer (real security vulnerabilities are either non-issues or reduced to a DoS).
- security team has less work to do.
- software quality improves by finding subtle bugs (and not just packaged software -- anything compiled with the Debian gcc).

Arguments against:

- makes the compiler's behavior different than stock compiler.
  Rebuttal: honestly, I don't care -- it seems like such a huge win for safety and is easy to debug. Debian already carries plenty of patches anyway -- there is no such thing as the "stock compiler".
- makes more work for dealing with warnings.
  Rebuttal: those warnings are there for a reason -- they can be real security issues, and should be fixed.
- lacks documentation.
  Rebuttal: that may have been true a while ago, but I've worked hard to document the features and how to handle problems. See . Even the gcc man pages are patched.
- makes running Debian slower.
  Rebuttal: no, nothing supports this. The bulk of _FORTIFY_SOURCE is compile-time. Run-time checks, including those from -fstack-protector, are just not measurable. The burden of evidence for anyone claiming this is on them. I'm not suggesting we turn on PIE; that option can be a problem.

Inflammatory observation: Debian may be the single remaining major Linux distribution that does not use the stack protector and _FORTIFY_SOURCE when building its packages. I find this embarrassing. Check for yourself.

Thanks,

-Kees

http://outflux.net/hardening-for-all.patch
(Note that the gcc hardening does NOT turn on PIE, which has measurable performance problems on some architectures.)
https://wiki.ubuntu.com/CompilerFlags

Sampling of bugs I've personally filed:

Closed
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521108
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529074
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479398
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488456
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488457
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497833
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497865
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505734
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505233

Open
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523807
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488460
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488462

http://wiki.debian.org/Hardening

Many vulnerabilities have been blocked in Ubuntu, but I will give one good example of a remote root vulnerability with functional exploits in the wild that was a non-issue on versions of Ubuntu with the hardened compiler defaults:
http://www.debian.org/security/2009/dsa-1833

Are there _chk functions in common binaries?

    $ objdump -R /bin/df | grep _chk
    0000000000612048 R_X86_64_JUMP_SLOT __fprintf_chk
    0000000000612068 R_X86_64_JUMP_SLOT __printf_chk
    00000000006120c0 R_X86_64_JUMP_SLOT __memcpy_chk
    00000000006121c0 R_X86_64_JUMP_SLOT __stack_chk_fail
    0000000000612220 R_X86_64_JUMP_SLOT __sprintf_chk
    0000000000612230 R_X86_64_JUMP_SLOT __snprintf_chk

-- 
Kees Cook
@debian.org
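The `objdump -R | grep _chk` check above, turned into a small checker that reads the relocation records and reports whether a binary shows evidence of -fstack-protector (`__stack_chk_fail`) and _FORTIFY_SOURCE (`__*_chk` imports), and which fortifiable functions are still called unchecked. This is an added example, not code from the mail or from Debian; `FORTIFIABLE` is an illustrative subset of glibc's fortified functions, `check_binary` is a hypothetical helper name, and the sample records beyond the six from the mail (free, strcpy, __libc_start_main) are constructed.

```python
import re
import subprocess

# libc functions glibc swaps for __<name>_chk wrappers under _FORTIFY_SOURCE (subset)
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "sprintf", "snprintf", "vsprintf", "vsnprintf", "printf",
               "fprintf", "gets", "fgets", "read", "recv", "getcwd", "realpath"}

# One 'objdump -R' record: <offset> <reloc type> <symbol>[@version]
RELOC_RE = re.compile(r"^[0-9a-fA-F]+\s+R_\S+\s+(\S+)")

# Constructed sample: the six records quoted in the mail plus three made-up
# ones (free, strcpy, __libc_start_main) to exercise the unfortified path.
SAMPLE_OBJDUMP = """\
OFFSET           TYPE              VALUE
0000000000612040 R_X86_64_JUMP_SLOT free
0000000000612048 R_X86_64_JUMP_SLOT __fprintf_chk
0000000000612050 R_X86_64_JUMP_SLOT strcpy
0000000000612058 R_X86_64_JUMP_SLOT __libc_start_main@GLIBC_2.2.5
0000000000612068 R_X86_64_JUMP_SLOT __printf_chk
00000000006120c0 R_X86_64_JUMP_SLOT __memcpy_chk
00000000006121c0 R_X86_64_JUMP_SLOT __stack_chk_fail
0000000000612220 R_X86_64_JUMP_SLOT __sprintf_chk
0000000000612230 R_X86_64_JUMP_SLOT __snprintf_chk
"""

def parse_reloc_symbols(objdump_text):
    """Return the set of symbol names referenced by dynamic relocations."""
    symbols = set()
    for line in objdump_text.splitlines():
        match = RELOC_RE.match(line.strip())
        if match:
            symbols.add(match.group(1).split("@", 1)[0])  # drop @GLIBC_x.y
    return symbols

def hardening_report(symbols):
    """Summarise what the imported symbols say about the build's hardening."""
    fortified = sorted(s[2:-4] for s in symbols
                       if s.startswith("__") and s.endswith("_chk"))
    # Plain calls to fortifiable functions: built without _FORTIFY_SOURCE, or
    # the destination size was not known at compile time (no check possible).
    unfortified = sorted(s for s in symbols if s in FORTIFIABLE)
    return {"stack_protector": "__stack_chk_fail" in symbols,
            "fortified": fortified, "unfortified": unfortified}

def check_binary(path):
    """Same report for a real binary on disk (needs binutils' objdump)."""
    out = subprocess.run(["objdump", "-R", path], capture_output=True,
                         text=True, check=True).stdout
    return hardening_report(parse_reloc_symbols(out))
```

An entry in `unfortified` is not by itself a defect: _FORTIFY_SOURCE only replaces a call when the compiler can determine the destination buffer's size, so a mixed report is normal for a correctly hardened build.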