Dear Jan,
I've run through what I'd written and I have a feeling that it can be
misleading.
So here is an actual example output of the command "gcc-config -l":
"
hostname ~ # gcc-config -l
[1] i686-pc-linux-gnu-4.2.4 *
[2] i686-pc-linux-gnu-4.2.4-nofortify
[3] i686-pc-linux-gnu-4.2.4-nopie
[4] i686-pc-linux-gnu-4.2.4-nossp_all
[5] i686-pc-linux-gnu-4.2.4-strict
[6] i686-pc-linux-gnu-4.2.4-vanilla
"
Here you can see that the same version of gcc has several profiles. The
one without any additional tag is the default hardened profile. It compiles
hardened executables by default. The vanilla profile is intended to
implement the original non-hardened behavior.
I'm running the experimental hardened toolchain, which is the reason I
have entries 2, 4 and 5. If you are not using the experimental hardened
toolchain you should probably have 3.4.6, -nopie, -nossp and
-vanilla. If you have gcc-4+ and you are not using the experimental
hardened toolchain you are probably missing hardened toolchain features
(some developers tend to neglect them and/or treat them as useless - I
don't understand why).
Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
On Mon, November 24, 2008 20:40, [EMAIL PROTECTED] wrote:
> Let's start with this command: "gcc-config -l". You should see multiple
> flavors of each version of hardened gcc you installed. If the green mark is
> beside the one without any additional tag at the end: that means you
> compile executables hardened by default if you are running gcc (either
> through make or executing g++). If you do not have -nopie and -vanilla
> tags appended to the end of the particular version of gcc, that means your
> gcc of that version is not hardened. You can switch back to the original
> behavior with gcc-config selecting the vanilla profile. Just don't forget
> to flip it back to the default hardened. Ebuilds can switch some features
> (pie, ssp) on and off at compile time.
>
> If you want to make sure that your executable is hardened you can use the
> binutils executable called "readelf". Some examples:
> "readelf -h <executable> | grep DYN" - shows if the executable is PIE
> "readelf -s <executable> | grep -E 'guard|stack'" - shows if the executable
> is SSP-enabled (use guard for the old, and stack for the new ssp
> implementation)
> "readelf -l <executable> | grep RELRO" and "readelf -d <executable> | grep
> BIND" show that some linker options were applied to the executable, which
> make the hardening more complete.
>
> Is it clearer now?
>
> Regards,
> Dw.
> --
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057,
> 06-30-5962-962
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
>
> On Mon, November 24, 2008 21:06, Jan Klod wrote:
>> Please, could someone give a short introduction in how I should make
>> sure I am compiling with hardened features support? And if I do it
>> manually with some "make" or "gcc" or "g++"?
>> Thank you...
>>
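The four readelf checks from the quoted mail (PIE, SSP, RELRO, BIND_NOW), wrapped into one script so the hardening state of a binary can be read off in a single run. This is an added example and not code from the thread or from Gentoo's toolchain; the function names are my own, it assumes binutils' readelf is on the PATH, and it follows the mail in treating `__stack_chk_fail` as the new SSP symbol and `__guard` as the old ProPolice one. One caveat the mail does not spell out: `readelf -h` reports type DYN for shared libraries as well as PIE executables, so the PIE check is only meaningful on something you know is an executable.

```shell
#!/bin/sh
# elf-hardening-check: summarise PIE / SSP / RELRO / BIND_NOW state of an
# ELF executable with the readelf commands described in the mail above.
# Added example; not from the mailing-list thread or from Gentoo's toolchain.

# Every is_* function reads readelf output on stdin and prints "yes"/"no"
# (is_ssp prints "new"/"old"/"no"), so the logic can be exercised on
# captured readelf output without a binary at hand.

# readelf -h: a PIE executable has ELF type DYN, like a shared library.
# Caveat: a plain .so also reports DYN, so only apply this to executables.
is_pie() {
    if grep -q 'Type:[[:space:]]*DYN'; then echo yes; else echo no; fi
}

# readelf -s: __stack_chk_fail is the gcc >= 4.1 / glibc SSP symbol,
# __guard belongs to the older ProPolice implementation (assumed per mail).
is_ssp() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -q '__stack_chk_fail'; then echo new
    elif printf '%s\n' "$input" | grep -q '__guard'; then echo old
    else echo no; fi
}

# readelf -l: a GNU_RELRO program header means the linker (-z relro) marked
# the relocation tables read-only after loading.
is_relro() {
    if grep -q 'GNU_RELRO'; then echo yes; else echo no; fi
}

# readelf -d: BIND_NOW (from -z now) resolves every symbol at load time;
# with RELRO this makes the GOT read-only as well ("full RELRO").
# Matches both the DT_BIND_NOW tag and the NOW flag in FLAGS/FLAGS_1.
is_bindnow() {
    if grep -E -q 'BIND_NOW|Flags:.* NOW'; then echo yes; else echo no; fi
}

# Run all four checks against a real file. Usage: hardening_report /bin/ls
hardening_report() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    printf '%-8s %s\n' 'PIE:'     "$(readelf -h "$file" | is_pie)"
    printf '%-8s %s\n' 'SSP:'     "$(readelf -s "$file" | is_ssp)"
    printf '%-8s %s\n' 'RELRO:'   "$(readelf -l "$file" | is_relro)"
    printf '%-8s %s\n' 'BINDNOW:' "$(readelf -d "$file" | is_bindnow)"
}

# When run as a script with arguments, report on each file given.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do echo "== $f"; hardening_report "$f"; done
fi
```

Source the file to get the four `is_*` helpers for piping captured readelf output into, or run it as `sh elf-hardening-check.sh /path/to/executable` for a report. A "no" from `is_ssp` on a tiny program is not proof that SSP is off: the compiler only emits the canary check in functions that have stack buffers, so test it against a binary that actually contains one.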