additional compiler hardening flags

Iain Morgan imorgan at nas.nasa.gov
Thu Apr 18 09:03:11 EST 2013


Hello Darren,

Seeing as no one has responded on the list regarding this, I wanted to
give a brief response. I applied your proposed changes to the 6.2p1
release and have been running it for some time now. I'm not prepared to
comment on the individual compiler/linker options, but they seem
reasonable at a glance.

The only complication which I encountered was that it failed to link a
local build of OpenSSL. Once I rebuilt OpenSSL with -fPIC, everything
was fine.

On Fri, Mar 22, 2013 at 00:08:15 -0500, Darren Tucker wrote:
> Hi all.
> 
> Any reason not to turn these on if the system supports them?  They're
> cheap but not free (a bit under 1% slower to run the complete regress
> suite in a completely unscientific test).
> 
> They're based on info from these places:
> https://wiki.ubuntu.com/ToolChain/CompilerFlags
> http://wiki.debian.org/Hardening
> http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
> and I've attempted to take the ones that make sense for openssh.
> 
> From my reading, -fPIE should be sufficient since we're not building a
> shared library, however having -fPIC too does not seem to hurt.
> 
> Things in those pages that I don't think are needed:
>  -Wa,--noexecstack (don't have any assembler sources)
>  --param=ssp-buffer-size=4 (superseded by -fstack-protector-all)
> 
> Tests/comments/corrections welcome.
> 
> Index: Makefile.in
> ===================================================================
> RCS file: /home/dtucker/openssh/cvs/openssh/Makefile.in,v
> retrieving revision 1.336
> diff -u -p -r1.336 Makefile.in
> --- Makefile.in	7 Mar 2013 15:37:13 -0000	1.336
> +++ Makefile.in	22 Mar 2013 02:42:20 -0000
> @@ -383,7 +383,7 @@ uninstall:
>  
>  regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
>  	[ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress; \
> -	$(CC) $(CPPFLAGS) -o $@ $? \
> +	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $? \
>  	$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
>  
>  tests interop-tests:	$(TARGETS) regress/modpipe$(EXEEXT)
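Review bot: the added $(CFLAGS) in the regress/modpipe rule is not explained in the message or in the Makefile. This rule compiles and links modpipe.c in a single command, so once the configure.ac hunk puts -pie into LDFLAGS the source has to be built with the matching -fPIE that the same hunk asks OSSH_CHECK_CFLAG_COMPILE to test. A one-line comment above the rule saying that would stop the flag being dropped later as redundant.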
> Index: aclocal.m4
> ===================================================================
> RCS file: /home/dtucker/openssh/cvs/openssh/aclocal.m4,v
> retrieving revision 1.8
> diff -u -p -r1.8 aclocal.m4
> --- aclocal.m4	20 May 2011 01:45:25 -0000	1.8
> +++ aclocal.m4	22 Mar 2013 02:42:20 -0000
> @@ -21,6 +21,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
>  	)
>  }])
>  
> +dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
> +dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
> +dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
> +dnl 'check_flag'.
> +AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
> +	AC_MSG_CHECKING([if $LD supports $1])
> +	saved_LDFLAGS="$LDFLAGS"
> +	LDFLAGS="$LDFLAGS $1"
> +	_define_flag="$2"
> +	test "x$_define_flag" = "x" && _define_flag="$1"
> +	AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
> +		[ AC_MSG_RESULT([yes])
> +		  LDFLAGS="$saved_LDFLAGS $_define_flag"],
> +		[ AC_MSG_RESULT([no])
> +		  LDFLAGS="$saved_LDFLAGS" ]
> +	)
> +}])
>  
>  dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
>  dnl Does AC_EGREP_HEADER on 'header' for the string 'field'
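Review bot: the dnl header documents the macro as OSSH_CHECK_CFLAG_LINK, but the AC_DEFUN directly below it defines OSSH_CHECK_LDFLAG_LINK, which is the name configure.ac calls; the comment should use the LDFLAG name. The AC_MSG_CHECKING text says "$LD" although the probe goes through AC_LINK_IFELSE, so it is the compiler driver with $LDFLAGS that is being tested and the message could say so. AC_LINK_IFELSE only fails on a non-zero exit status, so a linker that prints a warning for an unknown -z keyword and carries on will be recorded as supporting it; checking the link output for warnings would make the result more trustworthy.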
> Index: configure.ac
> ===================================================================
> RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v
> retrieving revision 1.519
> diff -u -p -r1.519 configure.ac
> --- configure.ac	22 Mar 2013 01:49:15 -0000	1.519
> +++ configure.ac	22 Mar 2013 04:45:37 -0000
> @@ -138,6 +138,13 @@ if test "$GCC" = "yes" || test "$GCC" = 
>  	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
>  	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
>  	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
> +	OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
> +	OSSH_CHECK_CFLAG_COMPILE([-fPIC])
> +	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
> +	OSSH_CHECK_LDFLAG_LINK([-pie])
> +	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
> +	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
> +	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
>  	AC_MSG_CHECKING([gcc version])
>  	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
>  	case $GCC_VER in
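Review bot: OSSH_CHECK_LDFLAG_LINK([-pie]) is applied whenever a bare "int main" links with it, regardless of whether the -fPIE and -fPIC compile checks just above were accepted and without linking any of the libraries the real binaries use. The reply in this thread shows the consequence: a local OpenSSL that was not compiled with -fPIC passed configure and then failed at link time. Consider making -pie conditional on -fPIE having been accepted, and either probing the link against libcrypto or offering a configure option to turn these flags off. Separately, -ftrapv changes runtime behaviour (signed overflow aborts the process) rather than only code layout, so it deserves its own sentence in the message instead of being grouped with the PIE and RELRO flags.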
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

-- 
Iain Morgan

