Tor hardening at compile time
Linus Nordberg
linus at nordberg.se
Sat May 8 08:24:44 UTC 2010
Jacob Appelbaum <jacob at appelbaum.net> wrote
Fri, 07 May 2010 15:15:07 +0200:
| ./autogen.sh && ./configure --enable-gcc-warnings --enable-gcc-hardening
| --enable-linker-hardening && make && sudo make install
I can report that this works well on NetBSD (5.0.2) @ i386 as well.
I'm using gcc 4.1.3, the one shipped with NetBSD.
| The end result on Debian Lenny is a slightly hardened build when checked
| with checksec.sh[0].
|
| This is weasel's build on my x86 machine:
| RELRO           STACK CANARY    NX           PIE
| Partial RELRO   Canary found    NX enabled   PIE enabled
|
| This is a build with my new options on the same machine:
| RELRO           STACK CANARY    NX           PIE
| Full RELRO      Canary found    NX enabled   PIE enabled
|
| This is a build without my new options on the same machine:
| RELRO           STACK CANARY    NX           PIE
| No RELRO        No canary found NX enabled   No PIE
My observations are as follows.
- I see the GNU_RELRO header but not the BIND_NOW header. This would
have been displayed by checksec.sh as "Partial RELRO".
- Canary is found.
- I don't see GNU_STACK, so NX is not there.
- PIE is enabled.
| This seems like a useful improvement for people building from source.
Indeed. Thanks!
I'll look into why BIND_NOW and GNU_STACK aren't present. Do you have
any ideas?
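An added example, not code from the thread or from the Tor project: a small Python checker that pulls the same facts checksec.sh derives from readelf output directly out of an ELF64 image, and runs it over constructed header sets modelled on the three checksec rows quoted above plus the NetBSD observation (GNU_RELRO present, no BIND_NOW, no GNU_STACK, PIE). It assumes little-endian ELF64 only; the canary test is a string search for __stack_chk_fail, a heuristic standing in for a symbol-table walk; and reporting a missing GNU_STACK as "no GNU_STACK header" rather than as NX enabled or disabled is this example's choice, not checksec.sh's exact wording.

```python
"""Added example: re-implements the checks checksec.sh makes (RELRO /
BIND_NOW, NX via PT_GNU_STACK, PIE, stack canary) by parsing ELF64 bytes
directly. Not Tor project code. Assumptions: little-endian ELF64 only;
the canary check is a string search, a heuristic, not a symbol-table walk."""
import struct

# ELF constants from the ELF and GNU ABI specifications
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def checksec(data):
    """Return the hardening properties of an ELF64 image as a dict."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    # RELRO: PT_GNU_RELRO marks the pages; Full RELRO also needs BIND_NOW,
    # carried in the dynamic array as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off = p[2]                                   # p_offset of the array
        while off + DYN.size <= len(data):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
            off += DYN.size
    relro = ("Full RELRO" if has_relro and bind_now
             else "Partial RELRO" if has_relro else "No RELRO")

    # NX: PT_GNU_STACK without PF_X requests a non-executable stack. With no
    # header the loader default applies, so the binary itself claims nothing
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    if not stack:
        nx = "no GNU_STACK header"
    else:
        nx = "NX disabled" if stack[0][1] & PF_X else "NX enabled"

    return {"relro": relro, "nx": nx,
            "pie": e_type == ET_DYN,                   # ET_DYN: PIE (or DSO)
            "canary": b"__stack_chk_fail" in data}     # heuristic, see above


def build_elf(e_type, segments, dyn_entries, canary):
    """Constructed test input: ELF header, program headers, dynamic array.
    `segments` is a list of (p_type, p_flags); PT_DYNAMIC is appended here.
    The result is not loadable; it only carries the headers checksec reads."""
    ph = list(segments) + [(PT_DYNAMIC, PF_R | PF_W)]
    dyn_off = EHDR.size + PHDR.size * len(ph)
    dyn = b"".join(DYN.pack(t, v) for t, v in dyn_entries) + DYN.pack(DT_NULL, 0)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9          # ELF64, little-endian
    out = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(ph), 0, 0, 0)
    for p_type, p_flags in ph:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        out += PHDR.pack(p_type, p_flags, off, off, off, size, size, 8)
    out += dyn
    return out + (b"\0__stack_chk_fail\0" if canary else b"")


# Constructed images modelled on the three checksec rows quoted in the thread,
# plus the NetBSD observation (GNU_RELRO but no BIND_NOW, no GNU_STACK, PIE)
RW_STACK = [(PT_GNU_STACK, PF_R | PF_W)]
RELRO_SEG = [(PT_GNU_RELRO, PF_R)]
WEASEL_BUILD = build_elf(ET_DYN, RW_STACK + RELRO_SEG, [], canary=True)
HARDENED_BUILD = build_elf(ET_DYN, RW_STACK + RELRO_SEG,
                           [(DT_FLAGS, DF_BIND_NOW)], canary=True)
PLAIN_BUILD = build_elf(ET_EXEC, RW_STACK, [], canary=False)
NETBSD_BUILD = build_elf(ET_DYN, RELRO_SEG, [], canary=True)

if __name__ == "__main__":
    for name in ("WEASEL_BUILD", "HARDENED_BUILD", "PLAIN_BUILD", "NETBSD_BUILD"):
        print(name, checksec(globals()[name]))
```

Pointing checksec() at the bytes of a real tor binary (open(path, "rb").read()) gives the same four columns checksec.sh prints; the constructed images exist only so the Partial-versus-Full RELRO distinction and the missing-GNU_STACK case can be seen without a toolchain.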