On Fri, Jun 17, 2011 at 07:30:43AM -0700, Ian Lance Taylor wrote:
> Jack Howarth <howa...@bromo.med.uc.edu> writes:
>
> > What is the current state of supporting hardened operating systems
> > that default to -fpie/-fPIE/-pie in gcc trunk? Do those releases still use
> > their own patches for gcc or have all of those changes been committed to gcc
> > trunk? If so, does anyone recall the specific commits? In particular, I am
> > interested in any fixes to boehm-gc, libffi and pch to support PIE.
>
> I know there are variants of gcc out there which default to -fPIE when
> compiling and -pie when linking. As far as I know there is no support
> for that in trunk, unless you count the --with-specs configure option
> which may be used to implement these defaults.
>
> I don't see why -pie should make any difference for boehm-gc or libffi.
> Is there some known problem with them?
>
> For PCH what matters is not whether gcc defaults to generating PIE, but
> whether gcc itself is compiled as a PIE. In general I believe that a
> PIE gcc will not support PCH--it will work most of the time, but will
> occasionally fail. However, I have not actually tested this. If I'm
> right about this limitation, it would be quite difficult to fix given
> the current PCH implementation. Fortunately, as far as I can see, the
> kind of attacks which PIE protects against are unimportant when
> attacking gcc, as gcc simply runs under your own user ID on your own
> system. Anything the user can somehow suborn gcc into doing, the user
> can do anyhow. So I see no reason to build gcc as a PIE. Of course
> those considerations would change if somebody is running a compilation
> server on the net which invokes gcc; such a setup might get some small
> benefit from building gcc as a PIE, but such a setup would be unlikely
> to support PCH in any case.
>
> Ian
Ian,

I found some interesting information on what Gentoo Hardened Linux is doing with their toolchain here...

http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml

It appears that they consider JIT to be a major security risk and disable it by default...

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#jitflag

as well as passing...

CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2"
LDFLAGS="-Wl,-z,now -Wl,-z,relro"

automatically on builds. Also, apparently -O3 is considered problematic when SSP is in use.

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#Othreessp

Jack
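The flags Jack lists each leave a visible trace in the resulting ELF file, which is how a distribution or an auditor can verify that a hardened toolchain default actually took effect. The script below is an added example, not from the thread or from Gentoo; it assumes GNU binutils `readelf` is installed, and the function and variable names are its own. It also checks the combination of `-z relro` with `-z now` (full RELRO), which the thread lists as two separate flags.

```shell
#!/bin/sh
# Added example: report whether an ELF binary carries the hardened-toolchain
# defaults discussed in the thread (PIE, RELRO, BIND_NOW, SSP, FORTIFY).
# Assumes GNU binutils `readelf`; the ELF path is the only input.

# classify_readelf HEADERS DYNSYMS
#   HEADERS: text of `readelf -h -l -d FILE`; DYNSYMS: text of `readelf --dyn-syms FILE`.
#   Prints one "flag=yes|no" line per property so the result can be parsed or asserted.
classify_readelf() {
  headers=$1
  dynsyms=$2

  # -fPIE/-pie: an executable whose ELF type is DYN instead of EXEC. Older readelf
  # prints "DYN (Shared object file)", newer "DYN (Position-Independent Executable
  # file)". A shared library is also DYN, so only apply this to executables.
  if printf '%s\n' "$headers" | grep -q 'Type: *DYN'; then pie=yes; else pie=no; fi

  # -Wl,-z,relro: the linker emits a GNU_RELRO program header.
  if printf '%s\n' "$headers" | grep -q 'GNU_RELRO'; then relro=yes; else relro=no; fi

  # -Wl,-z,now: the dynamic section carries FLAGS BIND_NOW (or FLAGS_1 NOW).
  if printf '%s\n' "$headers" | grep -Eq 'BIND_NOW|FLAGS_1.*NOW'; then now=yes; else now=no; fi

  # -fstack-protector(-all): instrumented functions import __stack_chk_fail.
  if printf '%s\n' "$dynsyms" | grep -q '__stack_chk_fail'; then ssp=yes; else ssp=no; fi

  # -D_FORTIFY_SOURCE=2 (needs -O1 or higher): libc calls become __*_chk wrappers.
  # The name must end in _chk (followed by a version or end of line) so that
  # __stack_chk_fail / __stack_chk_guard are not counted as FORTIFY.
  if printf '%s\n' "$dynsyms" | grep -Eq '__[a-z0-9_]+_chk(@|[[:space:]]|$)'; then
    fortify=yes; else fortify=no; fi

  # Full RELRO needs both the segment and BIND_NOW; partial RELRO leaves the GOT writable.
  if [ "$relro" = yes ] && [ "$now" = yes ]; then full_relro=yes; else full_relro=no; fi

  printf 'pie=%s\nrelro=%s\nbind_now=%s\nfull_relro=%s\nssp=%s\nfortify=%s\n' \
    "$pie" "$relro" "$now" "$full_relro" "$ssp" "$fortify"
}

# check_hardening FILE: capture readelf output for FILE and classify it.
check_hardening() {
  classify_readelf "$(readelf -h -l -d "$1")" "$(readelf --dyn-syms "$1")"
}

# When run directly, check every path given on the command line.
if [ "$#" -gt 0 ]; then
  for f in "$@"; do echo "== $f"; check_hardening "$f"; done
fi
```

Because `classify_readelf` works on captured text, the same logic can be run over `readelf` output collected from a build farm without the binaries themselves.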