bug-gnucobol

Re: gnucobol-3.1-rc1 and -U_FORTIFY_SOURCE


From: Jeffrey Walton
Subject: Re: gnucobol-3.1-rc1 and -U_FORTIFY_SOURCE
Date: Tue, 14 Jul 2020 06:51:41 -0400

On Tue, Jul 14, 2020 at 6:31 AM Edward Hart <edward.dan.hart@gmail.com> wrote:
>
> Hi James,
>
> Thanks for bringing this up; this is an interesting topic.
>
> Do you think it would be worth hardening builds by default? The Debian and 
> Red Hat articles you link don't mention many downsides (other than maybe 
> performance). It shouldn't be too hard to extend configure to check for the 
> hardening options. But I'm not sure if package maintainers have any 
> expectations for what should be in default CFLAGS/LDFLAGS.

Debian and Fedora often apply the hardening through a GCC spec file.
The rub is, it usually only applies to the more recent releases.

With that said, older compilers, non-GCC compat compilers and older
platforms often lack some of the flags. Older platforms can have a
newer compiler, too. The BSDs are legendary for security but notorious
for missing hardening, like PIE/ASLR. Just try running checksec on
cobc on FreeBSD, OpenBSD or NetBSD.

What I prefer to do is, enable hardening by default. If a user wishes,
they can turn off hardening with --disable-hardening configure option.
It keeps the auditors happy because it is a firm security posture out
of the box. Users don't have to do anything special to get the
hardening.

It looks something like this in configure.ac
(https://github.com/BLAKE2/BLAKE2/pull/64/files):

# These are for the BSDs. Legendary for security, but missing secure flags.
AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [AM_CFLAGS="$AM_CFLAGS -fstack-protector-all"], [
  AX_CHECK_COMPILE_FLAG([-fstack-protector], [AM_CFLAGS="$AM_CFLAGS -fstack-protector"])
])
AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [AM_CFLAGS="$AM_CFLAGS -fstack-clash-protection"])
AX_CHECK_COMPILE_FLAG([-mcet -fcf-protection], [AM_CFLAGS="$AM_CFLAGS -mcet -fcf-protection"])
AX_CHECK_COMPILE_FLAG([-fplugin=annobin], [AM_CFLAGS="$AM_CFLAGS -fplugin=annobin"])
AX_CHECK_COMPILE_FLAG([-fexceptions], [AM_CFLAGS="$AM_CFLAGS -fexceptions"])
AX_CHECK_COMPILE_FLAG([-fPIC], [AM_CFLAGS="$AM_CFLAGS -fPIC"])

# These are for the BSDs. Legendary for security, but missing secure flags.
AX_CHECK_COMPILE_FLAG([-pie], [AM_CFLAGS="$AM_CFLAGS -pie"])
AX_CHECK_COMPILE_FLAG([-Wl,-z,relro], [AM_CFLAGS="$AM_CFLAGS -Wl,-z,relro"])
AX_CHECK_COMPILE_FLAG([-Wl,-z,now], [AM_CFLAGS="$AM_CFLAGS -Wl,-z,now"])
AX_CHECK_COMPILE_FLAG([-Wl,-z,defs], [AM_CFLAGS="$AM_CFLAGS -Wl,-z,defs"])
AX_CHECK_COMPILE_FLAG([-Wl,-z,noexecstack], [AM_CFLAGS="$AM_CFLAGS -Wl,-z,noexecstack"])

BLAKE2 builds a program, so it uses -fPIC/-pie. A shared object would
use -fPIC/-shared.

Jeff
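
Added example (not part of the message above, and not code from BLAKE2 or GnuCOBOL): a minimal checksec-style check that reads the ELF evidence left by the link-time flags in the snippet (-pie, -Wl,-z,relro, -Wl,-z,now, -Wl,-z,noexecstack), so a build can confirm the configure probes took effect. It assumes a little-endian ELF64 image, the names elf_hardening and sample_elf are hypothetical, and compile-time flags such as -fstack-protector are not checked.

```python
import struct
import sys

PT_DYNAMIC, PT_NOTE, PT_GNU_STACK, PT_GNU_RELRO = 2, 4, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
ET_EXEC, ET_DYN, PF_X, DF_BIND_NOW, DF_1_NOW = 2, 3, 0x1, 0x8, 0x1

def elf_hardening(data):
    """Report the link-time hardening evidence in a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # ET_DYN is what -fPIC/-pie produces (a -shared object has it too).
    rep = {"pie": e_type == ET_DYN, "relro": False, "bind_now": False, "nx_stack": False}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:      # -Wl,-z,noexecstack clears PF_X here
            rep["nx_stack"] = not p_flags & PF_X
        elif p_type == PT_GNU_RELRO:    # -Wl,-z,relro adds this segment
            rep["relro"] = True
        elif p_type == PT_DYNAMIC:      # -Wl,-z,now sets one of these markers
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == 0:            # DT_NULL ends the table
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    rep["bind_now"] = True
    rep["full_relro"] = rep["relro"] and rep["bind_now"]
    return rep

def sample_elf(e_type, stack_flags, relro, dyn):
    """Constructed input: ELF64 header, three program headers, a dynamic table."""
    dyn_off, dyn_size = 64 + 3 * 56, 16 * (len(dyn) + 1)
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0), (PT_DYNAMIC, 6, dyn_off, dyn_size),
             (PT_GNU_RELRO if relro else PT_NOTE, 4, 0, 0)]
    image = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    for p_type, flags, off, size in phdrs:
        image += struct.pack("<IIQQQQQQ", p_type, flags, off, 0, 0, size, size, 8)
    return image + b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(0, 0)])

HARDENED = sample_elf(ET_DYN, 6, True, [(DT_FLAGS, DF_BIND_NOW)])  # PF_R|PF_W stack
UNHARDENED = sample_elf(ET_EXEC, 7, False, [])                     # PF_X set on stack

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HARDENED
    print(elf_hardening(data))
```

Run with a path argument to inspect a real binary; a result with relro but not bind_now corresponds to partial RELRO.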


