Bug 4761 - Enable common binary hardening flags
Summary: Enable common binary hardening flags
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Pierre Ossman
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-26 15:29 CEST by Karl Mikaelsson
Modified: 2022-01-21 11:00 CET
CC List: 0 users

See Also:
Acceptance Criteria:


Attachments

Description Karl Mikaelsson cendio 2013-07-26 15:29:17 CEST
Quoting from the Fedora Packaging Guidelines (https://fedoraproject.org/wiki/Packaging:Guidelines#PIE)

> PIE adds security to executables by composing them entirely of position-
> independent code. Position-independent code (PIC) is machine instruction code
> that executes properly regardless of where in memory it resides. PIE allows
> Exec Shield to use address space layout randomization to prevent attackers from 
> knowing where existing executable code is during a security attack using 
> exploits that rely on knowing the offset of the executable code in the binary, 
> such as return-to-libc attacks.

More info at the link above. Pierre wants this. :)
Comment 1 Pierre Ossman cendio 2022-01-21 11:00:43 CET
Fedora now does a whole bunch of things to harden binaries that we should probably look at:

 * PIE/PIC
 * -D_FORTIFY_SOURCE=2 (extra memory checks in C APIs)
 * -D_GLIBCXX_ASSERTIONS (extra memory checks in STL)
 * -z,now (check all binary symbols on start)

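As an added example (not ThinLinc code and not part of this bug), the script below is a small checksec-style inspector that reads an ELF64 image and reports the traces those flags leave in the finished binary: PIE shows up as e_type ET_DYN (newer linkers also set DF_1_PIE in DT_FLAGS_1); -Wl,-z,now, which resolves every dynamic symbol at load time instead of lazily through the PLT, sets DF_BIND_NOW in DT_FLAGS and DF_1_NOW in DT_FLAGS_1 and is what allows -z relro to make the GOT read-only; -z relro adds a PT_GNU_RELRO program header; -D_FORTIFY_SOURCE=2 replaces calls with checked variants, so __*_chk names appear in the dynamic string table. -D_GLIBCXX_ASSERTIONS leaves no stable ELF-level marker and is not checked. build_sample_elf is an assumption of this example: it constructs a minimal, non-executable image with virtual addresses equal to file offsets so the inspector can run offline; pass a path on the command line to inspect a real binary instead.

```python
"""Added example, not ThinLinc's code: report ELF-level traces of hardening flags."""
import struct
import sys

ET_DYN = 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def inspect_elf(data: bytes) -> dict:
    """Parse the ELF header, program headers and .dynamic of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    loads, dynamic, relro = [], None, False
    for i in range(e_phnum):
        p_type, _fl, p_offset, p_vaddr, _pa, p_filesz, _ms, _al = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:     # -Wl,-z,relro
            relro = True

    def to_offset(vaddr):  # .dynamic stores virtual addresses; map them through PT_LOAD
        for off, va, size in loads:
            if va <= vaddr < va + size:
                return vaddr - va + off
        raise ValueError("address 0x%x is not file-backed" % vaddr)

    tags = {}
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, 16):     # Elf64_Dyn is d_tag + d_val
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val
    flags, flags1 = tags.get(DT_FLAGS, 0), tags.get(DT_FLAGS_1, 0)

    chk_syms = []  # FORTIFY_SOURCE imports such as __memcpy_chk live in .dynstr
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = to_offset(tags[DT_STRTAB])
        for name in data[start:start + tags[DT_STRSZ]].split(b"\0"):
            if name.startswith(b"__") and name.endswith(b"_chk"):
                chk_syms.append(name.decode())

    bind_now = bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)  # -Wl,-z,now
    return {
        # ET_EXEC is never PIE; ET_DYN is a PIE or a shared library, DF_1_PIE says which
        "pie": e_type == ET_DYN,
        "dt_flags_1_pie": bool(flags1 & DF_1_PIE),
        "bind_now": bind_now,
        "relro": relro,
        "full_relro": relro and bind_now,
        "fortify_symbols": chk_syms,
    }


def build_sample_elf(pie, bind_now, relro, fortified) -> bytes:
    """Constructed, non-executable ELF64 image (header, program headers, .dynstr, .dynamic),
    laid out with vaddr == file offset. Assumed test input only, not a real build product."""
    phnum = 3 if relro else 2
    dynstr_off = 64 + phnum * 56
    names = [b"", b"memcpy"] + ([b"__memcpy_chk"] if fortified else []) + [b"libc.so.6"]
    dynstr = b"\0".join(names) + b"\0"
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7
    entries = [
        (DT_STRTAB, dynstr_off),
        (DT_STRSZ, len(dynstr)),
        (DT_FLAGS, DF_BIND_NOW if bind_now else 0),
        (DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)),
        (DT_NULL, 0),
    ]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                             len(dyn), len(dyn), 1)
    return ehdr + phdrs + dynstr + b"\0" * (dyn_off - dynstr_off - len(dynstr)) + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_elf(f.read()))
    else:
        for label, pie, now, rel, fort in (("hardened", True, True, True, True),
                                           ("unhardened", False, False, False, False)):
            print(label, inspect_elf(build_sample_elf(pie, now, rel, fort)))
```

The same facts can be read from a real ThinLinc binary with binutils: `readelf -h` (Type: DYN for PIE), `readelf -d` (FLAGS BIND_NOW, FLAGS_1 NOW PIE), `readelf -l` (a GNU_RELRO segment) and `readelf --dyn-syms` filtered for `_chk`. A check like this belongs in the build's test stage, so a dropped flag fails the build rather than surfacing later.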