Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add hardening flags #6

Open
1 of 5 tasks
marcusmueller opened this issue May 23, 2018 · 11 comments
Open
1 of 5 tasks

Add hardening flags #6

marcusmueller opened this issue May 23, 2018 · 11 comments
Assignees
@marcusmueller

Comments

@marcusmueller
Copy link
Member

marcusmueller commented May 23, 2018
edited by noc0lour
Loading

Fedora 28 introduced

https://fedoraproject.org/wiki/Changes/HardeningFlags28

  • 1. Compile all binaries with stack clash protection (-fstack-clash-protection). As a result, attempts to jump the stack guard (a requirement for stack clash attacks) will reliably result in a crash rather than giving the attacker control over stack/heap objects.
  • 2. Enable C++ standard library hardening with -D_GLIBCXX_ASSERTIONS. This turns on cheap range checks for C++ arrays, vectors, and strings.
  • 3. Enable control flow protection on x86-64 using -fcf-protection=full -mcet.
  • 4. Enable .got.plt isolation in binutils, to support a read-only GOT with lazy binding on systems which provide support for memory protection keys.
  • 5. Use --enable-default-pie to ensure PIE support is enabled across all architectures.

I want that shit, too!

Not all of these flags exist on not-very-extremely-recent GCCs, but especially 2. is available everywhere and will jump into our face a lot.
@noc0lour
Copy link
Member

noc0lour commented Jun 1, 2018

We might consider pulling 1. & 5. into the main GNU Radio flags?

noc0lour added a commit that referenced this issue Jun 1, 2018
@noc0lour
builders: implements #6 partly due to unclear flag availibility
f43adb6 
If one can find out if all flags are available on all supported
compilers we can enable them
@noc0lour
Copy link
Member

noc0lour commented Jun 2, 2018

Is this:

 argv: [b'cmake', b'/data/src/pull/1806/maint-3.7', b'-DPYTHON_EXECUTABLE=/usr/bin/python2', b'-DDESIRED_QT_VERSION=4', b'-DCMAKE_CXX_COMPILER_FLAGS=-D_GLIBCXX_ASSERTIONS']```

correct in the case of GLIBCXX_ASSERTIONS?

@marcusmueller
Copy link
Member Author

@noc0lour no, not really.

This overrides CMake's own CXX flags. I've searched up and down, and it seems CMake simply doesn't allow to specify additional flags on the command line.

We'll need to add a CMake directive that adds these flags.

@noc0lour
Copy link
Member

noc0lour commented Jul 8, 2018

Meh, I should use: CMAKE_CXX_FLAGS, that's what one wants.

@noc0lour
Copy link
Member

noc0lour commented Jul 8, 2018

https://cmake.org/cmake/help/latest/variable/CMAKE_LANG_FLAGS.html#variable:CMAKE_%3CLANG%3E_FLAGS

@noc0lour
Copy link
Member

noc0lour commented Jul 8, 2018

Which usually takes CXXFLAGS from the environment, but if you specify it on the cmdline it will take in the flags as well and append them to the internal cmake flags.

@noc0lour
Copy link
Member

noc0lour commented Jul 8, 2018

And currently the flags are not added.

marcusmueller added a commit to marcusmueller/gnuradio that referenced this issue Jul 8, 2018
@marcusmueller
Adding a CMake option -DENABLE_GLIBCXX_ASSERTIONS
95a3230 
This allows setting of the _GLIBCXX_ASSERTIONS macro, which enables
"cheap" runtime checks for things like vector access bounds.

This is related to gnuradio#1774.

It allows for implementation of gnuradio/gnuradio-buildbot#6
marcusmueller added a commit to marcusmueller/gnuradio that referenced this issue Jul 8, 2018
@marcusmueller
Adding a CMake option -DENABLE_GLIBCXX_ASSERTIONS
fdba671 
This allows setting of the _GLIBCXX_ASSERTIONS macro, which enables
"cheap" runtime checks for things like vector access bounds.

This is related to gnuradio#1774.

It allows for implementation of gnuradio/gnuradio-buildbot#6
@marcusmueller marcusmueller mentioned this issue Jul 8, 2018
Closed
@noc0lour
Copy link
Member

noc0lour commented Jul 8, 2018

@marcusmueller -DCMAKE_CXX_FLAGS=-D_GLIBCXX_ASSERTIONS works equally well and we don't need to touch unrelated GNU Radio cmake code .

@noc0lour
Copy link
Member

noc0lour commented Jul 8, 2018

or even setting the appropriate environment variable works as well.

@marcusmueller
Copy link
Member Author

Ah, too mirror what @noc0lour and I have been talking off-site about this: yes, that works just as well. @noc0lour can we do that in the builders for maint-3.7 and master, then?

@noc0lour
Copy link
Member

noc0lour commented Jul 8, 2018

Done, so, to recap: cmake might exhibit strange behaviour if you use the flag on subsequent runs. But since the build directory is only used once for each build, we don't run into trouble here

@noc0lour noc0lour assigned marcusmueller and unassigned noc0lour Aug 1, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcusmueller marcusmueller

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcusmueller @noc0lour