Toolchain
Launchpad entry: none yet
Created: 2006-08-02 by JohnMoser
Contributors: JohnMoser
Packages affected:
Summary
This spec defines the hardened toolchain aspect of the Ubuntu Hardened Team, as specified in HardenedUbuntu: the Ubuntu Hardened Toolchain Team.
Rationale
In the course of building an Ubuntu Linux package, numerous security enhancements can be applied, such as GccSsp or PositionIndependentExecutables. The toolchain should enable these by default; they should be disabled on a per-package basis.
Use cases
GccSsp defines a strategy for building all of Ubuntu with stack smash protection, using a modified compiler specs file.
PositionIndependentExecutables can be implemented with a modified compiler specs file.
Scope
The scope of the hardened toolchain includes any enhancements made to the toolchain that can do any of the following without unreasonably harming run-time performance:
- Trap exploitable bugs at run-time and prevent the program from being compromised during an attack.
- Detect exploitable bugs during compilation and warn or error so that they can be fixed.
Design
Implementation
Currently, GccSsp is implemented. In the future, Ubuntu should consider using PositionIndependentExecutables and should also take advantage of FORTIFY_SOURCE, strictly for compile-time checks.
Code
Typically this involves specs file hacking.
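One way to check that toolchain defaults such as GccSsp and PositionIndependentExecutables actually reached the built binaries, with per-package opt-outs recorded explicitly. This is an added example, not part of the spec or of any Ubuntu tooling. The package names, the opt-out table and the sample ELF images are constructed, and the checks are heuristics based on the ELF header and symbol names.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification

def audit_elf(blob):
    """Return which hardening features leave evidence in an ELF image."""
    if len(blob) < 18 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if blob[5] == 1 else ">"  # EI_DATA: 1 = LSB, 2 = MSB
    (e_type,) = struct.unpack_from(endian + "H", blob, 16)
    return {
        # PIE executables are ET_DYN (shared libraries are ET_DYN as well).
        "pie": e_type == ET_DYN,
        # SSP-instrumented code references this symbol; a binary with no
        # protected functions can legitimately lack it.
        "ssp": b"__stack_chk_fail\x00" in blob,
    }

def violations(binaries, optouts):
    """List (package, feature) pairs that are missing without an opt-out.

    binaries: {package: ELF bytes}; optouts: {package: set of features}.
    """
    missing = []
    for pkg, blob in sorted(binaries.items()):
        for feature, present in audit_elf(blob).items():
            if not present and feature not in optouts.get(pkg, set()):
                missing.append((pkg, feature))
    return missing

def fake_elf(e_type, symbols=()):
    """Constructed sample: ELF64 little-endian header plus a string table."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<H", e_type) + bytes(46)
    return header + b"\x00" + b"".join(s + b"\x00" for s in symbols)

SAMPLE = {  # constructed package names and images
    "hardened-pkg": fake_elf(ET_DYN, [b"__stack_chk_fail"]),
    "legacy-pkg": fake_elf(ET_EXEC, [b"__stack_chk_fail"]),
    "forgotten-pkg": fake_elf(ET_EXEC, [b"puts"]),
}
OPTOUTS = {"legacy-pkg": {"pie"}}  # hypothetical per-package exception list

if __name__ == "__main__":
    print(violations(SAMPLE, OPTOUTS))
```

On real packages, pass the bytes of each installed executable to `audit_elf` and keep the opt-out table under review alongside the packaging.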
Data preservation and migration
Unresolved issues
BoF agenda and discussion
HardenedUbuntu/Toolchain (last edited 2008-08-06 16:37:20 by localhost)