Thread overview
Request: Hardened system tutorial/patch
Oct 19, 2016
Lodovico Giaretta
Oct 19, 2016
Daniel Kozak
Oct 19, 2016
Lodovico Giaretta
Oct 20, 2016
Daniel Kozak
Oct 20, 2016
Daniel Kozak
October 19, 2016
Hi!

As you might have noticed, Ubuntu 16.10 joins the community of hardened systems by shipping GCC 6.2 with PIE enabled by default. This is a wonderful security choice, but it comes with some problems when one tries to use DMD. Here is what happened to me.

1) Trying to unittest std.experimental.xml:

   I got tons of failed relocations, but I was kind of expecting that. I was using DUB,
   so I added `"lflags": ["-no-pie"]`, but it didn't do anything and I really don't know
   why. Then I tried setting "dflags" with "-fPIC", but it didn't suffice, as I had to
   set "-defaultlib" to "libphobos2.so".
   Ok, this finally worked, but it produced PIE executables. What if I want to use a plain
   old fixed-position executable? I didn't manage to do that. Also, the "default" dmd
   call, without any option, should really work out of the box. I don't really care if by
   default it produces PIE or not. I care that I don't have to think about it unless it's
   an important decision for me. And I care that if I want, I can switch to whatever with
   a command line option.

2) Trying to use DUB seriously:

   This is a good reason to have a working default configuration. While working on the
   xml library, I used `dub -b ddox`. Being the first time on the new system, DUB fetched
   ddox and tried to build it. But of course it failed! And that's because ddox (as every
   dub package) does not specify "-fPIC -defaultlib=libphobos2.so", as it has never been
   necessary. I still don't know how to make this work without hacking ddox.

So, what we really need is either a good tutorial on how to set up everything so that it "just works", or even better the compiler should recognize if the linker has hardening enabled by default, and take actions to either compile with PIC or call the linker with -no-pie.
October 19, 2016
On 19.10.2016 at 14:51, Lodovico Giaretta via Digitalmars-d wrote:

> Hi!
>
> As you might have noticed, Ubuntu 16.10 joins the community of hardened systems by shipping GCC 6.2 with PIE enabled by default. This is a wonderful security choice, but it comes with some problems when one tries to use DMD. Here is what happened to me.
>
> 1) Trying to unittest std.experimental.xml:
>
>    I got tons of failed relocations, but I was kind of expecting that. I was using DUB,
>    so I added `"lflags": ["-no-pie"]`, but it didn't do anything and I really don't know
>    why. Then I tried setting "dflags" with "-fPIC", but it didn't suffice, as I had to
>    set "-defaultlib" to "libphobos2.so".
>    Ok, this finally worked, but it produced PIE executables. What if I want to use a plain
>    old fixed-position executable? I didn't manage to do that. Also, the "default" dmd
>    call, without any option, should really work out of the box. I don't really care if by
>    default it produces PIE or not. I care that I don't have to think about it unless it's
>    an important decision for me. And I care that if I want, I can switch to whatever with
>    a command line option.
This is possible; it is up to the package maintainers to do this (compile druntime and phobos itself with -fPIC and add -fPIC to /etc/dmd.conf).

>
> 2) Trying to use DUB seriously:
>
>    This is a good reason to have a working default configuration. While working on the
>    xml library, I used `dub -b ddox`. Being the first time on the new system, DUB fetched
>    ddox and tried to build it. But of course it failed! And that's because ddox (as every
>    dub package) does not specify "-fPIC -defaultlib=libphobos2.so", as it has never been
>    necessary. I still don't know how to make this work without hacking ddox.
>
> So, what we really need is either a good tutorial on how to set up everything so that it "just works", or even better the compiler should recognize if the linker has hardening enabled by default, and take actions to either compile with PIC or call the linker with -no-pie.
Same as above: just add -fPIC to dmd.conf.

October 19, 2016
On Wednesday, 19 October 2016 at 13:16:08 UTC, Daniel Kozak wrote:
> [...]

Thank you. I didn't know about dmd.conf.
Do you happen to know which options I should use to disable PIE generation? -L-no-pie does not work, so I'm stuck with producing PIE executables (which is not bad per se, but as I said I care that I can easily switch back and forth when needed).

October 20, 2016
On Wednesday, 19 October 2016 at 12:51:46 UTC, Lodovico Giaretta wrote:
> Hi!
>
> As you might have noticed, Ubuntu 16.10 joins the community of hardened systems by shipping GCC 6.2 with PIE enabled by default. This is a wonderful security choice

Maybe it is not such a perfect security choice:
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf


October 20, 2016
On Thursday, 20 October 2016 at 11:12:24 UTC, Daniel Kozak wrote:
> On Wednesday, 19 October 2016 at 12:51:46 UTC, Lodovico Giaretta wrote:
>> Hi!
>>
>> As you might have noticed, Ubuntu 16.10 joins the community of hardened systems by shipping GCC 6.2 with PIE enabled by default. This is a wonderful security choice
>
> Maybe it is not such a perfect security choice:
> http://www.cs.ucr.edu/~nael/pubs/micro16.pdf

https://news.slashdot.org/story/16/10/19/2358209/researchers-bypass-aslr-protection-on-intel-haswell-cpus