[guardian-dev] using -Werror=format-security

Hans-Christoph Steiner hans at guardianproject.info
Thu Dec 5 12:44:13 EST 2013 

On 12/04/2013 10:25 AM, Jacob Appelbaum wrote:
> Abel Luck:
>> -Werror=format-security
>>     "Once this flag is enabled, GCC will refuse to compile code that could be
>> vulnerable to a string format security flaw."
>>
>> We should investigate adding this flag to our native builds, as well as other hardening
>> flags. Not sure if it is available in the NDK though.
>>
> 
> If you have a chance, I encourage you to look at the build hardening
> we've done in tor and in other projects such as tlsdate:
> 
>   https://github.com/ioerror/tlsdate/blob/master/configure.ac#L450
> 
> Basically, I suggest you add the following if your compiler supports
> these options:
> 
>   -D_FORTIFY_SOURCE=2 -fstack-protector-all
>   -fwrapv -fPIE -Wstack-protector
>   --param=ssp-buffer-size=1
> 
> Also, I suggest the following for your linker:
> 
>   -z relro -z now
>   -pie
> 
> All the best,
> Jake

Some of these might automatically be set by the NDK gcc.  For example Debian
and Ubuntu automatically include -D_FORTIFY_SOURCE=2 when things are compiled
with -O2.

It would be a project on its own to test the support for all these flags on
Android.  Anyone have any good info on this? For example, some are only
supported one quite new Android versions:


http://www.kandroid.org/ndk/docs/APPLICATION-MK.html
APP_PIE
    Starting from Jelly Bean (4.1), Android's dynamic linker supports
    position-independent executables (PIE), which are built with -fPIE.
    This flag makes it harder to exploit memory corruption bugs by
    randomization the location of the code.
    By default, ndk-build will automatically set this value to 'true' if
    your project targets android-16 or higher. You may set it manually
    to either 'true' or 'false'.

    IMPORTANT: PIE executables *cannot* run on Android releases prior to 4.1.

Debian has been making a big push to include all of these flags in all builds.
 They have decent docs on the topic:
https://wiki.debian.org/Hardening

.hc

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81

More information about the Guardian-dev mailing list