This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: Add compiler and linker hardening after the fact


Jeffrey Walton <noloader@gmail.com> writes:

> I'm working on a system which includes binaries (not source code)
> which do not utilize hardening techniques such as -z,relro -z,now,
> -z,noexecstack, -znoexecheap, and -fPIE.
>
> Does Binutils offer a tool to set the relevant bits (assuming the
> binary is not signed nor integrity checked)? I'm not sure what needs
> to be done for RELRO, NOW and PIE. I know -z,noexecstack, -znoexecheap
> need new sections added for PT_GNU_STACK and PT_GNU_HEAP markings (and
> no-exec heaps might not be available).

It is impossible to turn a non-relro executable into a relro
executable.  Relro requires specific alignment.

It is impossible to turn a non-PIE into a PIE.  PIE requires dynamic
relocations.

Adding -z now requires adding another dynamic tag.  Most executables
will have space for this.

Marking an executable as noexecstack or noexecheap requires adding
another segment.  Some executables will have space for this, some will
not.

Ian
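
As an added illustration of the reply above (not code from binutils or from either poster): a Python check that reads a little-endian ELF64 image and reports which hardening markers are present, plus whether spare dynamic-tag and program-header slots exist. The function names, the free-slot heuristic and the sample image are assumptions constructed for this example.

```python
import struct

ET_DYN, PT_DYNAMIC, PF_X = 3, 2, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_report(elf: bytes) -> dict:
    """Hardening markers and spare header space in a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", elf)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    # Each program header: (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    phdrs = [struct.unpack_from("<IIQQQQQQ", elf, phoff + i * phentsize) for i in range(phnum)]
    table_end = phoff + phnum * phentsize
    # Heuristic (assumption): the first segment payload after the table bounds how far it can grow.
    later = [p[2] for p in phdrs if p[2] >= table_end and p[5] > 0]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    bind_now, spare = False, 0
    for p in (p for p in phdrs if p[0] == PT_DYNAMIC):
        tags = [struct.unpack_from("<QQ", elf, p[2] + o) for o in range(0, p[5] - 15, 16)]
        end = next((i for i, (t, _) in enumerate(tags) if t == DT_NULL), len(tags))
        spare = max(len(tags) - end - 1, 0)   # entries past the terminating DT_NULL
        bind_now = any(t == DT_BIND_NOW or (t == DT_FLAGS and v & DF_BIND_NOW)
                       or (t == DT_FLAGS_1 and v & DF_1_NOW) for t, v in tags[:end])
    return {
        "et_dyn": e_type == ET_DYN,           # PIE images are ET_DYN, fixed-address ones ET_EXEC
        "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),
        "noexecstack": bool(stack) and not stack[0][1] & PF_X,
        "bind_now": bind_now,
        "spare_dynamic_slots": spare,
        "free_phdr_slots": (min(later) - table_end) // phentsize if later and phentsize else 0,
    }

def constructed_sample() -> bytes:
    """Constructed ET_EXEC image: PT_LOAD + PT_DYNAMIC, a one-entry gap, two spare DT_NULLs."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 62, 1,
                       0x400000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    dyn = struct.pack("<8Q", 1, 1, 0, 0, 0, 0, 0, 0)   # DT_NEEDED, terminator, two spares
    dyn_off = 64 + 2 * 56 + 56                         # gap sized for one more program header
    size = dyn_off + len(dyn)
    load = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, size, size, 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0x400000 + dyn_off,
                          0x400000 + dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynamic + bytes(56) + dyn

if __name__ == "__main__":
    print(hardening_report(constructed_sample()))
```

On the constructed image the report shows no PIE, RELRO, noexecstack or BIND_NOW marking, with two spare dynamic slots and room for one more program header.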

