This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
Re: Add compiler and linker hardening after the fact
Jeffrey Walton <noloader@gmail.com> writes:
> I'm working on a system which includes binaries (not source code)
> which do not utilize hardening techniques such as -z,relro -z,now,
> -z,noexecstack, -znoexecheap, and -fPIE.
>
> Does Binutils offer a tool to set the relevant bits (assuming the
> binary is not signed nor integrity checked)? I'm not sure what needs
> to be done for RELRO, NOW and PIE. I know -z,noexecstack, -znoexecheap
> need new sections added for PT_GNU_STACK and PT_GNU_HEAP markings (and
> no-exec heaps might not be available).

It is impossible to turn a non-relro executable into a relro
executable. Relro requires specific alignment.

It is impossible to turn a non-PIE into a PIE. PIE requires dynamic
relocations.

Adding -z now requires adding another dynamic tag. Most executables
will have space for this.

Marking an executable as noexecstack or noexecheap requires adding
another segment. Some executables will have space for this, some will
not.

Ian
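
An audit sketch for the points in the reply above, added here as an example and not code from the thread or from binutils: it reports which markings an ELF image already carries and whether it has the spare dynamic slot or program-header room the reply mentions. The names `audit` and `constructed_sample` are hypothetical, only ELF64 little-endian is handled, and the two "spare" figures are heuristics (padding DT_NULL entries, and the file gap after the program header table).

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
EHDR, PHDR, SHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<IIQQQQIIQQ", "<qQ"

def audit(data):
    """Report hardening markings and spare header room of an ELF64 LE image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("this sketch handles ELF64 little-endian only")
    (_, e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = struct.unpack_from(EHDR, data)
    phdrs = [struct.unpack_from(PHDR, data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    seg = {p[0]: p for p in phdrs}
    tags = []  # every slot in PT_DYNAMIC, including DT_NULL padding at the end
    if PT_DYNAMIC in seg:
        off, filesz = seg[PT_DYNAMIC][2], seg[PT_DYNAMIC][5]
        tags = [struct.unpack_from(DYN, data, off + i) for i in range(0, filesz - 15, 16)]
    nulls = [i for i, (t, _) in enumerate(tags) if t == DT_NULL]
    live = dict(tags[:nulls[0]] if nulls else tags)  # the loader stops at first DT_NULL
    now = (DT_BIND_NOW in live or live.get(DT_FLAGS, 0) & 0x8      # DF_BIND_NOW
           or live.get(DT_FLAGS_1, 0) & 0x1)                       # DF_1_NOW
    # Heuristic: bytes between the end of the program header table and the
    # next file content decide whether one more segment entry can be added.
    end = phoff + phnum * phentsize
    starts = [p[2] for p in phdrs if p[5] and p[2] >= end]
    starts += [s[4] for s in shdrs if s[1] not in (0, 8) and s[4] >= end]  # skip NULL/NOBITS
    starts += [shoff] if shoff >= end else []
    gap = min(starts, default=len(data)) - end
    stack = seg.get(PT_GNU_STACK)
    return {
        "pie_capable": e_type == 3,                # ET_DYN (also true of shared libraries)
        "relro": PT_GNU_RELRO in seg,
        "bind_now": bool(now),
        "noexecstack": stack is not None and not stack[1] & 1,   # PF_X clear
        "spare_dynamic_slots": max(len(nulls) - 1, 0),   # one DT_NULL must stay
        "spare_phdr_slots": gap // phentsize if phentsize else 0,
    }

def constructed_sample():
    """Constructed image: ET_EXEC, PT_LOAD + PT_DYNAMIC, no hardening markings."""
    dyn = struct.pack(DYN, 1, 0) + struct.pack(DYN, 0, 0) * 3   # DT_NEEDED, 3x DT_NULL
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01", 2, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    load = struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, 0x130, 0x130, 0x1000)
    dynp = struct.pack(PHDR, PT_DYNAMIC, 6, 0xF0, 0xF0, 0xF0, len(dyn), len(dyn), 8)
    return ehdr + load + dynp + b"\0" * (0xF0 - 176) + dyn
```

Call `audit(open(path, "rb").read())` on a real binary; a result with `bind_now` false and `spare_dynamic_slots` above zero is the case the reply describes as having room for the extra tag.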