# Hardened missing features

## NTU

ATTENTION!

I decided to run $ hardening-check (app-admin/hardening-check) and discovered that wget did not have read-only relocations. To my already quite crazy CFLAGS, which are not supported (that's fine, this isn't about that), I added these:

```
SECOPT="-Wformat -Wformat-security -Werror=format-security --param ssp-buffer-size=4"

LDFLAGS="${LDFLAGS} -Wl,-z,now -Wl,-z,relro"
```

CFLAGS called in SECOPT, voilà, all happy days.

A few questions.

Question 1: What is the pre-defined ssp-buffer-size in Gentoo Hardened with SSP? Grepping for "ssp-buffer-size" showed no results in /usr/portage/profiles/hardened.

Question 2: This section of this page right here I believe is incorrect:

https://wiki.gentoo.org/wiki/Hardened/FAQ#Do_I_need_to_pass_any_flags_to_LDFLAGS.2FCFLAGS_in_order_to_turn_on_hardened_building.3F

Quote:

> No, the current toolchain implements the equivalent of CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"

If that's true, then wget would already have had read-only relocations; I had to recompile with my new options set. On a lot of binaries, all is well. Hardening-check on X, however, returns this:

```
/usr/bin/X:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
```

mkdir, rm, file, find, make, curl, socat, pv, less, most, gcc, ranlib, ld, gimp, blender, etc. do not have read-only relocations. Firefox does, though!

Some more binaries I found, caja-sendto and canberra-gtk-play do not have their functions fortified, nor have read-only relocations.

> Manually enabling the hardening flags it is not recommended.

Whelp, they're not on.  :Laughing: 

Question 3: Are we sure that Gentoo Hardened does in fact enable -fstack-protector-all? When I compile programs, that flag never shows up for me when I build a package, no matter what it is. Say I wanted to change the magic -fstack-protector-all (if present) to -fstack-protector-strong: how do I go about this and remove what Gentoo has (if it even exists)? If both are specified, does one take priority, or what? To avoid that problem (just in case it is one) I'd like to just have -fstack-protector-strong set instead of -fstack-protector-all (again, if it's set somewhere hidden).

Last question: -D_FORTIFY_SOURCE=2 doesn't show up at all in /usr/portage/profiles either (unless I'm missing something?), so how do we know that's being enabled too? That one also doesn't show up at compile time with the rest of the CFLAGS, and if it is actually applied but not showing up in the console (fancy stripping?), then how come the warnings below don't show up at compile time? Hidden magic in Gentoo? When I manually specify -D_FORTIFY_SOURCE=2 in make.conf I get a bunch of warnings like these:

```
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
```

Thanks, I'm surprised nobody has asked any of my questions before.

Edit: I made a new discovery! I've been messing around here: https://wiki.debian.org/Hardening#Environment_variables

Decided to try some things out for myself to see what's going on. I selected the x86_64-pc-linux-gnu-5.4.0-vanilla GCC profile, ran gcc --verbose:

```
Using built-in specs.
Reading specs from /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/vanilla.specs
Reading specs from /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/hardenednossp.specs
Reading specs from /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/hardenednopie.specs
```

Why is vanilla GCC still reading specs from other profiles? Those should be disabled, no? Anyway, I compiled trivial.c several times, with several compilers: stock, hardenednopiessp, and vanilla. Same results on all of them, regardless of CFLAGS, when building trivial.c (source here):

https://alioth.debian.org/scm/loggerhead/hardening/master/annotate/head:/example/trivial.c

I modified the Makefile a bit (recipe lines need a leading tab):

```make
CFLAGS=-O0

all: trivial

clean:
	rm -f trivial
```

Running the following:

```
make clean && make && ./trivial $(perl -e 'print "A"x100')
```

Regardless of GCC profile, it will detect a buffer overflow at any optimization level >= 1. The stock hardened GCC profile will detect stack smashing at -O0 with no additional flags. The vanilla GCC profile will segfault. Clearly there are hardened options that are being enabled specifically by the hardened compiler, but why do some of the LDFLAGS change on the fly, per package, and remove -z,now -z,relro?

-fstack-protector (whether it's all, strong or just standalone) is in fact being enabled by the compiler by default, with flags which we cannot see.

All that shows up for us when we run "make" is cc -O0 trivial.c -o trivial.

Stack protection aside, as that part seems to be consistent (at least in this case), "-Wl,-z,now -Wl,-z,relro" are flaky, as is -D_FORTIFY_SOURCE=2.

What is going on??? Thanks guys, the support here has been really helpful, I highly appreciate it!

Last edited by NTU on Sat Oct 08, 2016 11:08 pm; edited 1 time in total

----------
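Added example, not part of NTU's post and not hardening-check's own code: a small Python script that reads the ELF structures behind the two "no, not found!" lines in the X output above, so you can see exactly what "Read-only relocations" (a PT_GNU_RELRO program header) and "Immediate binding" (DT_BIND_NOW, or the BIND_NOW bit in DT_FLAGS / the NOW bit in DT_FLAGS_1 in the .dynamic table) mean on disk. It also reports the PIE line the same way hardening-check does, by checking for an ET_DYN file type. The stack-protector and fortify lines are deliberately left out: those need the dynamic symbol table (presence of __stack_chk_fail and the __*_chk functions), which this script does not parse. `build_elf()` is a constructed, non-loadable test image that exists only so the checker can be exercised offline; its layout is my assumption of the minimum the parser needs, not anything a real linker emits.

```python
"""Report RELRO / BIND_NOW / PIE for an ELF64 file the way hardening-check does.
Added example; not hardening-check's implementation."""
import struct
import sys

# Constants as defined in <elf.h>
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def check_hardening(data):
    """Return {'pie', 'relro', 'bind_now'} for a little-endian ELF64 image.

    Read-only relocations <-> a PT_GNU_RELRO program header is present
    Immediate binding     <-> DT_BIND_NOW, DT_FLAGS & DF_BIND_NOW or DT_FLAGS_1 & DF_1_NOW
    PIE                   <-> e_type == ET_DYN (note: shared libraries are ET_DYN too)
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = False
    dynamic = None  # (file offset, size) of the .dynamic table
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = p[0], p[2], p[5]
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    bind_now = False
    if dynamic is not None:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            d_tag, d_val = struct.unpack_from("<qQ", data, off)  # Elf64_Dyn
            off += 16
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now}


def format_report(name, result):
    """Render the result in the layout hardening-check prints."""
    def yn(flag):
        return "yes" if flag else "no, not found!"
    return (f"{name}:\n"
            f" Position Independent Executable: {yn(result['pie'])}\n"
            f" Read-only relocations: {yn(result['relro'])}\n"
            f" Immediate binding: {yn(result['bind_now'])}")


def build_elf(relro, bind_now, pie=True):
    """Constructed test image (header + program headers + .dynamic, nothing
    loadable). Exists only to exercise check_hardening() without a real binary."""
    dyn = b""
    if bind_now:
        # GNU ld sets both DT_FLAGS(BIND_NOW) and DT_FLAGS_1(NOW) for -z now
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 2 if relro else 1
    phoff, dynoff = 64, 64 + n_ph * 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LE, v1
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               62, 1, 0, phoff, 0, 0, 64, 56, n_ph, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynoff, 0, 0,
                        len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python3 relro_check.py /usr/bin/wget /usr/bin/X
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(format_report(path, check_hardening(f.read())))
```

"Full RELRO" is both lines saying yes: the GNU_RELRO segment makes the GOT read-only after relocation, but only if the loader has already resolved every symbol, which is what -z now forces. -Wl,-z,relro alone gives partial RELRO (the first line yes, the second no). To cross-check against the toolchain directly, `readelf -lW BINARY | grep GNU_RELRO` and `readelf -dW BINARY | grep -E 'BIND_NOW|FLAGS'` show the same two structures this script reads.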

