@@ -51,12 +51,17 @@ LIBS+= \
 # Hardening
 # Make some classes of vulnerabilities unexploitable in case one is discovered.
 #
+# This is a workaround for Ubuntu bug #691722, the default -fstack-protector causes
+# -fstack-protector-all to be ignored unless -fno-stack-protector is used first.
+# see: https://bugs.launchpad.net/ubuntu/+source/gcc-4.5/+bug/691722
+HARDENING=-fno-stack-protector
+
 # Stack Canaries
 # Put numbers at the beginning of each stack frame and check that they are the same.
 # If a stack buffer if overflowed, it writes over the canary number and then on return
 # when that number is checked, it won't be the same and the program will exit with
 # a "Stack smashing detected" error instead of being exploited.
-HARDENING=-fstack-protector-all -Wstack-protector
+HARDENING+=-fstack-protector-all -Wstack-protector
 
 # Make some important things such as the global offset table read only as soon as
 # the dynamic linker is finished building it. This will prevent overwriting of addresses
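Review bot: the workaround only holds as long as `-fno-stack-protector` reaches the compiler before `-fstack-protector-all`, so the fix depends on `HARDENING=` being the first assignment and every later addition using `+=` (as the changed `HARDENING+=-fstack-protector-all -Wstack-protector` line does); any future `HARDENING=` further down the makefile, or a distro-injected `-fstack-protector` appended after `$(HARDENING)` in the final command line, would silently reintroduce the bug. Worth stating the ordering requirement in the comment block itself (e.g. "-fno-stack-protector must stay first; append to HARDENING, never reassign it") and, since `-fno-stack-protector` is now passed unconditionally rather than only on the affected Ubuntu GCC, noting that on other compilers the later `-fstack-protector-all` takes precedence so the canary is still enabled. The comment typo "If a stack buffer if overflowed" (should be "is overflowed") could be fixed while touching this block.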