blhc (build log hardening check) is a small tool which checks build logs for missing hardening flags.
Hardening flags enable additional security features in the compiler to prevent e.g. stack overflows, format string vulnerabilities, GOT overwrites, etc.
Because most build systems are quite complicated there are many places where compiler flags from the environment might be ignored. The parser verifies that all compiler commands use the correct hardening flags and thus all hardening features are correctly used.
It’s designed to check build logs generated by Debian’s dpkg-buildpackage (or tools using dpkg-buildpackage like pbuilder or sbuild (which is used for the official buildd build logs)) to help maintainers detect missing hardening flags in their packages.
At the moment it works only on Debian and derivatives but it should be easily extendable to other systems as well. Patches are welcome, see README for details.
Only gcc is detected as compiler at the moment. If other compilers support hardening flags as well, please report them.
blhc can be run directly from the source tree (bin/blhc) or copied anywhere on the system. It doesn’t have to be explicitly installed. To read the man page use perldoc bin/blhc.
blhc is licensed under GPL 3 (or later).
If you find any bugs or have suggestions please tell me at email@example.com.
blhc path/to/log/file ...
If there’s no output, no flags are missing and the build log is fine.
Also see README and man page in tarball.
Current development happens in the git repository (also browsable as Gitweb):
git clone http://ruderich.org/simon/blhc/blhc.git
Version 0.04 (2013-03-01):
Fix many false positives, this includes compiled header files, lines with only CC=gcc but no other compiler commands and moc-qt4/moc-qt5 commands.
Accept -Wformat=2 because it implies -Wformat.
Accept --param ssp-buffer-size=4 (space instead of equals sign).
Fix build dependency related checks (Ada, hardening-wrapper) for pbuilder build logs.
Fix architecture detection in old buildd build logs which use an additional "is" in the "dpkg-buildpackage: host architecture" field.
Updated output in buildd mode.
Only return non-zero exit codes for errors in buildd mode, not for warnings.
Minor performance improvements.
Support for Ada files.
Version 0.03 (2012-05-27):
Fix --ignore-flag with -fPIE.
Detect overwrite of -D_FORTIFY_SOURCE=2 with -D_FORTIFY_SOURCE=0 or 1 or -U_FORTIFY_SOURCE.
Add --ignore-arch-flag and --ignore-arch-line options to ignore flags and lines on certain architectures only.
Buildd tags "no-compiler-commands" and "invalid-cmake-used" are now information (I-) instead of warning (W-).
Ignore false positives when using moc-qt4.
Version 0.02 (2012-04-28):
Version 0.01 (2012-04-13):
The following links provide additional information about Debian’s hardening process and general information about available hardening options.
https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags: Debian hardening release goal.
https://wiki.debian.org/HardeningWalkthrough: Walkthrough to enable hardening flags for a Debian package.
https://wiki.debian.org/Hardening: General information about hardening flags.
https://buildd.debian.org/~brlink/: Debian’s buildd log parser. It uses blhc to check packages for missing hardening flags.