blhc path/to/log/file ...
Last updated 2024-02-28
blhc (build log hardening check) is a small tool which checks build logs for missing hardening flags.
Hardening flags enable additional security features in the compiler to prevent e.g. stack overflows, format string vulnerabilities, GOT overwrites, etc.
Because most build systems are quite complicated there are many places where compiler flags from the environment might be ignored. The parser verifies that all compiler commands use the correct hardening flags and thus all hardening features are correctly used.
It’s designed to check build logs generated by Debian’s dpkg-buildpackage (or tools using dpkg-buildpackage like pbuilder or sbuild (which is used for the official buildd build logs)) to help maintainers detect missing hardening flags in their packages.
At the moment it works only on Debian and derivatives but it should be easily extendable to other systems as well. Patches are welcome, see README for details.
Only gcc is detected as compiler at the moment. If other compilers support hardening flags as well, please report them.
blhc can be run directly from the source tree (bin/blhc
) or copied anywhere
on the system. It doesn’t have to be explicitly installed. To read the man
page use perldoc bin/blhc
.
blhc is licensed under GPL 3 (or later).
If you have suggestions please tell me at simon@ruderich.org, for bugs please use the Debian bug tracker.
Perl
Dpkg::Arch
Dpkg::Version
blhc path/to/log/file ...
If there’s no output, no flags are missing and the build log is fine.
Also see README and man page in tarball.
Current development happens in the git repository (also browsable as Gitweb):
git clone https://ruderich.org/simon/blhc/blhc.git
blhc is also packaged in Debian.
Version 0.14 (2024-02-28):
Update moc handling for Qt6; reported by Ben Westover, patch from Ross Vandegrift (Debian bug #1019521).
Support -D_FORTIFY_SOURCE=3 added in glibc 2.35; reported by Christian Göttsche (Debian bug #1027084).
Fix false positive when using nvcc
; reported by Andreas Beckmann (Debian
Bug #1033027).
Fix tests in sid/testing by removing avr32 which is no longer supported (Debian Bug #1050942).
Accept -g3 instead of -g which enables more debug information; reported in IRC OFTC/#debian-mentors.
Properly ignore cargo/rust output; reported by Alexander Kjäll via email.
Fix another false positives from cmake which probes for compiler flags without setting CPPFLAGS; reported by Marco Mattiolo and Soren Stoutner (Debian Bugs #1043522 and #1054882).
Check for stack clash protection (-fstack-clash-protection); requested by Emanuele Rocca (Debian Bug #1050909).
Check for branch protection (amd64: -fcf-protection, arm64: -mbranch-protection=standard); requested by Emanuele Rocca (Debian Bug #1050912).
Download: blhc-0.14.tar.gz, blhc-0.14.tar.gz.asc
Version 0.13 (2021-10-09):
Also split commands on && and || (not only on ;) to detect more false negatives. This could also trigger more false positives.
Fix false positive when calling make; reported by Fabian Wolff (Debian Bug #975650).
Fix false positives from cmake which probes for compiler flags without setting CPPFLAGS; reported and suggested fix by Joao Eriberto Mota Filho (Debian Bug #994422).
Properly handle quoted flags; reported by Olek Wojnar (see Debian Bug #975650 message 45).
Strip (basic) environment variables before compiler detection to reduce false positives; reported by Fabian Wolff (Debian Bug #975650)
Download: blhc-0.13.tar.gz, blhc-0.13.tar.gz.asc
Version 0.12 (2020-07-29):
Add support to dynamically ignore lines from within the build log by embedding the string "blhc: ignore-line-regexp:" (Debian Bug #725484).
Fix false positive for meson build; reported by Yangfl (Debian Bug #953335).
Fix false positive with embedded gcc -print-* commands; reported by Andreas Beckmann (Debian Bug #964160)
Detect non-verbose commands in waf builds.
Download: blhc-0.12.tar.gz, blhc-0.12.tar.gz.asc
Version 0.11 (2020-01-05):
Fix false positive in dwz
lines; reported by Raphaël Hertzog (Debian Bug
#948009).
Download: blhc-0.11.tar.gz, blhc-0.11.tar.gz.asc
Version 0.10 (2019-10-06):
Sync architecture specific hardening support with dpkg 1.19.7.
Fix architecture detection with recent dpkg-buildpackage versions; reported by Ross Vandegrift, patch from Mathieu Parent (Debian bug #929503).
Fix false positive in non-verbose check for python setuptools; reported by Simon McVittie (Debian Bug #930993).
Fix special handling of format CFLAGS for Ada/Fortran with build logs not generated pbuilder/sbuild (pbuilder and sbuild provide build dependencies but other do not); reported by Christoph Berg and Rafael Laboissière (Debian bug #924387).
Fix false positive in non-verbose check for cython’s .pyx files; reported by Picca Frédéric-Emmanuel (Debian Bug #939632).
Fix false positive in libtool detection when the path to the libtool binary is quoted; Yves-Alexis reported by Perez (Debian Bug #941836).
Download: blhc-0.10.tar.gz, blhc-0.10.tar.gz.asc
Version 0.09 (2018-08-28):
Detect restore of -D_FORTIFY_SOURCE=2 after it was overwritten by -D_FORTIFY_SOURCE=0 or 1 or -U_FORTIFY_SOURCE; reported by Mike Hommey (Debian bug #898332).
Detect overwrite of -fstack-protector options with -fno-stack-protector (same for -fstack-protector-all and -fstack-protector-strong).
Don’t treat hexdumps which contain "cc" as compiler lines; reported by Kurt Roeckx (Debian bug #899137).
Download: blhc-0.09.tar.gz, blhc-0.09.tar.gz.asc
Version 0.08 (2018-03-02):
Support new dpkg versions which replaced Dpkg::Arch’s debarch_to_debtriplet with debarch_to_debtuple (Debian Bug #844393), reported by Johannes Schauer.
Support Open MPI mpicc/mpicxx compiler wrappers to prevent false positives in non-verbose-build detection, reported by Boud Roukema and Nico Schlömer (Debian Bug #853265).
Add better support for Fortran (c.f. Debian Bug #853265).
Don’t report missing PIE flags in buildd mode if GCC defaults to PIE (c.f. Debian Bug 845339).
Add new --debian option to handle PIE flags like buildd mode, thanks to Eriberto Mota for the suggestion. This is not enabled per default to prevent false negatives as the flags are missing from the build log and blhc can’t detect if the compiler applied PIE internally (c.f. Debian Bug 845339).
Add --line-numbers command line option
Sync architecture specific hardening support with dpkg 1.19.0.5.
Use proper look back for non-verbose detection if DEB_BUILD_OPTIONS=parallel is present. Previously it was too small causing false-positives if the option was detected.
Download: blhc-0.08.tar.gz, blhc-0.08.tar.gz.asc
Version 0.07 (2016-09-11):
Sync architecture specific hardening support with dpkg 1.18.10.
Fix false positive in "gcc > file" (Debian Bug #828789), reported by Mathieu Parent.
Fix another Ada false positive for format flags (Debian Bug #833939), reported by Nicolas Boulenguez.
Download: blhc-0.07.tar.gz, blhc-0.07.tar.gz.asc
Version 0.06 (2016-06-05):
Sync architecture specific hardening support with dpkg 1.18.2.
Fix false positive in "libtool: link: g++ -include test.h .." (Debian Bug #784959), reported by Raphaël Hertzog.
Fix false positive with gcc -v
(Debian Bug #765756), reported by Andreas
Beckmann.
Fix false positive in rm
lines (Debian Bug #772853), reported by Jakub
Wilk.
Sync architecture specific hardening support with dpkg 1.17.18.
Update t/tests.t for new output of Pod::Usage in 1.65 (Debian Bug #825428), reported by Niko Tyni, patch by Gregor Herrmann.
Fix false positives for comment lines (Debian Bug #825671), reported by Fabian Wolff.
Improve non-verbose detection for parallel builds (Debian Bug #801492), reported by Mattia Rizzolo, initial patch by Julien Lamy.
Download: blhc-0.06.tar.gz, blhc-0.06.tar.gz.asc
Version 0.05 (2014-08-20):
Fix false positive in configure output if $CC contains options (Debian bug #710135), reported by Bastien Roucariès.
Handle another case of Qt’s moc
(Debian bug #710780), reported by Felix
Geyer.
Fix detection of build dependencies for buildd logs (Debian bug #719656), reported by Nicolas Boulenguez.
Fix buildd architecture detection. Only relevant if the chroot setup fails and dpkg-buildpackage is never run; therefore a minor issue.
Fix false positive when "compiling" python files (Debian bugs #714630 and #753080), reported by Matthias Klose, patch by James McCoy.
Don’t check for hardening flags in non-verbose compiler commands spanning multiple lines.
Better handling of libtool commands (Debug bug #717598), reported by Stefan Fritsch.
Sync architecture specific hardening support with dpkg 1.17.13.
Check for -fstack-protector-strong on supported platforms (since dpkg 1.17.11) (Debian bug #757885), reported by Markus Koschany.
Consider lines with -O0 or -Og debug builds and disable checks for -O2 (Debian bug #714628), reported by Matthias Klose. Also don’t check for fortification in those lines as it requires optimization (Debian bug #757683), also reported by Matthias Klose.
Download: blhc-0.05.tar.gz, blhc-0.05.tar.gz.asc
Version 0.04 (2013-03-01):
Fix many false positives, this includes compiled header files, lines with
only CC=gcc but no other compiler commands and moc-qt4
/moc-qt5
commands.
Accept -Wformat=2 because it implies -Wformat.
Accept --param ssp-buffer-size=4 (space instead of equals sign).
Fix build dependency related checks (Ada, hardening-wrapper) for pbuilder build logs.
Fix architecture detection in old buildd build logs which use an additional "is" in the "dpkg-buildpackage: host architecture" field.
Updated output in buildd mode.
Only return non-zero exit codes for errors in buildd mode, not for warnings.
Minor performance improvements.
Support for Ada files.
Download: blhc-0.04.tar.gz, blhc-0.04.tar.gz.asc
Version 0.03 (2012-05-27):
Fix --ignore-flag with -fPIE.
Detect overwrite of -D_FORTIFY_SOURCE=2 with -D_FORTIFY_SOURCE=0 or 1 or -U_FORTIFY_SOURCE.
Add --ignore-arch-flag and --ignore-arch-line options to ignore flags and lines on certain architectures only.
Buildd tags "no-compiler-commands" and "invalid-cmake-used" are now information (I-) instead of warning (W-).
Ignore false positives when using moc-qt4.
Download: blhc-0.03.tar.gz, blhc-0.03.tar.gz.asc
Version 0.02 (2012-04-28):
Fix --version, --help.
Remove -Wformat-security from expected CFLAGS because it’s already implied by -Werror=format-security (removed in dpkg-dev >= 1.16.3).
Download: blhc-0.02.tar.gz, blhc-0.02.tar.gz.asc
Version 0.01 (2012-04-13):
First release.
Download: blhc-0.01.tar.gz, blhc-0.01.tar.gz.asc
The following links provide additional information about Debian’s hardening process and general information about available hardening options.
https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags: Debian hardening release goal.
https://wiki.debian.org/HardeningWalkthrough: Walkthrough to enable hardening flags for a Debian package.
https://wiki.debian.org/Hardening: General information about hardening flags.
https://qa.debian.org/bls/: Debian’s buildd log parser. It uses blhc to check packages for missing hardening flags.
Last updated 2024-02-28