blhc (build log hardening check) is a small tool which checks build logs for
missing hardening flags. It's licensed under the GPL 3 or later.
+Hardening flags enable additional security features in the compiler to prevent
+e.g. stack overflows, format string vulnerabilities, GOT overwrites, etc.
+
+Because most build systems are quite complicated there are many places where
+compiler flags from the environment might be ignored. The parser verifies that
+all compiler commands use the correct hardening flags and thus all hardening
+features are correctly used.
+
It's designed to check build logs generated by Debian's dpkg-buildpackage (or
-tools using dpkg-buildpackage like pbuilder or the official buildd build logs)
-to help maintainers detect missing hardening flags in their packages.
+tools using dpkg-buildpackage like pbuilder or sbuild (which is used for the
+official buildd build logs)) to help maintainers detect missing hardening
+flags in their packages.
At the moment it works only on Debian and derivatives but it should be easily
-extendable for other systems as well.
+extendable to other systems as well. Patches are welcome.
+
+Only gcc is detected as compiler at the moment. If other compilers support
+hardening flags as well, please report them.
For more information about hardening flags have a look at [1].
- Perl
- Dpkg::Arch
- Dpkg::Version
+ - Term::ANSIColor >= 2.01
+ Bundled with perl. A recent version is only necessary for build logs with
+ ANSI colors which is rare, blhc works fine without if the build log
+ doesn't use colors. Not required for buildd mode.
USAGE
blhc path/to/log/file
+blhc can be run directly from the source tree (`bin/blhc`) or copied anywhere
+on the system. It doesn't have to be explicitly installed. To read the man
+page use `perldoc bin/blhc`.
+
+If there's no output, no flags are missing and the build log is fine.
+
For more examples see the man page.
blhc generates the following warnings because all hardening flags are missing:
- CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -o test test.c
+ CFLAGS missing (-fstack-protector-strong -Wformat -Werror=format-security): gcc -g -O2 -o test test.c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -o test test.c
LDFLAGS missing (-Wl,-z,relro): gcc -g -O2 -o test test.c
The available hardening flags are adapted to the architecture because some
architectures don't support certain hardening options.
+Some checks check the build dependencies for certain packages. The following
+lines are used to get the build dependencies. The first two are used in buildd
+build logs (the second was used in older logs), the third by pbuilder logs,
+all are detected:
+
+ Filtered Buildd-Depends: ...
+ Build-Depends: ...
+ Depends: ...
+
LIMITATIONS
-----------
dpkg-buildpackage: ...
If it's not present no compiler commands are detected. In case you don't use
-dpkp-buildpackage but still want to check a build log adding it as first line
+dpkg-buildpackage but still want to check a build log, adding it as first line
should work fine.
+To prevent false positives when checking debug builds, compiler lines
+containing '-OO' or '-Og' are considered debug builds and are not checked for
+'-O2', even though fortification doesn't work without '-O2'.
+
The following non-verbose builds can't be detected:
gcc -o test
blhc is licensed under GPL version 3 or later.
-Copyright (C) 2012 Simon Ruderich
+Copyright (C) 2012-2020 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+// vim: ft=asciidoc
ruderich.org/simon / blhc / blhc.git / blobdiff