X-Git-Url: https://ruderich.org/simon/gitweb/?p=blhc%2Fblhc.git;a=blobdiff_plain;f=README;h=60a43705cfb46501e3d883293cb6f04d402e8499;hp=a2adcb8adb761092146c17ee0b2b7350a9a04269;hb=refs%2Fheads%2Fmaster;hpb=2839b145ae987b823227ba569e140f413b84b303 diff --git a/README b/README index a2adcb8..1a93f4c 100644 --- a/README +++ b/README @@ -4,12 +4,24 @@ README blhc (build log hardening check) is a small tool which checks build logs for missing hardening flags. It's licensed under the GPL 3 or later. +Hardening flags enable additional security features in the compiler to prevent +e.g. stack overflows, format string vulnerabilities, GOT overwrites, etc. + +Because most build systems are quite complicated there are many places where +compiler flags from the environment might be ignored. The parser verifies that +all compiler commands use the correct hardening flags and thus all hardening +features are correctly used. + It's designed to check build logs generated by Debian's dpkg-buildpackage (or -tools using dpkg-buildpackage like pbuilder or the official buildd build logs) -to help maintainers detect missing hardening flags in their packages. +tools using dpkg-buildpackage like pbuilder or sbuild (which is used for the +official buildd build logs)) to help maintainers detect missing hardening +flags in their packages. At the moment it works only on Debian and derivatives but it should be easily -extendable for other systems as well. +extendable to other systems as well. Patches are welcome. + +Only gcc is detected as compiler at the moment. If other compilers support +hardening flags as well, please report them. For more information about hardening flags have a look at [1]. @@ -22,6 +34,10 @@ DEPENDENCIES - Perl - Dpkg::Arch - Dpkg::Version + - Term::ANSIColor >= 2.01 + Bundled with perl. A recent version is only necessary for build logs with + ANSI colors which is rare, blhc works fine without if the build log + doesn't use colors. Not required for buildd mode. USAGE @@ -29,6 +45,12 @@ USAGE blhc path/to/log/file +blhc can be run directly from the source tree (`bin/blhc`) or copied anywhere +on the system. It doesn't have to be explicitly installed. To read the man +page use `perldoc bin/blhc`. + +If there's no output, no flags are missing and the build log is fine. + For more examples see the man page. @@ -45,7 +67,7 @@ Consider the following compiler line: blhc generates the following warnings because all hardening flags are missing: - CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -o test test.c + CFLAGS missing (-fstack-protector-strong -Wformat -Werror=format-security): gcc -g -O2 -o test test.c CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -o test test.c LDFLAGS missing (-Wl,-z,relro): gcc -g -O2 -o test test.c @@ -79,6 +101,15 @@ following line (output of dpkg-buildpackage): The available hardening flags are adapted to the architecture because some architectures don't support certain hardening options. +Some checks check the build dependencies for certain packages. The following +lines are used to get the build dependencies. The first two are used in buildd +build logs (the second was used in older logs), the third by pbuilder logs, +all are detected: + + Filtered Buildd-Depends: ... + Build-Depends: ... + Depends: ... + LIMITATIONS ----------- @@ -89,9 +120,13 @@ real compile process (output of dpkg-buildpackage): dpkg-buildpackage: ... If it's not present no compiler commands are detected. In case you don't use -dpkp-buildpackage but still want to check a build log adding it as first line +dpkg-buildpackage but still want to check a build log, adding it as first line should work fine. +To prevent false positives when checking debug builds, compiler lines +containing '-OO' or '-Og' are considered debug builds and are not checked for +'-O2', even though fortification doesn't work without '-O2'. + The following non-verbose builds can't be detected: gcc -o test @@ -139,7 +174,7 @@ LICENSE blhc is licensed under GPL version 3 or later. -Copyright (C) 2012 Simon Ruderich +Copyright (C) 2012-2024 Simon Ruderich This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -153,3 +188,5 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . + +// vim: ft=asciidoc