How to compile BASH with ASLR?

For discussions about programming, programming questions/advice, and projects that don't really have anything to do with Puppy.
Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

How to compile BASH with ASLR?

#1 Post by Scooby »

Does anyone know how to compile bash with ASLR (Address Space Layout Randomization)?

I have tried to hack the -fPIE, -fPIC and -pie flags into the Makefile, but it always fails during linking.

Can you give "configure" a directive to use ASLR?

stevenhoneyman1
Posts: 4
Joined: Sun 28 Sep 2014, 11:50

#2 Post by stevenhoneyman1 »

ASLR is a PITA to apply manually at the moment. Luckily compiler wrappers exist :) You could borrow one from Debian (it's just a perl script) (https://packages.debian.org/source/sid/ ... ng-wrapper) or write your own shell script based on this logic:
 - loop through the parameters 1 at a time
 - assume -fPIE and -pie are going to be added
 - if it matches any of these, remove both: (-fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-nopie|-static|--static|-shared|--shared|-D__KERNEL__|-nostdlib|-nostartfiles)
 - if it matches any of these, remove -fPIE: (-fPIC|-fpic|-fPIE|-fpie)
 - if it matches any of these, remove -pie: (-c|-E)
End result should get you:

Code:

$ hardening-check /bin/bash
/bin/bash:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
EDIT: forgot to mention; strip your CFLAGS of "-fuse-ld=gold" or similar... that angers ./configure + pie. A symlink should sort things out if you really need to use a specific linker

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#3 Post by Scooby »

I checked out the Debian hardening_wrapper.

And I couldn't figure out what is being done in preinst.

The question is what dpkg-divert does with the original gcc file.

See the code below.

If you assume $1 is gcc-4.8, what will happen to it?
Will it be gcc-4.8.real?

Code:

dpkg-divert --package hardening-wrapper --add --rename \
    --divert /usr/bin/"$1".real /usr/bin/"$1"

Also, on my system gcc is called just gcc. I guess on Debian they are named with a version?
I am not sure how to tweak that in.

stevenhoneyman1
Posts: 4
Joined: Sun 28 Sep 2014, 11:50

#4 Post by stevenhoneyman1 »

Honestly, I don't know. I knew Debian had a hardening wrapper... but I'm not sure on their naming conventions etc. Hopefully this little (silly!) example will explain how it works:

Code:

#!/bin/bash

flag1=0
flag2=0
args=()

for flag; do
  case $flag in
    -cow|-chicken|-sheep)
      flag1=1
      ;;
    -blue|-red|-green)
      flag2=1
      ;;
  esac
done

[[ $flag1 -eq 1 ]] && args+=(--enable-animals)
[[ $flag2 -eq 1 ]] && args+=(--enable-colours)

# pretend this was "exec" instead of "echo"
echo "$0" "${args[@]}" "$@"
So your symlink "fake bin" directory contains "gcc", "g++", "ld.gold" etc., which are all symlinks pointing to the wrapper. The fake bin dir goes at the start of your $PATH. With the example above, if you set it up and run

Code:

gcc -green not_real_file.c
it will auto-add "--enable-colours".
You just need to swap out sheep and chickens for -fstack-protector and -fPIE (and so on :P)
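The flag rules from post #2 combined with the "fake bin" symlink layout from post #4, as an added example written for this thread (it is neither the script above nor Debian's or Arch's hardening-wrapper). It assumes the file is saved as ~/hardening-bin/wrapper, that gcc, g++ and cc in that directory are symlinks to it, and that the directory is first in $PATH; the real compiler is then found in the rest of PATH, so no dpkg-divert renaming is needed.

```shell
#!/bin/sh
# Added example: minimal PIE/ASLR compiler wrapper (not the thread's script,
# not the Debian/Arch hardening-wrapper). Assumed install: ~/hardening-bin/wrapper
# with symlinks gcc, g++, cc -> wrapper in that dir, and the dir first in PATH.

# harden_run CMD ARGS...: run CMD with ARGS rewritten by the post #2 rules.
harden_run() {
    cmd=$1; shift
    add_fpie=1; add_pie=1
    for arg; do
        case $arg in
            # Incompatible with PIE (static, shared, kernel, no CRT): add neither.
            -fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-nopie|-static|--static|\
            -shared|--shared|-D__KERNEL__|-nostdlib|-nostartfiles)
                add_fpie=0; add_pie=0 ;;
            # Caller already chose a PIC/PIE code model: keep theirs, drop -fPIE.
            -fPIC|-fpic|-fPIE|-fpie) add_fpie=0 ;;
            # No link step (compile-only / preprocess-only): -pie would be useless.
            -c|-E) add_pie=0 ;;
        esac
    done
    # Prepend the hardening flags so any explicit user flag still comes later.
    [ "$add_pie" = 1 ] && set -- -pie "$@"
    [ "$add_fpie" = 1 ] && set -- -fPIE "$@"
    "$cmd" "$@"
}

# show_args: dry-run stand-in for the compiler, prints its arguments one per line.
show_args() { printf '%s\n' "$@"; }

# When invoked through a compiler-named symlink, dispatch to the real tool;
# under any other name (e.g. when sourced for testing) do nothing.
case ${0##*/} in
    gcc|g++|cc|c++)
        tool=${0##*/}
        wrapper_dir=$(cd "$(dirname "$0")" && pwd)
        # Remove our own directory from PATH so command -v finds the real compiler.
        real_path=$(printf '%s\n' "$PATH" | tr ':' '\n' | grep -vxF "$wrapper_dir" | paste -sd:)
        real=$(PATH=$real_path command -v "$tool") || {
            echo "hardening wrapper: real $tool not found in PATH" >&2; exit 127; }
        if [ "${HARDENING_DRYRUN:-0}" = 1 ]; then harden_run show_args "$@"
        else harden_run "$real" "$@"; fi
        exit $?
        ;;
esac
```

Running `HARDENING_DRYRUN=1 gcc -O2 foo.c -o foo` through the symlink prints the rewritten argument list instead of compiling, which is a quick way to check the rules before pointing a real build at it.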

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#5 Post by Scooby »

I did a search and found out that a hardening-wrapper in bash was added to the Arch repo
on 2014-09-28
https://www.archlinux.org/packages/comm ... g-wrapper/

Since I use the Arch rollback machine of an earlier date, it did not show up in the package manager.

Tried it out and it worked splendidly.

Had to upgrade gcc to 4.9 to enable -fstack-protector.

Code:

> hardening-check ./bash
./bash:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
And I have these options in the conf file:

Code:

HARDENING_BINDNOW=1
HARDENING_PIE=1
HARDENING_FORTIFY=2
HARDENING_RELRO=1
HARDENING_STACK_CHECK=1
HARDENING_STACK_PROTECTOR=2

stevenhoneyman1
Posts: 4
Joined: Sun 28 Sep 2014, 11:50

#6 Post by stevenhoneyman1 »

Glad you got it working. That script is pretty much a copy-paste job of the Debian wrapper, you know. Check the early commits - even the variable names were the same :P

EDIT: link might be useful https://projects.archlinux.org/svntogit ... ng-wrapper

mikewax
Posts: 2
Joined: Tue 30 Sep 2014, 23:23

#7 Post by mikewax »

Hello all,
I'm not even gonna try to follow this conversation about ASLR. I'm hoping that someone will post a new BASH with the shellshock vulnerability fixed.

thanx, mikewax

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#8 Post by Scooby »

Which distro are you on?

If Puppy, see below.

Check out the thread http://murga-linux.com/puppy/viewtopic.php?t=95819
There are several versions of patched Bash pets for different Puppies.

mikewax
Posts: 2
Joined: Tue 30 Sep 2014, 23:23

#9 Post by mikewax »

Thanks, that's what I need :-)
