Difference between revisions of "hardening"
From Lazarus wiki
Revision as of 07:35, 6 December 2021
Hardening - PIE or PIC
Overview
For our purpose here, "hardening" means making your binary harder to attack while it is running. The key measure is PIE, Position Independent Executable: a PIE binary can be loaded at any base address, so the kernel's address space layout randomisation applies to the program's own code and data and not only to the shared libraries it uses, and an attacker can no longer rely on fixed addresses for return-oriented or other code-reuse exploits. FPC supports PIE with a couple of options on most platforms. Some environments require it, and it makes good sense, especially in a server application. PIE is reported to increase the size of an executable slightly and to slow it down marginally.
Most projects only require the following extra FPC command line switches -
-Cg -k-pie -znow
Here -Cg makes the compiler emit position-independent code, -k-pie hands -pie to the linker so the output is linked as a PIE, and -z now asks the linker for immediate binding, so every dynamic symbol is resolved when the program is loaded rather than lazily on first use, which closes the lazy-binding window that leaves the GOT writable.
However, there are some corner cases -
- A Lazarus application will probably already have -Cg in its compile line.
- Small command-line applications that would otherwise produce a statically linked binary compile fine but will not run; the shell reports "No such file or directory". FPC omits the information the dynamic loader needs from such a binary because nothing in it appears to require dynamic linking. The fix is to add {$linklib c} (without quotation marks) to your source. This links against libc, which forces a dynamically linked binary, and FPC then provides the information the linker and loader need.
- At present (late 2021) PIE hardening does not seem to work on PowerPC64le systems; see the bug report at https://gitlab.com/freepascal.org/fpc/source/-/issues/39451
- On some Linux distributions the file command mentions 'pie' in its output for a PIE-hardened binary, but on others it does not. All recent systems will, for a PIE-hardened binary, list something like interpreter /lib64/ld-linux-x86-64.so.2. That loader must exist on the target machine; if it does not, you have the statically linked binary problem described above. A check that does not depend on the distribution's version of file is readelf -h, which reports Type: DYN for a PIE and EXEC for a non-PIE binary, together with readelf -l, which shows the INTERP program header and the loader path it names.
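To perform the check described above without relying on what file prints, here is an added example (it is not from the wiki page and not FPC's own code) that reads the ELF headers directly. It reports whether the binary is a PIE (ELF type ET_DYN), which dynamic loader its PT_INTERP segment names, whether that loader exists on the current host, and whether the dynamic section carries the BIND_NOW flag that the linker sets for -z now. The sample images it builds are constructed, header-only ELF files for exercising the parser, not binaries produced by FPC; run it with a path argument to inspect a real executable.

```python
"""Inspect an ELF binary for PIE, dynamic loader and BIND_NOW.
Added example, not part of the wiki page or of FPC."""
import os
import struct
import sys

ET_EXEC, ET_DYN = 2, 3           # e_type: fixed-address executable / position independent
PT_INTERP, PT_DYNAMIC = 3, 2     # program header types
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1  # flags the linker sets for -z now


def inspect_elf(data, check_fs=True):
    """Parse an ELF32 or ELF64 image held in bytes and return the hardening-relevant facts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"

    interp, bind_now = None, False
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, _flags, p_offset, _va, _pa, p_filesz = fields[:6]
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, p_offset, _va, _pa, p_filesz = fields[:5]
        segment = data[p_offset:p_offset + p_filesz]
        if p_type == PT_INTERP:
            interp = segment.rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            size = struct.calcsize(dyn_fmt)
            for off in range(0, len(segment) - size + 1, size):
                tag, val = struct.unpack_from(dyn_fmt, segment, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    return {
        "e_type": e_type,
        "pie": e_type == ET_DYN,   # note: a shared library is ET_DYN too
        "interp": interp,
        "interp_exists": os.path.exists(interp) if (interp and check_fs) else None,
        "bind_now": bind_now,
    }


def describe(info):
    """One-line verdict in the terms the wiki section uses."""
    if not info["pie"]:
        return "not PIE: fixed load address, ASLR cannot move the main image"
    if info["interp"] is None:
        return "ET_DYN without PT_INTERP: no dynamic loader named, only valid for a self-relocating static-pie"
    if info["interp_exists"] is False:
        return "PIE, but loader %s is missing on this host" % info["interp"]
    return "PIE, loader %s%s" % (info["interp"], ", BIND_NOW (-z now)" if info["bind_now"] else "")


def make_elf64(e_type, interp=None, bind_now=False):
    """Constructed minimal little-endian ELF64 image (headers only, not runnable) as sample input."""
    segments = []
    if interp is not None:
        segments.append((PT_INTERP, interp.encode() + b"\0"))
    if bind_now:
        segments.append((PT_DYNAMIC, struct.pack("<qQqQ", DT_FLAGS_1, DF_1_NOW, DT_NULL, 0)))
    phnum = len(segments)
    offset = 64 + 56 * phnum          # payloads follow the ELF header and program header table
    phdrs, body = b"", b""
    for p_type, payload in segments:
        phdrs += struct.pack("<IIQQQQQQ", p_type, 4, offset, 0, 0, len(payload), len(payload), 1)
        body += payload
        offset += len(payload)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little endian, version 1
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64 if phnum else 0, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ident + header + phdrs + body


if __name__ == "__main__":
    for path in sys.argv[1:] or ["/bin/sh"]:
        with open(path, "rb") as f:
            print(path + ": " + describe(inspect_elf(f.read())))
```

A binary built with the switches above should come out as "PIE, loader ..., BIND_NOW (-z now)"; the "ET_DYN without PT_INTERP" and "loader ... is missing" verdicts are the two shapes of the "No such file or directory" failure to look for.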