Binary hardening on Linux using Relocation Read-Only (RELRO)

Florian Weimer fweimer at redhat.com
Tue Nov 26 13:18:12 UTC 2019


* Matthias Baesken:

> If I understand
> https://bugzilla.redhat.com/show_bug.cgi?id=1571359
> correctly, Red Hat is setting those flags already via the build system.

BFD ld in binutils defaults to relro, except perhaps on s390x where your
version might not implement the partial RELRO variant that you get
without -z now (BIND_NOW is not enabled by default).

> Regarding "bindnow" (ld -z now), this might be set additionally by
> using --with-extra-ldflags .

Yes, that is usually more controversial because it can have an impact on
startup time.  But even the AWT libraries have relatively few function
references, so it probably does not matter.

On the other hand, all this security hardening is typically not very
effective because part of classes.jsa is mapped rwx at a fixed address,
so you can just abuse that (if you want to inject machine code directly,
I'm sure there are other options for bytecode).

Thanks,
Florian



