On Fri, Mar 02, 2012 at 09:12:16AM +0100, Mike Hommey wrote:
> On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
> > Kees Cook <k...@debian.org> writes:
> >
> > > Speaking to the false positives problem, I've discussed with some people
> > > the idea of having build flags be included in some sort of ELF
> > > comment-like area that can be examined. That way it becomes trivial to
> > > answer "how was this built?" and all these crappy heuristic checks can
> > > get thrown away. In the meantime, I'll continue to work on the crappy
> > > heuristic checks. ;)
> >
> > That sounds complicated, since there are separate compiler flags for every
> > object (which may not match) and then the linker flags used to assemble
> > the final executable or shared object. Does ELF give you object-specific
> > comment areas?
>
> You can have a comment section generated for each object (as a matter
> of fact, gcc does that already to put its version), and the linker
> aggregates them in a single section.
>
> I'm not a big fan of cluttering ELF binaries for a relatively small
> benefit. Except maybe if that's moved with the debug info in
> /usr/lib/debug.
Yeah, I'm not sure what it'd look like, but I would want to see it upstream. Besides being an intrusive change, there are other projects interested in this kind of post-build analysis.

-Kees

-- 
Kees Cook                                            @debian.org

Archive: http://lists.debian.org/20120302165349.gc3...@outflux.net
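The per-object `.comment` strings that gcc emits and the linker aggregates (as Mike describes) are easy to pull out for post-build analysis. The following is an added example, not code from the thread or from Debian's tooling: a minimal little-endian ELF64 section-table walker that returns the NUL-separated strings in `.comment`, plus a constructed sample object (with made-up GCC version strings) so it runs offline; all function names are this example's own.

```python
import struct

SHDR_FMT = "<IIQQQQIIQQ"  # Elf64_Shdr, little-endian


def build_sample_elf(comments):
    """Construct a minimal little-endian ELF64 object holding only a
    .comment section and its .shstrtab (constructed sample, not real
    compiler output)."""
    comment = b"".join(c.encode() + b"\0" for c in comments)
    shstrtab = b"\0.comment\0.shstrtab\0"
    comment_off = 64                      # right after the ELF header
    shstrtab_off = comment_off + len(comment)
    shoff = shstrtab_off + len(shstrtab)  # section header table follows
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # e_ident
    ehdr += struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0,
                        64, 0, 0, 64, 3, 2)  # ET_REL, x86-64, 3 shdrs

    def shdr(name_idx, sh_type, off, size):
        return struct.pack(SHDR_FMT, name_idx, sh_type, 0, 0, off, size,
                           0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0)                               # SHT_NULL
             + shdr(1, 1, comment_off, len(comment))        # SHT_PROGBITS
             + shdr(10, 3, shstrtab_off, len(shstrtab)))    # SHT_STRTAB
    return ehdr + comment + shstrtab + shdrs


def elf_comment_strings(data):
    """Return the NUL-separated strings in .comment (empty list if none)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)

    def section(i):
        return struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize)

    str_off, str_size = section(shstrndx)[4:6]
    shstrtab = data[str_off:str_off + str_size]
    for i in range(shnum):
        name_idx, _, _, _, off, size = section(i)[:6]
        name = shstrtab[name_idx:shstrtab.index(b"\0", name_idx)]
        if name == b".comment":
            blob = data[off:off + size]
            return [s.decode("latin-1") for s in blob.split(b"\0") if s]
    return []


def comment_strings_from_file(path):
    """Same check against an on-disk binary or a /usr/lib/debug file."""
    with open(path, "rb") as f:
        return elf_comment_strings(f.read())
```

Run against a real linked binary, the returned list shows one entry per distinct toolchain string the linker merged in, which is what makes differing compiler versions across objects visible without any heuristics.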