search

ResistancePlatform / resistance-miner

Resistance Miner
Other
13 stars 7 forks source link

hardening flags save? #9

Closed adrelanos closed 5 years ago

adrelanos commented 5 years ago

Compilation during Debian package build uses more hardening compile time flags than a build outside of packaging.

I would suggest to upgrade the upstream (non-packaging) build compile flags.

The more important question is, are these hardening flags save? I guess they are but I am not a C programmer. My gap in knowledge is: could these result in a network split?

Compiled during Debian package build:

checksec --file /usr/bin/minerd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/minerd
hardening-check /usr/bin/minerd
/usr/bin/minerd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
gcc -DHAVE_CONFIG_H -I.  -I./compat/jansson -pthread -Wdate-time -D_FORTIFY_SOURCE=2  -g -O2 -fdebug-prefix-map=/build/resistance-miner-2.5.0.res3=. -fstack-protector-strong -Wformat -Werror=format-security -c -o minerd-cpu-miner.o `test -f 'cpu-miner.c' || echo './'`cpu-miner.c

Compiled outside of packaging:

checksec --file minerd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH  Symbols     FORTIFY Fortified   Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   439 Symbols No  0       30  minerd
hardening-check minerd
minerd:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!
gcc -DHAVE_CONFIG_H -I.  -I./compat/jansson -pthread   -Wall -O2 -fomit-frame-pointer -MT minerd-cpu-miner.o -MD -MP -MF .deps/minerd-cpu-miner.Tpo -c -o minerd-cpu-miner.o `test -f 'cpu-miner.c' || echo './'`cpu-miner.c
solardiz commented 5 years ago

It's safe to use these hardening flags, but some of them might affect mining performance (most won't).

solardiz commented 5 years ago

Also, upstreaming of hardening flags may reduce portability (such as to non-Linux) or complicate our autoconf logic (testing whether the system supports each flag before adding it).

solardiz commented 5 years ago

The question asked in this issue has been addressed in the discussion.