Awesome job. Thanks. On Sun, Nov 18, 2012 at 10:40 AM, Nick Kralevich <[email protected]> wrote: > > -D_FORTIFY_SOURCE=1 protections were added in Android in 4.2, and almost all > programs on 4.2 are compiled with FORTIFY_SOURCE enabled. > > Some implementation notes, for those curious: > > FORTIFY_SOURCE protections are only enabled for applications compiled with > gcc. In particiular, llvm does not support the gnu_inline function attribute > necessary for FORTIFY_SOURCE to work. > FORTIFY_SOURCE protections are only enabled on ARM based systems. MIPS and > x86 Android systems do not currently have it enabled. > > The following Android libc functions are fortified: > > bzero > memcpy > memmove > strcpy > strncpy > strcat > strncat > memset > strlcpy (not in GLIBC) > strlcat (not in GLIBC) > strlen (bionic FORTIFY_SOURCE extension. Detect strlen calls on non-null > terminated character arrays.) > umask (bionic FORTIFY_SOURCE extension. Detect invalid umask calls. For > example: umask(777) instead of umask(0777)) > open > openat > vsnprintf > vsprintf > snprintf > sprintf > fgets > > FORTIFY_SOURCE was just one of the security hardening measures added in 4.2. > A more complete list can be found at > http://developer.android.com/about/versions/jelly-bean.html > > -- Nick > > On Sun, Nov 18, 2012 at 3:55 AM, Pau Oliva Fora <[email protected]> wrote: >> >> I believe yes, but not sure if support is completed. >> >> You can check through the git commits for tag android-4.2_r1 here: >> >> https://android.googlesource.com/platform/bionic.git/+/android-4.2_r1 >> >> Cheers, >> >> pof >> >> >> On 11/18/2012 11:05 AM, Jeffrey Walton wrote: >>> >>> Did Android 4.2 add support for FORTIFY_SOURCE=1? >>> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Android Security Discussions" group. >> To post to this group, send email to >> [email protected]. >> To unsubscribe from this group, send email to >> [email protected]. >> For more options, visit this group at >> http://groups.google.com/group/android-security-discuss?hl=en. >> > > > > -- > Nick Kralevich | Android Security | [email protected] | 650.214.4037 >
-- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
