On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
> Kees Cook <k...@debian.org> writes:
> 
> > Speaking to the false positives problem, I've discussed with some people
> > the idea of having build flags be included in some sort of ELF
> > comment-like area that can be examined. That way it becomes trivial to
> > answer "how was this built?" and all these crappy heuristic checks that
> > get thrown away. In the meantime, I'll continue to work on the crappy
> > heuristic checks. ;)
> 
> That sounds complicated, since there are separate compiler flags for every
> object (which may not match) and then the linker flags used to assemble
> the final executable or shared object.  Does ELF give you object-specific
> comment areas?

You can have comment sections generated for each object (as a matter
of fact, gcc does that already to put its version), and the linker
aggregates them in a single section.

I'm not a big fan of cluttering ELF binaries for a relatively small
benefit. Except maybe if that's moved with the debug info in
/usr/lib/debug.

Mike
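
Added example, not part of the original message: a small reader for the aggregated `.comment` section discussed above, run against a constructed minimal ELF64 object. The two "GCC: (constructed)" strings and the helper names `comment_strings` and `build_sample` are assumptions made for illustration; only little-endian ELF64 is handled.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header

def comment_strings(elf: bytes) -> list[str]:
    """Return the NUL-separated strings stored in the .comment section."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = EHDR.unpack_from(elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    sections = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = sections[shstrndx][4]  # file offset of the section name table
    for name_off, _type, _flags, _addr, off, size, *_ in sections:
        start = strtab_off + name_off
        name = elf[start:elf.index(b"\0", start)]
        if name == b".comment":
            data = elf[off:off + size]
            return [s.decode("ascii", "replace") for s in data.split(b"\0") if s]
    return []  # stripped, or built by a toolchain that emits no ident

def build_sample() -> bytes:
    """Constructed sample: null section, .comment, .shstrtab, nothing else."""
    # One ident string per contributing compiler, as left after linking.
    comment = b"GCC: (constructed) 4.6.0\0GCC: (constructed) 4.4.0\0"
    shstrtab = b"\0.comment\0.shstrtab\0"
    shoff = 64 + len(comment) + len(shstrtab)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    null = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    # 0x30 = SHF_MERGE | SHF_STRINGS, which lets the linker fold duplicates
    sh_comment = SHDR.pack(1, 1, 0x30, 0, 64, len(comment), 0, 0, 1, 1)
    sh_strtab = SHDR.pack(10, 3, 0, 0, 64 + len(comment), len(shstrtab), 0, 0, 1, 0)
    return ehdr + comment + shstrtab + null + sh_comment + sh_strtab

if __name__ == "__main__":
    for line in comment_strings(build_sample()):
        print(line)
```

The section says which compilers contributed objects, not which flags each object was built with, and it is absent once a binary has been stripped of it.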

