3

As far as I remember, most Debian Wheezy packages were not compiled with those useful security flags (ASLR, PIE, SSP, and more).

Did the situation improve with Debian Squeeze or the upcoming Debian Buster?

By comparison, Ubuntu and Fedora have a nice security features matrix, but I couldn't find a clear answer for Debian.

puzzle
  • Have you tried using [checksec](https://github.com/slimm609/checksec.sh)? And here is the [2014 status](https://outflux.net/blog/archives/2014/02/03/compiler-hardening-in-ubuntu-and-debian/). – forest Dec 02 '18 at 03:08

1 Answer

2

You can check if a binary is compiled with

  1. PIE
  2. stack protection
  3. fortify source
  4. RO relocations
  5. Immediate binding

by using hardening-check, e.g. `hardening-check $(which sshd)`. The devscripts package contains hardening-check.

On Debian testing I get the following output:

```
root@root:~# hardening-check $(which sshd)
/usr/sbin/sshd
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected funcions found)
Read-only relocations: yes
Immediate binding: yes
```

See the following answer on stackexchange
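
An added example (not part of the original answer, and not hardening-check's own code): a Python sketch that reads the same five properties directly from a 64-bit little-endian ELF file, which is useful when devscripts is not installed. The function name `check_hardening`, the PIE heuristic, and the byte scan for `__stack_chk_fail` and `__*_chk` symbol names are assumptions of this example.

```python
import re, struct, sys

# Constants from the ELF specification / glibc <elf.h>.
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
ET_DYN = 3

def check_hardening(data: bytes) -> dict:
    """Return the five properties listed above for a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    seg_types, dyn = set(), {}
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        seg_types.add(p_type)
        if p_type == PT_DYNAMIC:
            # The dynamic segment is an array of (tag, value) pairs ending at DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == 0:
                    break
                dyn[tag] = val
    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # ET_DYN alone also matches shared libraries, so require an interpreter
    # segment or the DF_1_PIE flag before calling it a PIE (heuristic).
    pie = e_type == ET_DYN and (PT_INTERP in seg_types
                                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE))
    return {
        "pie": pie,
        # Symbol names are found by scanning the image bytes (heuristic).
        "stack_protected": b"__stack_chk_fail\0" in data,
        "fortify_source": re.search(rb"__\w+_chk\0", data) is not None,
        "relro": PT_GNU_RELRO in seg_types,
        "bind_now": bind_now,
    }

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else sys.executable, "rb") as fh:
        for name, value in check_hardening(fh.read()).items():
            print(f"{name}: {'yes' if value else 'no'}")
```

Read-only relocations only cover the whole GOT when immediate binding is also enabled, which is why the two are reported separately.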