Annotation of wikisrc/pkgsrc/hardening.mdwn, revision 1.10
1.1 khorben 1: [[!meta title="Hardening pkgsrc"]]
2:
1.9 khorben 3: A number of mechanisms are available in [pkgsrc](http://www.pkgsrc.org/) to
4: improve the security of the resulting system. They can be enabled individually
1.1 khorben 5: in `mk.conf`, and consist of:
6:
7: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
8: Executables) when supported on the current platform. This option is necessary
9: to fully leverage ASLR as a mitigation for security vulnerabilities.
10: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
11: functions that do not bounds checking regularly - but could in some cases.
12: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
13: vulnerabilities more difficult in some cases.
14: * `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
15: platforms)
16:
1.2 khorben 17: # Caveats
18:
19: ## Problems with `PKGSRC_MKPIE`
20:
21: ### No support for cwrappers
22:
23: As of the time of this article `PKGSRC_MKPIE` is not supported by
24: `pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).
25:
26: ### Packages failing to build
27:
28: A number of packages may fail to build with this option enabled. The failures
29: are often related to the absence of the "-fPIC" compilation flag when building
30: libraries or executables (or ideally "-fPIE" in the latter case). This flag is
31: added to the `CFLAGS` already, but requires the package to actually support it.
32:
33: #### How to fix
34:
35: These instructions are meant as a reference only; they likely need to be adapted
36: for many packages individually.
37:
38: For packages using `Makefiles`:
39:
40: MAKE_FLAGS+= CFLAGS=${CFLAGS:Q}
41: MAKE_FLAGS+= LDFLAGS=${LDFLAGS:Q}
42:
43: For packages using `Imakefiles`:
44:
45: MAKE_FLAGS+= CCOPTIONS=${CFLAGS:Q}
46: MAKE_FLAGS+= LOCAL_LDFLAGS=${LDFLAGS:Q}
47:
48: ### Run-time crashes
49:
50: Some programs may fail to run, or crash at random times once built as PIE. Two
51: scenarios are essentially possible:
52:
53: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
54: * bug in the implementation of ASLR/mprotect in the Operating System.
55:
1.4 khorben 56: ## Problems with `PKGSRC_USE_FORTIFY`
57:
58: ### Packages failing to build
59:
60: This feature makes use of pre-processing directives to look for hardened,
61: alternative implementations of essential library calls. Some programs may fail
62: to build as a result; this usually happens for those trying too hard to be
63: portable, or otherwise abusing definitions in the standard library.
64:
65: This will require a modification to the program, or disabling this feature for
66: part or all of the build.
67:
68: ### Run-time crashes
69:
70: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
71: crash, usually indicating an actual bug in the program. The fix will typically
72: involve patching the original program.
73:
1.7 khorben 74: ## Problems with `PKGSRC_USE_RELRO`
75:
76: ### Performance impact
77:
78: For better protection, full RELRO requires every symbol to be resolved when the
79: program starts, rather than lazily at run-time. This will have more impact on
80: programs using a lot of symbols, or linked to libraries exposing a lot of
81: symbols. Therefore, daemons or programs otherwise running in background are
82: affected only when started. Programs loading plug-ins at run-time are affected
83: when loading the plug-ins.
84:
85: The impact is not expected to be noticeable on modern hardware, except in some
86: cases for big programs.
87:
1.3 khorben 88: ## Problems with `PKGSRC_USE_SSP`
89:
90: ### Packages failing to build
91:
92: The stack-smashing protection provided by this option does not work for some
93: programs. The two most common situations in which this happens are:
94:
95: * the program makes use of the `alloca(3)` library call (memory allocator on the
96: stack)
97: * the program allocates variables on the stack, with the size determined at
98: run-time.
99:
100: Both cases will require a modification to the program, or disabling this feature
101: for part or all of the build.
102:
103: ### Run-time crashes
104:
1.4 khorben 105: Again, this feature may cause some programs to crash, usually indicating an
106: actual bug in the program. Patching the original program is then required.
1.3 khorben 107:
1.8 khorben 108: ### Performance impact
109:
110: The compiler emits extra code when using this feature: a check for buffer
111: overflows is performed when entering and exiting functions, requiring an extra
112: variable on the stack. The level of protection can otherwise be adjusted to
113: affect only those functions considered more sensitive by the compiler (with
114: `-fstack-protector` instead of `-fstack-protector-all`).
115:
116: The impact is not expected to be noticeable on modern hardware. However,
117: programs with a hard requirement to run at the fastest possible speed should
118: avoid using this feature, or using libraries built with this feature.
119:
1.5 khorben 120: # Auditing the system
121:
122: The illusion of security is worse than having no security at all. This section
123: lists a number of ways to ensure the security features requested are actually
124: effective.
125:
126: _These instructions were obtained and tested on a system derived from NetBSD 7
127: (amd64). YMMV._
128:
129: ## Checking for PIE
130:
131: The ELF executable type in use changes for binaries built as PIE; without:
132:
133: $ file /path/to/bin/ary
134: /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
135:
136: as opposed to the following binary, built as PIE:
137:
138: $ file /path/to/pie/bin/ary
139: /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
140:
141: The latter result is then what is expected.
142:
143: ## Checking for RELRO
144:
145: The following command should list a section called `RELRO`:
146:
147: $ objdump -p /path/to/bin/ary
148:
149: /path/to/bin/ary: file format elf64-x86-64
150:
151: Program Header:
152: [...]
153: RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
1.6 khorben 154:
155: ## Checking for SSP
156:
157: Building objects, binaries and libraries with SSP will affect the presence of
158: additional symbols in the resulting file:
159:
160: $ nm /path/to/bin/ary
161: [...]
162: U __stack_chk_fail
163: 0000000000600ea0 B __stack_chk_guard
164:
165: This is an indicator that the program was indeed built with support for SSP.
166:
1.10 ! khorben 167: # References
! 168:
! 169: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
! 170:
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb