Annotation of wikisrc/pkgsrc/hardening.mdwn, revision 1.14

1.1       khorben     1: [[!meta title="Hardening pkgsrc"]]
                      2: 
1.9       khorben     3: A number of mechanisms are available in [pkgsrc](http://www.pkgsrc.org/) to
                      4: improve the security of the resulting system. They can be enabled individually
1.1       khorben     5: in `mk.conf`, and consist of:
                      6: 
                      7: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
                      8:   Executables) when supported on the current platform. This option is necessary
                      9:   to fully leverage ASLR as a mitigation for security vulnerabilities.
                     10: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
                     11:   functions that do not bounds checking regularly - but could in some cases.
                     12: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
                     13:   vulnerabilities more difficult in some cases.
                     14: * `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
                     15:   platforms)
1.14    ! khorben    16: * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
        !            17:   protection mitigation
1.1       khorben    18: 
1.2       khorben    19: # Caveats
                     20: 
                     21: ## Problems with `PKGSRC_MKPIE`
                     22: 
                     23: ### No support for cwrappers
                     24: 
                     25: As of the time of this article `PKGSRC_MKPIE` is not supported by
                     26: `pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).
                     27: 
                     28: ### Packages failing to build
                     29: 
                     30: A number of packages may fail to build with this option enabled. The failures
                     31: are often related to the absence of the "-fPIC" compilation flag when building
                     32: libraries or executables (or ideally "-fPIE" in the latter case). This flag is
                     33: added to the `CFLAGS` already, but requires the package to actually support it.
                     34: 
                     35: #### How to fix
                     36: 
                     37: These instructions are meant as a reference only; they likely need to be adapted
                     38: for many packages individually.
                     39: 
                     40: For packages using `Makefiles`:
                     41: 
                     42:     MAKE_FLAGS+=       CFLAGS=${CFLAGS:Q}
                     43:     MAKE_FLAGS+=       LDFLAGS=${LDFLAGS:Q}
                     44: 
                     45: For packages using `Imakefiles`:
                     46: 
                     47:     MAKE_FLAGS+=       CCOPTIONS=${CFLAGS:Q}
                     48:     MAKE_FLAGS+=       LOCAL_LDFLAGS=${LDFLAGS:Q}
                     49: 
                     50: ### Run-time crashes
                     51: 
                     52: Some programs may fail to run, or crash at random times once built as PIE. Two
                     53: scenarios are essentially possible:
                     54: 
                     55: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
                     56: * bug in the implementation of ASLR/mprotect in the Operating System.
                     57: 
1.4       khorben    58: ## Problems with `PKGSRC_USE_FORTIFY`
                     59: 
                     60: ### Packages failing to build
                     61: 
                     62: This feature makes use of pre-processing directives to look for hardened,
                     63: alternative implementations of essential library calls. Some programs may fail
                     64: to build as a result; this usually happens for those trying too hard to be
                     65: portable, or otherwise abusing definitions in the standard library.
                     66: 
                     67: This will require a modification to the program, or disabling this feature for
                     68: part or all of the build.
                     69: 
                     70: ### Run-time crashes
                     71: 
                     72: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
                     73: crash, usually indicating an actual bug in the program. The fix will typically
                     74: involve patching the original program.
                     75: 
1.7       khorben    76: ## Problems with `PKGSRC_USE_RELRO`
                     77: 
                     78: ### Performance impact
                     79: 
                     80: For better protection, full RELRO requires every symbol to be resolved when the
1.11      khorben    81: program starts, rather than simply when required at run-time. This will have
                     82: more impact on programs using a lot of symbols, or linked to libraries exposing
                     83: a lot of symbols. Therefore, daemons or programs otherwise running in
                     84: background are affected only when started. Programs loading plug-ins at
                     85: run-time are affected when loading the plug-ins.
1.7       khorben    86: 
                     87: The impact is not expected to be noticeable on modern hardware, except in some
                     88: cases for big programs.
                     89: 
1.12      khorben    90: ### Run-time crashes
                     91: 
                     92: Some programs handle plug-ins and dependencies in a way that conflicts with
                     93: RELRO: for instance, with an initialization routine listing any other plug-in
                     94: required. With full RELRO, the missing symbols are resolved before the
                     95: initialization routine can run, and the dynamic loader will not be able to find
                     96: them directly and abort as a result. Unfortunately, this is how Xorg loads its
                     97: drivers. Partial RELRO can be applied instead in this case.
                     98: 
1.3       khorben    99: ## Problems with `PKGSRC_USE_SSP`
                    100: 
                    101: ### Packages failing to build
                    102: 
                    103: The stack-smashing protection provided by this option does not work for some
                    104: programs. The two most common situations in which this happens are:
                    105: 
                    106: * the program makes use of the `alloca(3)` library call (memory allocator on the
                    107:   stack)
                    108: * the program allocates variables on the stack, with the size determined at
                    109:   run-time.
                    110: 
                    111: Both cases will require a modification to the program, or disabling this feature
                    112: for part or all of the build.
                    113: 
                    114: ### Run-time crashes
                    115: 
1.4       khorben   116: Again, this feature may cause some programs to crash, usually indicating an
                    117: actual bug in the program. Patching the original program is then required.
1.3       khorben   118: 
1.8       khorben   119: ### Performance impact
                    120: 
                    121: The compiler emits extra code when using this feature: a check for buffer
                    122: overflows is performed when entering and exiting functions, requiring an extra
                    123: variable on the stack. The level of protection can otherwise be adjusted to
                    124: affect only those functions considered more sensitive by the compiler (with
                    125: `-fstack-protector` instead of `-fstack-protector-all`).
                    126: 
                    127: The impact is not expected to be noticeable on modern hardware. However,
                    128: programs with a hard requirement to run at the fastest possible speed should
                    129: avoid using this feature, or using libraries built with this feature.
                    130: 
1.5       khorben   131: # Auditing the system
                    132: 
                    133: The illusion of security is worse than having no security at all. This section
                    134: lists a number of ways to ensure the security features requested are actually
                    135: effective.
                    136: 
                    137: _These instructions were obtained and tested on a system derived from NetBSD 7
                    138: (amd64). YMMV._
                    139: 
                    140: ## Checking for PIE
                    141: 
                    142: The ELF executable type in use changes for binaries built as PIE; without:
                    143: 
                    144:     $ file /path/to/bin/ary
                    145:     /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
                    146: 
                    147: as opposed to the following binary, built as PIE:
                    148: 
                    149:     $ file /path/to/pie/bin/ary
                    150:     /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
                    151: 
                    152: The latter result is then what is expected.
                    153: 
1.13      khorben   154: ## Checking for partial RELRO
1.5       khorben   155: 
                    156: The following command should list a section called `RELRO`:
                    157: 
                    158:     $ objdump -p /path/to/bin/ary
                    159: 
                    160:     /path/to/bin/ary:     file format elf64-x86-64
                    161: 
                    162:     Program Header:
                    163:     [...]
                    164:        RELRO off    0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
1.6       khorben   165: 
1.13      khorben   166: ## Checking for full RELRO
                    167: 
                    168: The dynamic loader will apply RELRO immediately when detecting the presence of
                    169: the `BIND_NOW` flag:
                    170: 
                    171:     $ objdump -x /path/to/bin/ary
                    172: 
                    173:     /path/to/bin/ary:     file format elf64-x86-64
                    174: 
                    175:     Dynamic Section:
                    176:     [...]
                    177:       BIND_NOW             0x0000000000000000
                    178: 
                    179: This has to be combined with partial RELRO (see above) to be fully efficient.
                    180: 
1.6       khorben   181: ## Checking for SSP
                    182: 
                    183: Building objects, binaries and libraries with SSP will affect the presence of
                    184: additional symbols in the resulting file:
                    185: 
                    186:     $ nm /path/to/bin/ary
                    187:     [...]
                    188:                      U __stack_chk_fail
                    189:     0000000000600ea0 B __stack_chk_guard
                    190: 
                    191: This is an indicator that the program was indeed built with support for SSP.
                    192: 
1.10      khorben   193: # References
                    194: 
                    195: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
                    196: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb