Annotation of wikisrc/pkgsrc/hardening.mdwn, revision 1.21
1.1 khorben 1: [[!meta title="Hardening pkgsrc"]]
2:
1.20 khorben 3: A number of mechanisms are available in [pkgsrc](https://www.pkgsrc.org/) to
1.9 khorben 4: improve the security of the resulting system. They can be enabled individually
1.1 khorben 5: in `mk.conf`, and consist of:
6:
7: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
8: Executables) when supported on the current platform. This option is necessary
9: to fully leverage ASLR as a mitigation for security vulnerabilities.
10: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
1.21 ! leot 11: functions that do not bounds checking regularly - but could in some cases
! 12: (enabled by default since pkgsrc-2017Q3)
1.1 khorben 13: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
14: vulnerabilities more difficult in some cases.
1.21 ! leot 15: * `PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled
! 16: by default where known supported since pkgsrc-2017Q3)
1.14 khorben 17: * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
1.16 khorben 18: protection mitigation.
1.1 khorben 19:
1.2 khorben 20: # Caveats
21:
22: ## Problems with `PKGSRC_MKPIE`
23:
1.19 khorben 24: ### Recent support for cwrappers
1.2 khorben 25:
1.19 khorben 26: `PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3
27: release on (`USE_CWRAPPERS` in `mk.conf`).
1.2 khorben 28:
29: ### Packages failing to build
30:
31: A number of packages may fail to build with this option enabled. The failures
1.18 khorben 32: are often related to the absence of the `-fPIC` compilation flag when building
33: libraries or executables (or ideally `-fPIE` in the latter case). This flag is
1.2 khorben 34: added to the `CFLAGS` already, but requires the package to actually support it.
35:
36: #### How to fix
37:
38: These instructions are meant as a reference only; they likely need to be adapted
39: for many packages individually.
40:
41: For packages using `Makefiles`:
42:
43: MAKE_FLAGS+= CFLAGS=${CFLAGS:Q}
44: MAKE_FLAGS+= LDFLAGS=${LDFLAGS:Q}
45:
46: For packages using `Imakefiles`:
47:
48: MAKE_FLAGS+= CCOPTIONS=${CFLAGS:Q}
49: MAKE_FLAGS+= LOCAL_LDFLAGS=${LDFLAGS:Q}
50:
51: ### Run-time crashes
52:
53: Some programs may fail to run, or crash at random times once built as PIE. Two
54: scenarios are essentially possible:
55:
56: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
57: * bug in the implementation of ASLR/mprotect in the Operating System.
58:
1.4 khorben 59: ## Problems with `PKGSRC_USE_FORTIFY`
60:
61: ### Packages failing to build
62:
63: This feature makes use of pre-processing directives to look for hardened,
64: alternative implementations of essential library calls. Some programs may fail
65: to build as a result; this usually happens for those trying too hard to be
66: portable, or otherwise abusing definitions in the standard library.
67:
68: This will require a modification to the program, or disabling this feature for
69: part or all of the build.
70:
71: ### Run-time crashes
72:
73: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
74: crash, usually indicating an actual bug in the program. The fix will typically
75: involve patching the original program.
76:
1.7 khorben 77: ## Problems with `PKGSRC_USE_RELRO`
78:
79: ### Performance impact
80:
81: For better protection, full RELRO requires every symbol to be resolved when the
1.11 khorben 82: program starts, rather than simply when required at run-time. This will have
83: more impact on programs using a lot of symbols, or linked to libraries exposing
84: a lot of symbols. Therefore, daemons or programs otherwise running in
85: background are affected only when started. Programs loading plug-ins at
86: run-time are affected when loading the plug-ins.
1.7 khorben 87:
88: The impact is not expected to be noticeable on modern hardware, except in some
89: cases for big programs.
90:
1.12 khorben 91: ### Run-time crashes
92:
93: Some programs handle plug-ins and dependencies in a way that conflicts with
94: RELRO: for instance, with an initialization routine listing any other plug-in
95: required. With full RELRO, the missing symbols are resolved before the
96: initialization routine can run, and the dynamic loader will not be able to find
97: them directly and abort as a result. Unfortunately, this is how Xorg loads its
98: drivers. Partial RELRO can be applied instead in this case.
99:
1.3 khorben 100: ## Problems with `PKGSRC_USE_SSP`
101:
102: ### Packages failing to build
103:
104: The stack-smashing protection provided by this option does not work for some
105: programs. The two most common situations in which this happens are:
106:
107: * the program makes use of the `alloca(3)` library call (memory allocator on the
108: stack)
109: * the program allocates variables on the stack, with the size determined at
110: run-time.
111:
112: Both cases will require a modification to the program, or disabling this feature
113: for part or all of the build.
114:
115: ### Run-time crashes
116:
1.4 khorben 117: Again, this feature may cause some programs to crash, usually indicating an
118: actual bug in the program. Patching the original program is then required.
1.3 khorben 119:
1.8 khorben 120: ### Performance impact
121:
122: The compiler emits extra code when using this feature: a check for buffer
123: overflows is performed when entering and exiting functions, requiring an extra
124: variable on the stack. The level of protection can otherwise be adjusted to
125: affect only those functions considered more sensitive by the compiler (with
126: `-fstack-protector` instead of `-fstack-protector-all`).
127:
128: The impact is not expected to be noticeable on modern hardware. However,
129: programs with a hard requirement to run at the fastest possible speed should
130: avoid using this feature, or using libraries built with this feature.
131:
1.5 khorben 132: # Auditing the system
133:
134: The illusion of security is worse than having no security at all. This section
135: lists a number of ways to ensure the security features requested are actually
136: effective.
137:
138: _These instructions were obtained and tested on a system derived from NetBSD 7
139: (amd64). YMMV._
140:
141: ## Checking for PIE
142:
143: The ELF executable type in use changes for binaries built as PIE; without:
144:
145: $ file /path/to/bin/ary
146: /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
147:
148: as opposed to the following binary, built as PIE:
149:
150: $ file /path/to/pie/bin/ary
151: /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
152:
153: The latter result is then what is expected.
154:
1.13 khorben 155: ## Checking for partial RELRO
1.5 khorben 156:
157: The following command should list a section called `RELRO`:
158:
159: $ objdump -p /path/to/bin/ary
160:
161: /path/to/bin/ary: file format elf64-x86-64
162:
163: Program Header:
164: [...]
165: RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
1.6 khorben 166:
1.17 khorben 167: This check is now performed automatically if `PKG_DEVELOPER` is set and `RELRO`
168: is enabled.
169:
1.13 khorben 170: ## Checking for full RELRO
171:
172: The dynamic loader will apply RELRO immediately when detecting the presence of
173: the `BIND_NOW` flag:
174:
175: $ objdump -x /path/to/bin/ary
176:
177: /path/to/bin/ary: file format elf64-x86-64
178:
179: Dynamic Section:
180: [...]
181: BIND_NOW 0x0000000000000000
182:
183: This has to be combined with partial RELRO (see above) to be fully efficient.
184:
1.6 khorben 185: ## Checking for SSP
186:
187: Building objects, binaries and libraries with SSP will affect the presence of
188: additional symbols in the resulting file:
189:
190: $ nm /path/to/bin/ary
191: [...]
192: U __stack_chk_fail
193: 0000000000600ea0 B __stack_chk_guard
194:
195: This is an indicator that the program was indeed built with support for SSP.
196:
1.10 khorben 197: # References
198:
199: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
200:
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc