Annotation of wikisrc/pkgsrc/hardening.mdwn, revision 1.22
1.1 khorben 1: [[!meta title="Hardening pkgsrc"]]
2:
1.22 ! gdt 3: A number of mechanisms are available in
! 4: [pkgsrc](https://www.pkgsrc.org/) to improve the security of the
! 5: resulting system. This page describes the mechanisms, and gives hints
! 6: about detecting and fixing problems.
! 7:
! 8: # Mechanisms
! 9:
! 10: Mechanisms can be enabled individually in `mk.conf`, and are
! 11: individually described below. They are sorted by whether thery are
! 12: enabled by default, and then by their ordering in mk/defaults/mk.conf.
! 13:
! 14: ## Enabled by default in the stable branch
1.1 khorben 15:
16: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
1.21 leot 17: functions that do not bounds checking regularly - but could in some cases
18: (enabled by default since pkgsrc-2017Q3)
1.22 ! gdt 19:
! 20: * 'PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled
! 21: by default where known supported since pkgsrc-2017Q3)
! 22:
! 23: ## Enabled by default in pkgsrc HEAD
! 24:
! 25: ## Not enabled by default
! 26:
! 27: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
! 28: Executables) when supported on the current platform. With PIE
! 29: executables, a platform that supports ASLR will be able to randomize
! 30: the process layout.
! 31:
1.1 khorben 32: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
33: vulnerabilities more difficult in some cases.
1.22 ! gdt 34:
1.14 khorben 35: * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
1.16 khorben 36: protection mitigation.
1.1 khorben 37:
1.2 khorben 38: # Caveats
39:
40: ## Problems with `PKGSRC_MKPIE`
41:
1.19 khorben 42: ### Recent support for cwrappers
1.2 khorben 43:
1.19 khorben 44: `PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3
45: release on (`USE_CWRAPPERS` in `mk.conf`).
1.2 khorben 46:
47: ### Packages failing to build
48:
49: A number of packages may fail to build with this option enabled. The failures
1.18 khorben 50: are often related to the absence of the `-fPIC` compilation flag when building
51: libraries or executables (or ideally `-fPIE` in the latter case). This flag is
1.2 khorben 52: added to the `CFLAGS` already, but requires the package to actually support it.
53:
54: #### How to fix
55:
56: These instructions are meant as a reference only; they likely need to be adapted
57: for many packages individually.
58:
59: For packages using `Makefiles`:
60:
61: MAKE_FLAGS+= CFLAGS=${CFLAGS:Q}
62: MAKE_FLAGS+= LDFLAGS=${LDFLAGS:Q}
63:
64: For packages using `Imakefiles`:
65:
66: MAKE_FLAGS+= CCOPTIONS=${CFLAGS:Q}
67: MAKE_FLAGS+= LOCAL_LDFLAGS=${LDFLAGS:Q}
68:
69: ### Run-time crashes
70:
71: Some programs may fail to run, or crash at random times once built as PIE. Two
72: scenarios are essentially possible:
73:
74: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
75: * bug in the implementation of ASLR/mprotect in the Operating System.
76:
1.4 khorben 77: ## Problems with `PKGSRC_USE_FORTIFY`
78:
79: ### Packages failing to build
80:
81: This feature makes use of pre-processing directives to look for hardened,
82: alternative implementations of essential library calls. Some programs may fail
83: to build as a result; this usually happens for those trying too hard to be
84: portable, or otherwise abusing definitions in the standard library.
85:
86: This will require a modification to the program, or disabling this feature for
87: part or all of the build.
88:
89: ### Run-time crashes
90:
91: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
92: crash, usually indicating an actual bug in the program. The fix will typically
93: involve patching the original program.
94:
1.7 khorben 95: ## Problems with `PKGSRC_USE_RELRO`
96:
97: ### Performance impact
98:
99: For better protection, full RELRO requires every symbol to be resolved when the
1.11 khorben 100: program starts, rather than simply when required at run-time. This will have
101: more impact on programs using a lot of symbols, or linked to libraries exposing
102: a lot of symbols. Therefore, daemons or programs otherwise running in
103: background are affected only when started. Programs loading plug-ins at
104: run-time are affected when loading the plug-ins.
1.7 khorben 105:
106: The impact is not expected to be noticeable on modern hardware, except in some
107: cases for big programs.
108:
1.12 khorben 109: ### Run-time crashes
110:
111: Some programs handle plug-ins and dependencies in a way that conflicts with
112: RELRO: for instance, with an initialization routine listing any other plug-in
113: required. With full RELRO, the missing symbols are resolved before the
114: initialization routine can run, and the dynamic loader will not be able to find
115: them directly and abort as a result. Unfortunately, this is how Xorg loads its
116: drivers. Partial RELRO can be applied instead in this case.
117:
1.3 khorben 118: ## Problems with `PKGSRC_USE_SSP`
119:
120: ### Packages failing to build
121:
122: The stack-smashing protection provided by this option does not work for some
123: programs. The two most common situations in which this happens are:
124:
125: * the program makes use of the `alloca(3)` library call (memory allocator on the
126: stack)
127: * the program allocates variables on the stack, with the size determined at
128: run-time.
129:
130: Both cases will require a modification to the program, or disabling this feature
131: for part or all of the build.
132:
133: ### Run-time crashes
134:
1.4 khorben 135: Again, this feature may cause some programs to crash, usually indicating an
136: actual bug in the program. Patching the original program is then required.
1.3 khorben 137:
1.8 khorben 138: ### Performance impact
139:
140: The compiler emits extra code when using this feature: a check for buffer
141: overflows is performed when entering and exiting functions, requiring an extra
142: variable on the stack. The level of protection can otherwise be adjusted to
143: affect only those functions considered more sensitive by the compiler (with
144: `-fstack-protector` instead of `-fstack-protector-all`).
145:
146: The impact is not expected to be noticeable on modern hardware. However,
147: programs with a hard requirement to run at the fastest possible speed should
148: avoid using this feature, or using libraries built with this feature.
149:
1.5 khorben 150: # Auditing the system
151:
152: The illusion of security is worse than having no security at all. This section
153: lists a number of ways to ensure the security features requested are actually
154: effective.
155:
156: _These instructions were obtained and tested on a system derived from NetBSD 7
157: (amd64). YMMV._
158:
159: ## Checking for PIE
160:
161: The ELF executable type in use changes for binaries built as PIE; without:
162:
163: $ file /path/to/bin/ary
164: /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
165:
166: as opposed to the following binary, built as PIE:
167:
168: $ file /path/to/pie/bin/ary
169: /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
170:
171: The latter result is then what is expected.
172:
1.13 khorben 173: ## Checking for partial RELRO
1.5 khorben 174:
175: The following command should list a section called `RELRO`:
176:
177: $ objdump -p /path/to/bin/ary
178:
179: /path/to/bin/ary: file format elf64-x86-64
180:
181: Program Header:
182: [...]
183: RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
1.6 khorben 184:
1.17 khorben 185: This check is now performed automatically if `PKG_DEVELOPER` is set and `RELRO`
186: is enabled.
187:
1.13 khorben 188: ## Checking for full RELRO
189:
190: The dynamic loader will apply RELRO immediately when detecting the presence of
191: the `BIND_NOW` flag:
192:
193: $ objdump -x /path/to/bin/ary
194:
195: /path/to/bin/ary: file format elf64-x86-64
196:
197: Dynamic Section:
198: [...]
199: BIND_NOW 0x0000000000000000
200:
201: This has to be combined with partial RELRO (see above) to be fully efficient.
202:
1.6 khorben 203: ## Checking for SSP
204:
205: Building objects, binaries and libraries with SSP will affect the presence of
206: additional symbols in the resulting file:
207:
208: $ nm /path/to/bin/ary
209: [...]
210: U __stack_chk_fail
211: 0000000000600ea0 B __stack_chk_guard
212:
213: This is an indicator that the program was indeed built with support for SSP.
214:
1.10 khorben 215: # References
216:
217: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
218:
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb