Annotation of wikisrc/pkgsrc/hardening.mdwn, revision 1.22

1.1       khorben     1: [[!meta title="Hardening pkgsrc"]]
                      2: 
1.22    ! gdt         3: A number of mechanisms are available in
        !             4: [pkgsrc](https://www.pkgsrc.org/) to improve the security of the
        !             5: resulting system. This page describes the mechanisms, and gives hints
        !             6: about detecting and fixing problems.
        !             7: 
        !             8: # Mechanisms
        !             9: 
        !            10: Mechanisms can be enabled individually in `mk.conf`, and are
        !            11: individually described below.  They are sorted by whether thery are
        !            12: enabled by default, and then by their ordering in mk/defaults/mk.conf.
        !            13: 
        !            14: ## Enabled by default in the stable branch
1.1       khorben    15: 
                     16: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
1.21      leot       17:   functions that do not bounds checking regularly - but could in some cases
                     18:   (enabled by default since pkgsrc-2017Q3)
1.22    ! gdt        19: 
        !            20: * 'PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled
        !            21:   by default where known supported since pkgsrc-2017Q3)
        !            22: 
        !            23: ## Enabled by default in pkgsrc HEAD
        !            24: 
        !            25: ## Not enabled by default
        !            26: 
        !            27: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
        !            28:   Executables) when supported on the current platform.  With PIE
        !            29:   executables, a platform that supports ASLR will be able to randomize
        !            30:   the process layout.
        !            31: 
1.1       khorben    32: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
                     33:   vulnerabilities more difficult in some cases.
1.22    ! gdt        34: 
1.14      khorben    35: * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
1.16      khorben    36:   protection mitigation.
1.1       khorben    37: 
1.2       khorben    38: # Caveats
                     39: 
                     40: ## Problems with `PKGSRC_MKPIE`
                     41: 
1.19      khorben    42: ### Recent support for cwrappers
1.2       khorben    43: 
1.19      khorben    44: `PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3
                     45: release on (`USE_CWRAPPERS` in `mk.conf`).
1.2       khorben    46: 
                     47: ### Packages failing to build
                     48: 
                     49: A number of packages may fail to build with this option enabled. The failures
1.18      khorben    50: are often related to the absence of the `-fPIC` compilation flag when building
                     51: libraries or executables (or ideally `-fPIE` in the latter case). This flag is
1.2       khorben    52: added to the `CFLAGS` already, but requires the package to actually support it.
                     53: 
                     54: #### How to fix
                     55: 
                     56: These instructions are meant as a reference only; they likely need to be adapted
                     57: for many packages individually.
                     58: 
                     59: For packages using `Makefiles`:
                     60: 
                     61:     MAKE_FLAGS+=       CFLAGS=${CFLAGS:Q}
                     62:     MAKE_FLAGS+=       LDFLAGS=${LDFLAGS:Q}
                     63: 
                     64: For packages using `Imakefiles`:
                     65: 
                     66:     MAKE_FLAGS+=       CCOPTIONS=${CFLAGS:Q}
                     67:     MAKE_FLAGS+=       LOCAL_LDFLAGS=${LDFLAGS:Q}
                     68: 
                     69: ### Run-time crashes
                     70: 
                     71: Some programs may fail to run, or crash at random times once built as PIE. Two
                     72: scenarios are essentially possible:
                     73: 
                     74: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
                     75: * bug in the implementation of ASLR/mprotect in the Operating System.
                     76: 
1.4       khorben    77: ## Problems with `PKGSRC_USE_FORTIFY`
                     78: 
                     79: ### Packages failing to build
                     80: 
                     81: This feature makes use of pre-processing directives to look for hardened,
                     82: alternative implementations of essential library calls. Some programs may fail
                     83: to build as a result; this usually happens for those trying too hard to be
                     84: portable, or otherwise abusing definitions in the standard library.
                     85: 
                     86: This will require a modification to the program, or disabling this feature for
                     87: part or all of the build.
                     88: 
                     89: ### Run-time crashes
                     90: 
                     91: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
                     92: crash, usually indicating an actual bug in the program. The fix will typically
                     93: involve patching the original program.
                     94: 
1.7       khorben    95: ## Problems with `PKGSRC_USE_RELRO`
                     96: 
                     97: ### Performance impact
                     98: 
                     99: For better protection, full RELRO requires every symbol to be resolved when the
1.11      khorben   100: program starts, rather than simply when required at run-time. This will have
                    101: more impact on programs using a lot of symbols, or linked to libraries exposing
                    102: a lot of symbols. Therefore, daemons or programs otherwise running in
                    103: background are affected only when started. Programs loading plug-ins at
                    104: run-time are affected when loading the plug-ins.
1.7       khorben   105: 
                    106: The impact is not expected to be noticeable on modern hardware, except in some
                    107: cases for big programs.
                    108: 
1.12      khorben   109: ### Run-time crashes
                    110: 
                    111: Some programs handle plug-ins and dependencies in a way that conflicts with
                    112: RELRO: for instance, with an initialization routine listing any other plug-in
                    113: required. With full RELRO, the missing symbols are resolved before the
                    114: initialization routine can run, and the dynamic loader will not be able to find
                    115: them directly and abort as a result. Unfortunately, this is how Xorg loads its
                    116: drivers. Partial RELRO can be applied instead in this case.
                    117: 
1.3       khorben   118: ## Problems with `PKGSRC_USE_SSP`
                    119: 
                    120: ### Packages failing to build
                    121: 
                    122: The stack-smashing protection provided by this option does not work for some
                    123: programs. The two most common situations in which this happens are:
                    124: 
                    125: * the program makes use of the `alloca(3)` library call (memory allocator on the
                    126:   stack)
                    127: * the program allocates variables on the stack, with the size determined at
                    128:   run-time.
                    129: 
                    130: Both cases will require a modification to the program, or disabling this feature
                    131: for part or all of the build.
                    132: 
                    133: ### Run-time crashes
                    134: 
1.4       khorben   135: Again, this feature may cause some programs to crash, usually indicating an
                    136: actual bug in the program. Patching the original program is then required.
1.3       khorben   137: 
1.8       khorben   138: ### Performance impact
                    139: 
                    140: The compiler emits extra code when using this feature: a check for buffer
                    141: overflows is performed when entering and exiting functions, requiring an extra
                    142: variable on the stack. The level of protection can otherwise be adjusted to
                    143: affect only those functions considered more sensitive by the compiler (with
                    144: `-fstack-protector` instead of `-fstack-protector-all`).
                    145: 
                    146: The impact is not expected to be noticeable on modern hardware. However,
                    147: programs with a hard requirement to run at the fastest possible speed should
                    148: avoid using this feature, or using libraries built with this feature.
                    149: 
1.5       khorben   150: # Auditing the system
                    151: 
                    152: The illusion of security is worse than having no security at all. This section
                    153: lists a number of ways to ensure the security features requested are actually
                    154: effective.
                    155: 
                    156: _These instructions were obtained and tested on a system derived from NetBSD 7
                    157: (amd64). YMMV._
                    158: 
                    159: ## Checking for PIE
                    160: 
                    161: The ELF executable type in use changes for binaries built as PIE; without:
                    162: 
                    163:     $ file /path/to/bin/ary
                    164:     /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
                    165: 
                    166: as opposed to the following binary, built as PIE:
                    167: 
                    168:     $ file /path/to/pie/bin/ary
                    169:     /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
                    170: 
                    171: The latter result is then what is expected.
                    172: 
1.13      khorben   173: ## Checking for partial RELRO
1.5       khorben   174: 
                    175: The following command should list a section called `RELRO`:
                    176: 
                    177:     $ objdump -p /path/to/bin/ary
                    178: 
                    179:     /path/to/bin/ary:     file format elf64-x86-64
                    180: 
                    181:     Program Header:
                    182:     [...]
                    183:        RELRO off    0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
1.6       khorben   184: 
1.17      khorben   185: This check is now performed automatically if `PKG_DEVELOPER` is set and `RELRO`
                    186: is enabled.
                    187: 
1.13      khorben   188: ## Checking for full RELRO
                    189: 
                    190: The dynamic loader will apply RELRO immediately when detecting the presence of
                    191: the `BIND_NOW` flag:
                    192: 
                    193:     $ objdump -x /path/to/bin/ary
                    194: 
                    195:     /path/to/bin/ary:     file format elf64-x86-64
                    196: 
                    197:     Dynamic Section:
                    198:     [...]
                    199:       BIND_NOW             0x0000000000000000
                    200: 
                    201: This has to be combined with partial RELRO (see above) to be fully efficient.
                    202: 
1.6       khorben   203: ## Checking for SSP
                    204: 
                    205: Building objects, binaries and libraries with SSP will affect the presence of
                    206: additional symbols in the resulting file:
                    207: 
                    208:     $ nm /path/to/bin/ary
                    209:     [...]
                    210:                      U __stack_chk_fail
                    211:     0000000000600ea0 B __stack_chk_guard
                    212: 
                    213: This is an indicator that the program was indeed built with support for SSP.
                    214: 
1.10      khorben   215: # References
                    216: 
                    217: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
                    218: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb