Annotation of wikisrc/pkgsrc/hardening.mdwn, revision 1.36
1.1 khorben 1: [[!meta title="Hardening pkgsrc"]]
2:
1.22 gdt 3: A number of mechanisms are available in
4: [pkgsrc](https://www.pkgsrc.org/) to improve the security of the
5: resulting system. This page describes the mechanisms, and gives hints
6: about detecting and fixing problems.
7:
8: # Mechanisms
9:
10: Mechanisms can be enabled individually in `mk.conf`, and are
1.27 khorben 11: individually described below. They are sorted by whether they are
1.26 khorben 12: enabled by default, and then by their ordering in `mk/defaults/mk.conf`.
1.22 gdt 13:
1.24 gdt 14: Typically, a feature will cause some programs to fail to build or work
1.25 khorben 15: when first enabled. This can be due to latent problems in the
16: program, and can be due to other reasons. After enough testing to
1.24 gdt 17: have confidence that user problems will be quite rare, individual
18: mechanisms will be enabled by default.
19:
20: For each mechanism, see the Caveats section below for an explanation
21: of what might go wrong at compile time and at run time, and how to
22: notice and address these problems.
1.23 gdt 23:
1.22 gdt 24: ## Enabled by default in the stable branch
1.1 khorben 25:
1.23 gdt 26: ### PKGSRC_USE_FORTIFY
27:
28: This allows substitute wrappers to be used for some commonly used
29: library functions that do not have built-in bounds checking - but
30: could in some cases.
31:
1.25 khorben 32: TODO: Explain FORTIFY_SOURCE 1 vs 2, and which is used. Give a link
33: to a good explanation of the technique. Explain if this is gcc specific.
1.23 gdt 34:
35: It has been enabled by default since pkgsrc-2017Q3.
36:
37: ### PKGSRC_USE_SSP
1.22 gdt 38:
1.29 khorben 39: This enables a stack-smashing protection mitigation. It is done by adding a
40: guard variable to functions with vulnerable objects. The guards are initialized
41: when a function is entered and then checked when the function exits. The guard
42: check will fail and the program forcibly exited if the variable was modified in
43: the meantime. This can happen in case of buffer overflows or memory corruption,
44: and therefore exposing these bugs.
45:
1.30 khorben 46: Different mitigation levels are available:
1.34 khorben 47:
1.30 khorben 48: * the default ("yes"), which will only protect functions considered vulnerable
49: by the compiler;
50: * "all", which will protect every function;
51: * "strong", which will apply a better balance between the two settings above.
52:
1.29 khorben 53: This mitigation is supported by both GCC and clang. It may be supported in
54: additional compilers, possibly under a different name. It is particularly useful
55: for unsafe programming languages, such as C/C++.
1.23 gdt 56:
1.29 khorben 57: It is enabled by default where known supported since pkgsrc-2017Q3.
1.23 gdt 58:
1.33 khorben 59: More details can be found here:
1.34 khorben 60:
1.29 khorben 61: * <https://en.wikipedia.org/wiki/Buffer_overflow_protection>
1.22 gdt 62:
63: ## Enabled by default in pkgsrc HEAD
64:
65: ## Not enabled by default
66:
1.23 gdt 67: ### PKGSRC_MKPIE
68:
1.36 ! khorben 69: This requests the creation of PIE (Position Independent Executables) for all
! 70: executables. The PIE mechanism is normally used for shared libraries so that
! 71: they can be loaded at differing addresses at runtime. PIE itself does not have
! 72: useful security properties. However, some operating systems support Address
! 73: Space Layout Randomization (ASLR), which causes different addresses to be used
! 74: each time a program is run. This makes it more difficult for an attacker to
! 75: guess addresses and thus makes exploits harder to construct.
1.23 gdt 76:
1.31 khorben 77: PIE executables will only be built for toolchains that are known to support PIE.
78: Currently, this means NetBSD on amd64 and i386.
1.23 gdt 79:
80: ### PKGSRC_USE_RELRO
81:
82: This also makes the exploitation of some security vulnerabilities more
83: difficult in some cases.
1.22 gdt 84:
1.33 khorben 85: Two different mitigation levels are available:
1.34 khorben 86:
1.33 khorben 87: * partial: the ELF sections are reordered so that internal data sections
88: precede the program's own data sections, and non-PLT GOT is read-only;
89: * full: in addition to partial RELRO, every relocation is performed immediately
90: when starting the program (with a slight performance impact), allowing the
91: entire GOT to be read-only.
1.24 gdt 92:
1.33 khorben 93: This is currently supported by GCC. Many software distributions now enable this
94: feature by default, at the "partial" level.
1.24 gdt 95:
1.33 khorben 96: More details can be found here:
1.34 khorben 97:
1.33 khorben 98: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
1.24 gdt 99:
1.23 gdt 100: ### PKGSRC_USE_STACK_CHECK
1.22 gdt 101:
1.32 khorben 102: This uses `-fstack-check` with GCC for another stack protection mitigation.
103:
104: It asks the compiler to generate code verifying that it does not corrupt the
105: stack. According to GCC's manual page, this is really only useful for
106: multi-threaded programs.
1.1 khorben 107:
1.2 khorben 108: # Caveats
109:
110: ## Problems with `PKGSRC_MKPIE`
111:
1.19 khorben 112: ### Recent support for cwrappers
1.2 khorben 113:
1.19 khorben 114: `PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3
115: release on (`USE_CWRAPPERS` in `mk.conf`).
1.2 khorben 116:
117: ### Packages failing to build
118:
119: A number of packages may fail to build with this option enabled. The failures
1.18 khorben 120: are often related to the absence of the `-fPIC` compilation flag when building
121: libraries or executables (or ideally `-fPIE` in the latter case). This flag is
1.2 khorben 122: added to the `CFLAGS` already, but requires the package to actually support it.
123:
124: #### How to fix
125:
126: These instructions are meant as a reference only; they likely need to be adapted
127: for many packages individually.
128:
129: For packages using `Makefiles`:
130:
131: MAKE_FLAGS+= CFLAGS=${CFLAGS:Q}
132: MAKE_FLAGS+= LDFLAGS=${LDFLAGS:Q}
133:
134: For packages using `Imakefiles`:
135:
136: MAKE_FLAGS+= CCOPTIONS=${CFLAGS:Q}
137: MAKE_FLAGS+= LOCAL_LDFLAGS=${LDFLAGS:Q}
138:
139: ### Run-time crashes
140:
141: Some programs may fail to run, or crash at random times once built as PIE. Two
142: scenarios are essentially possible:
143:
144: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
145: * bug in the implementation of ASLR/mprotect in the Operating System.
146:
1.4 khorben 147: ## Problems with `PKGSRC_USE_FORTIFY`
148:
149: ### Packages failing to build
150:
151: This feature makes use of pre-processing directives to look for hardened,
152: alternative implementations of essential library calls. Some programs may fail
153: to build as a result; this usually happens for those trying too hard to be
154: portable, or otherwise abusing definitions in the standard library.
155:
156: This will require a modification to the program, or disabling this feature for
157: part or all of the build.
158:
159: ### Run-time crashes
160:
161: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
162: crash, usually indicating an actual bug in the program. The fix will typically
163: involve patching the original program.
164:
1.28 khorben 165: ### Optimization is required
166:
167: At least in the case of GCC, FORTIFY will only be applied if optimization is
168: applied while compiling. This means that the CFLAGS should also contain -O, -O2
169: or another optimization level. This cannot easily be applied globally, as some
170: packages may require specific optimization levels.
171:
1.7 khorben 172: ## Problems with `PKGSRC_USE_RELRO`
173:
174: ### Performance impact
175:
176: For better protection, full RELRO requires every symbol to be resolved when the
1.11 khorben 177: program starts, rather than simply when required at run-time. This will have
178: more impact on programs using a lot of symbols, or linked to libraries exposing
179: a lot of symbols. Therefore, daemons or programs otherwise running in
180: background are affected only when started. Programs loading plug-ins at
181: run-time are affected when loading the plug-ins.
1.7 khorben 182:
183: The impact is not expected to be noticeable on modern hardware, except in some
184: cases for big programs.
185:
1.12 khorben 186: ### Run-time crashes
187:
188: Some programs handle plug-ins and dependencies in a way that conflicts with
189: RELRO: for instance, with an initialization routine listing any other plug-in
190: required. With full RELRO, the missing symbols are resolved before the
191: initialization routine can run, and the dynamic loader will not be able to find
192: them directly and abort as a result. Unfortunately, this is how Xorg loads its
193: drivers. Partial RELRO can be applied instead in this case.
194:
1.3 khorben 195: ## Problems with `PKGSRC_USE_SSP`
196:
197: ### Packages failing to build
198:
199: The stack-smashing protection provided by this option does not work for some
200: programs. The two most common situations in which this happens are:
201:
202: * the program makes use of the `alloca(3)` library call (memory allocator on the
203: stack)
204: * the program allocates variables on the stack, with the size determined at
205: run-time.
206:
207: Both cases will require a modification to the program, or disabling this feature
208: for part or all of the build.
209:
210: ### Run-time crashes
211:
1.4 khorben 212: Again, this feature may cause some programs to crash, usually indicating an
213: actual bug in the program. Patching the original program is then required.
1.3 khorben 214:
1.8 khorben 215: ### Performance impact
216:
217: The compiler emits extra code when using this feature: a check for buffer
218: overflows is performed when entering and exiting functions, requiring an extra
219: variable on the stack. The level of protection can otherwise be adjusted to
220: affect only those functions considered more sensitive by the compiler (with
221: `-fstack-protector` instead of `-fstack-protector-all`).
222:
223: The impact is not expected to be noticeable on modern hardware. However,
224: programs with a hard requirement to run at the fastest possible speed should
225: avoid using this feature, or using libraries built with this feature.
226:
1.5 khorben 227: # Auditing the system
228:
229: The illusion of security is worse than having no security at all. This section
230: lists a number of ways to ensure the security features requested are actually
231: effective.
232:
233: _These instructions were obtained and tested on a system derived from NetBSD 7
234: (amd64). YMMV._
235:
236: ## Checking for PIE
237:
238: The ELF executable type in use changes for binaries built as PIE; without:
239:
240: $ file /path/to/bin/ary
241: /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
242:
243: as opposed to the following binary, built as PIE:
244:
245: $ file /path/to/pie/bin/ary
246: /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
247:
248: The latter result is then what is expected.
249:
1.13 khorben 250: ## Checking for partial RELRO
1.5 khorben 251:
252: The following command should list a section called `RELRO`:
253:
254: $ objdump -p /path/to/bin/ary
255:
256: /path/to/bin/ary: file format elf64-x86-64
257:
258: Program Header:
259: [...]
260: RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
1.6 khorben 261:
1.17 khorben 262: This check is now performed automatically if `PKG_DEVELOPER` is set and `RELRO`
263: is enabled.
264:
1.13 khorben 265: ## Checking for full RELRO
266:
267: The dynamic loader will apply RELRO immediately when detecting the presence of
268: the `BIND_NOW` flag:
269:
270: $ objdump -x /path/to/bin/ary
271:
272: /path/to/bin/ary: file format elf64-x86-64
273:
274: Dynamic Section:
275: [...]
276: BIND_NOW 0x0000000000000000
277:
278: This has to be combined with partial RELRO (see above) to be fully efficient.
279:
1.6 khorben 280: ## Checking for SSP
281:
282: Building objects, binaries and libraries with SSP will affect the presence of
283: additional symbols in the resulting file:
284:
285: $ nm /path/to/bin/ary
286: [...]
287: U __stack_chk_fail
288: 0000000000600ea0 B __stack_chk_guard
289:
290: This is an indicator that the program was indeed built with support for SSP.
1.35 khorben 291:
292: This check is now performed automatically (where supported) if `PKG_DEVELOPER`
293: is set and `SSP` is enabled.
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb