1: [[!meta title="Hardening pkgsrc"]]
2:
3: A number of mechanisms are available in [pkgsrc](http://www.pkgsrc.org/) to
4: improve the security of the resulting system. They can be enabled individually
5: in `mk.conf`, and consist of:
6:
7: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
8: Executables) when supported on the current platform. This option is necessary
9: to fully leverage ASLR as a mitigation for security vulnerabilities.
10: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
11: functions that do not bounds checking regularly - but could in some cases.
12: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
13: vulnerabilities more difficult in some cases.
14: * `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
15: platforms)
16: * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
17: protection mitigation
18:
19: # Caveats
20:
21: ## Problems with `PKGSRC_MKPIE`
22:
23: ### No support for cwrappers
24:
25: As of the time of this article `PKGSRC_MKPIE` is not supported by
26: `pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).
27:
28: ### Packages failing to build
29:
30: A number of packages may fail to build with this option enabled. The failures
31: are often related to the absence of the "-fPIC" compilation flag when building
32: libraries or executables (or ideally "-fPIE" in the latter case). This flag is
33: added to the `CFLAGS` already, but requires the package to actually support it.
34:
35: #### How to fix
36:
37: These instructions are meant as a reference only; they likely need to be adapted
38: for many packages individually.
39:
40: For packages using `Makefiles`:
41:
42: MAKE_FLAGS+= CFLAGS=${CFLAGS:Q}
43: MAKE_FLAGS+= LDFLAGS=${LDFLAGS:Q}
44:
45: For packages using `Imakefiles`:
46:
47: MAKE_FLAGS+= CCOPTIONS=${CFLAGS:Q}
48: MAKE_FLAGS+= LOCAL_LDFLAGS=${LDFLAGS:Q}
49:
50: ### Run-time crashes
51:
52: Some programs may fail to run, or crash at random times once built as PIE. Two
53: scenarios are essentially possible:
54:
55: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
56: * bug in the implementation of ASLR/mprotect in the Operating System.
57:
58: ## Problems with `PKGSRC_USE_FORTIFY`
59:
60: ### Packages failing to build
61:
62: This feature makes use of pre-processing directives to look for hardened,
63: alternative implementations of essential library calls. Some programs may fail
64: to build as a result; this usually happens for those trying too hard to be
65: portable, or otherwise abusing definitions in the standard library.
66:
67: This will require a modification to the program, or disabling this feature for
68: part or all of the build.
69:
70: ### Run-time crashes
71:
72: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
73: crash, usually indicating an actual bug in the program. The fix will typically
74: involve patching the original program.
75:
76: ## Problems with `PKGSRC_USE_RELRO`
77:
78: ### Performance impact
79:
80: For better protection, full RELRO requires every symbol to be resolved when the
81: program starts, rather than simply when required at run-time. This will have
82: more impact on programs using a lot of symbols, or linked to libraries exposing
83: a lot of symbols. Therefore, daemons or programs otherwise running in
84: background are affected only when started. Programs loading plug-ins at
85: run-time are affected when loading the plug-ins.
86:
87: The impact is not expected to be noticeable on modern hardware, except in some
88: cases for big programs.
89:
90: ### Run-time crashes
91:
92: Some programs handle plug-ins and dependencies in a way that conflicts with
93: RELRO: for instance, with an initialization routine listing any other plug-in
94: required. With full RELRO, the missing symbols are resolved before the
95: initialization routine can run, and the dynamic loader will not be able to find
96: them directly and abort as a result. Unfortunately, this is how Xorg loads its
97: drivers. Partial RELRO can be applied instead in this case.
98:
99: ## Problems with `PKGSRC_USE_SSP`
100:
101: ### Packages failing to build
102:
103: The stack-smashing protection provided by this option does not work for some
104: programs. The two most common situations in which this happens are:
105:
106: * the program makes use of the `alloca(3)` library call (memory allocator on the
107: stack)
108: * the program allocates variables on the stack, with the size determined at
109: run-time.
110:
111: Both cases will require a modification to the program, or disabling this feature
112: for part or all of the build.
113:
114: ### Run-time crashes
115:
116: Again, this feature may cause some programs to crash, usually indicating an
117: actual bug in the program. Patching the original program is then required.
118:
119: ### Performance impact
120:
121: The compiler emits extra code when using this feature: a check for buffer
122: overflows is performed when entering and exiting functions, requiring an extra
123: variable on the stack. The level of protection can otherwise be adjusted to
124: affect only those functions considered more sensitive by the compiler (with
125: `-fstack-protector` instead of `-fstack-protector-all`).
126:
127: The impact is not expected to be noticeable on modern hardware. However,
128: programs with a hard requirement to run at the fastest possible speed should
129: avoid using this feature, or using libraries built with this feature.
130:
131: # Auditing the system
132:
133: The illusion of security is worse than having no security at all. This section
134: lists a number of ways to ensure the security features requested are actually
135: effective.
136:
137: _These instructions were obtained and tested on a system derived from NetBSD 7
138: (amd64). YMMV._
139:
140: ## Checking for PIE
141:
142: The ELF executable type in use changes for binaries built as PIE; without:
143:
144: $ file /path/to/bin/ary
145: /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
146:
147: as opposed to the following binary, built as PIE:
148:
149: $ file /path/to/pie/bin/ary
150: /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
151:
152: The latter result is then what is expected.
153:
154: ## Checking for partial RELRO
155:
156: The following command should list a section called `RELRO`:
157:
158: $ objdump -p /path/to/bin/ary
159:
160: /path/to/bin/ary: file format elf64-x86-64
161:
162: Program Header:
163: [...]
164: RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
165:
166: ## Checking for full RELRO
167:
168: The dynamic loader will apply RELRO immediately when detecting the presence of
169: the `BIND_NOW` flag:
170:
171: $ objdump -x /path/to/bin/ary
172:
173: /path/to/bin/ary: file format elf64-x86-64
174:
175: Dynamic Section:
176: [...]
177: BIND_NOW 0x0000000000000000
178:
179: This has to be combined with partial RELRO (see above) to be fully efficient.
180:
181: ## Checking for SSP
182:
183: Building objects, binaries and libraries with SSP will affect the presence of
184: additional symbols in the resulting file:
185:
186: $ nm /path/to/bin/ary
187: [...]
188: U __stack_chk_fail
189: 0000000000600ea0 B __stack_chk_guard
190:
191: This is an indicator that the program was indeed built with support for SSP.
192:
193: # References
194:
195: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
196:
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc