File:  [NetBSD Developer Wiki] / wikisrc / pkgsrc / hardening.mdwn
Revision 1.14: download - view: text, annotated - select for diffs
Sun Jul 9 15:35:02 2017 UTC (4 years, 10 months ago) by khorben
Branches: MAIN
CVS tags: HEAD
Also mention PKGSRC_USE_STACK_CHECK

    1: [[!meta title="Hardening pkgsrc"]]
    2: 
    3: A number of mechanisms are available in [pkgsrc](http://www.pkgsrc.org/) to
    4: improve the security of the resulting system. They can be enabled individually
    5: in `mk.conf`, and consist of:
    6: 
    7: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
    8:   Executables) when supported on the current platform. This option is necessary
    9:   to fully leverage ASLR as a mitigation for security vulnerabilities.
   10: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
   11:   functions that do not bounds checking regularly - but could in some cases.
   12: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
   13:   vulnerabilities more difficult in some cases.
   14: * `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
   15:   platforms)
   16: * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
   17:   protection mitigation
   18: 
   19: # Caveats
   20: 
   21: ## Problems with `PKGSRC_MKPIE`
   22: 
   23: ### No support for cwrappers
   24: 
   25: As of the time of this article `PKGSRC_MKPIE` is not supported by
   26: `pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).
   27: 
   28: ### Packages failing to build
   29: 
   30: A number of packages may fail to build with this option enabled. The failures
   31: are often related to the absence of the "-fPIC" compilation flag when building
   32: libraries or executables (or ideally "-fPIE" in the latter case). This flag is
   33: added to the `CFLAGS` already, but requires the package to actually support it.
   34: 
   35: #### How to fix
   36: 
   37: These instructions are meant as a reference only; they likely need to be adapted
   38: for many packages individually.
   39: 
   40: For packages using `Makefiles`:
   41: 
   42:     MAKE_FLAGS+=	CFLAGS=${CFLAGS:Q}
   43:     MAKE_FLAGS+=	LDFLAGS=${LDFLAGS:Q}
   44: 
   45: For packages using `Imakefiles`:
   46: 
   47:     MAKE_FLAGS+=	CCOPTIONS=${CFLAGS:Q}
   48:     MAKE_FLAGS+=	LOCAL_LDFLAGS=${LDFLAGS:Q}
   49: 
   50: ### Run-time crashes
   51: 
   52: Some programs may fail to run, or crash at random times once built as PIE. Two
   53: scenarios are essentially possible:
   54: 
   55: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
   56: * bug in the implementation of ASLR/mprotect in the Operating System.
   57: 
   58: ## Problems with `PKGSRC_USE_FORTIFY`
   59: 
   60: ### Packages failing to build
   61: 
   62: This feature makes use of pre-processing directives to look for hardened,
   63: alternative implementations of essential library calls. Some programs may fail
   64: to build as a result; this usually happens for those trying too hard to be
   65: portable, or otherwise abusing definitions in the standard library.
   66: 
   67: This will require a modification to the program, or disabling this feature for
   68: part or all of the build.
   69: 
   70: ### Run-time crashes
   71: 
   72: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
   73: crash, usually indicating an actual bug in the program. The fix will typically
   74: involve patching the original program.
   75: 
   76: ## Problems with `PKGSRC_USE_RELRO`
   77: 
   78: ### Performance impact
   79: 
   80: For better protection, full RELRO requires every symbol to be resolved when the
   81: program starts, rather than simply when required at run-time. This will have
   82: more impact on programs using a lot of symbols, or linked to libraries exposing
   83: a lot of symbols. Therefore, daemons or programs otherwise running in
   84: background are affected only when started. Programs loading plug-ins at
   85: run-time are affected when loading the plug-ins.
   86: 
   87: The impact is not expected to be noticeable on modern hardware, except in some
   88: cases for big programs.
   89: 
   90: ### Run-time crashes
   91: 
   92: Some programs handle plug-ins and dependencies in a way that conflicts with
   93: RELRO: for instance, with an initialization routine listing any other plug-in
   94: required. With full RELRO, the missing symbols are resolved before the
   95: initialization routine can run, and the dynamic loader will not be able to find
   96: them directly and abort as a result. Unfortunately, this is how Xorg loads its
   97: drivers. Partial RELRO can be applied instead in this case.
   98: 
   99: ## Problems with `PKGSRC_USE_SSP`
  100: 
  101: ### Packages failing to build
  102: 
  103: The stack-smashing protection provided by this option does not work for some
  104: programs. The two most common situations in which this happens are:
  105: 
  106: * the program makes use of the `alloca(3)` library call (memory allocator on the
  107:   stack)
  108: * the program allocates variables on the stack, with the size determined at
  109:   run-time.
  110: 
  111: Both cases will require a modification to the program, or disabling this feature
  112: for part or all of the build.
  113: 
  114: ### Run-time crashes
  115: 
  116: Again, this feature may cause some programs to crash, usually indicating an
  117: actual bug in the program. Patching the original program is then required.
  118: 
  119: ### Performance impact
  120: 
  121: The compiler emits extra code when using this feature: a check for buffer
  122: overflows is performed when entering and exiting functions, requiring an extra
  123: variable on the stack. The level of protection can otherwise be adjusted to
  124: affect only those functions considered more sensitive by the compiler (with
  125: `-fstack-protector` instead of `-fstack-protector-all`).
  126: 
  127: The impact is not expected to be noticeable on modern hardware. However,
  128: programs with a hard requirement to run at the fastest possible speed should
  129: avoid using this feature, or using libraries built with this feature.
  130: 
  131: # Auditing the system
  132: 
  133: The illusion of security is worse than having no security at all. This section
  134: lists a number of ways to ensure the security features requested are actually
  135: effective.
  136: 
  137: _These instructions were obtained and tested on a system derived from NetBSD 7
  138: (amd64). YMMV._
  139: 
  140: ## Checking for PIE
  141: 
  142: The ELF executable type in use changes for binaries built as PIE; without:
  143: 
  144:     $ file /path/to/bin/ary
  145:     /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
  146: 
  147: as opposed to the following binary, built as PIE:
  148: 
  149:     $ file /path/to/pie/bin/ary
  150:     /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
  151: 
  152: The latter result is then what is expected.
  153: 
  154: ## Checking for partial RELRO
  155: 
  156: The following command should list a section called `RELRO`:
  157: 
  158:     $ objdump -p /path/to/bin/ary
  159: 
  160:     /path/to/bin/ary:     file format elf64-x86-64
  161: 
  162:     Program Header:
  163:     [...]
  164:        RELRO off    0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
  165: 
  166: ## Checking for full RELRO
  167: 
  168: The dynamic loader will apply RELRO immediately when detecting the presence of
  169: the `BIND_NOW` flag:
  170: 
  171:     $ objdump -x /path/to/bin/ary
  172: 
  173:     /path/to/bin/ary:     file format elf64-x86-64
  174: 
  175:     Dynamic Section:
  176:     [...]
  177:       BIND_NOW             0x0000000000000000
  178: 
  179: This has to be combined with partial RELRO (see above) to be fully efficient.
  180: 
  181: ## Checking for SSP
  182: 
  183: Building objects, binaries and libraries with SSP will affect the presence of
  184: additional symbols in the resulting file:
  185: 
  186:     $ nm /path/to/bin/ary
  187:     [...]
  188:                      U __stack_chk_fail
  189:     0000000000600ea0 B __stack_chk_guard
  190: 
  191: This is an indicator that the program was indeed built with support for SSP.
  192: 
  193: # References
  194: 
  195: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
  196: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb