File:  [NetBSD Developer Wiki] / wikisrc / pkgsrc / hardening.mdwn
Revision 1.15
Sun Jul 9 15:37:21 2017 UTC by khorben
Branches: MAIN
CVS tags: HEAD
Mention SSP and FORTIFY and now enabled by default

[[!meta title="Hardening pkgsrc"]]

A number of mechanisms are available in [pkgsrc](http://www.pkgsrc.org/) to
improve the security of the resulting system. They can be enabled individually
in `mk.conf`, and consist of:

* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
  Executables) when supported on the current platform. This option is necessary
  to fully leverage ASLR as a mitigation for security vulnerabilities.
* `PKGSRC_USE_FORTIFY`: substitutes wrappers for commonly used library
  functions that do not normally perform bounds checking, but can do so in some
  cases (now enabled by default).
* `PKGSRC_USE_RELRO`: makes the exploitation of some security vulnerabilities
  more difficult in some cases.
* `PKGSRC_USE_SSP`: enables stack-smashing protection on supported platforms
  (now enabled by default).
* `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
  protection mitigation.

# Caveats

## Problems with `PKGSRC_MKPIE`

### No support for cwrappers

At the time of writing, `PKGSRC_MKPIE` is not supported by
`pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).

### Packages failing to build

A number of packages may fail to build with this option enabled. The failures
are often related to the absence of the `-fPIC` compilation flag when building
libraries or executables (or ideally `-fPIE` in the latter case). The flag is
already added to `CFLAGS`, but the package's build system must actually honour
`CFLAGS` for it to take effect.

#### How to fix

These instructions are meant as a reference only; they will likely need to be
adapted for many packages individually.

For packages using `Makefiles`:

    MAKE_FLAGS+=	CFLAGS=${CFLAGS:Q}
    MAKE_FLAGS+=	LDFLAGS=${LDFLAGS:Q}

For packages using `Imakefiles`:

    MAKE_FLAGS+=	CCOPTIONS=${CFLAGS:Q}
    MAKE_FLAGS+=	LOCAL_LDFLAGS=${LDFLAGS:Q}

### Run-time crashes

Some programs may fail to run, or crash at random times, once built as PIE. Two
scenarios are possible:

* an actual bug in the crashing program, exposed by ASLR/mprotect;
* a bug in the implementation of ASLR/mprotect in the operating system.

## Problems with `PKGSRC_USE_FORTIFY`

### Packages failing to build

This feature makes use of pre-processing directives to substitute hardened,
alternative implementations of essential library calls. Some programs may fail
to build as a result; this usually happens for those trying too hard to be
portable, or otherwise abusing definitions in the standard library.

This will require a modification to the program, or disabling this feature for
part or all of the build.

### Run-time crashes

Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
crash, usually indicating an actual bug in the program. The fix will typically
involve patching the original program.

## Problems with `PKGSRC_USE_RELRO`

### Performance impact

For better protection, full RELRO requires every symbol to be resolved when the
program starts, rather than lazily when first used at run-time. The impact is
greater for programs using a lot of symbols, or linked to libraries exposing a
lot of symbols. Daemons, or programs otherwise running in the background, are
therefore only affected when started. Programs loading plug-ins at run-time are
affected when loading the plug-ins.

The impact is not expected to be noticeable on modern hardware, except in some
cases for big programs.

### Run-time crashes

Some programs handle plug-ins and dependencies in a way that conflicts with
RELRO: for instance, a plug-in whose initialization routine lists the other
plug-ins it requires. With full RELRO, all of the plug-in's symbols must be
resolved before its initialization routine can run, so the dynamic loader cannot
find the symbols provided by the not-yet-loaded plug-ins and aborts as a
result. Unfortunately, this is how Xorg loads its drivers. Partial RELRO can be
applied instead in this case.

## Problems with `PKGSRC_USE_SSP`

### Packages failing to build

The stack-smashing protection provided by this option does not work for some
programs. The two most common situations in which this happens are:

* the program makes use of the `alloca(3)` library call (memory allocation on
  the stack);
* the program allocates variables on the stack with a size determined at
  run-time.

Both cases will require a modification to the program, or disabling this feature
for part or all of the build.

### Run-time crashes

Again, this feature may cause some programs to crash, usually indicating an
actual bug in the program. Patching the original program is then required.

### Performance impact

The compiler emits extra code when using this feature: a check for buffer
overflows is performed when entering and exiting functions, requiring an extra
variable on the stack. The level of protection can otherwise be adjusted to
cover only those functions the compiler considers more sensitive (with
`-fstack-protector` instead of `-fstack-protector-all`).

The impact is not expected to be noticeable on modern hardware. However,
programs with a hard requirement to run at the fastest possible speed should
avoid using this feature, or linking against libraries built with it.
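
The prologue/epilogue check described above, modelled in plain C. This is an
added example, not code from the pkgsrc wiki or from any compiler: it writes by
hand what `-fstack-protector` makes the compiler emit, so that the "extra
variable on the stack" and the check on function exit can be seen and tested.
The names `model_stack_chk_guard`, `model_frame` and `model_handle_record` are
constructed for this example; the guard constant is a fixed stand-in for the
random value a real process receives at start-up, and the check returns a
status instead of aborting the way `__stack_chk_fail` does.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for __stack_chk_guard (constructed constant; a real process gets
 * a random value at start-up, which is what nm shows as a B symbol). */
static const unsigned long model_stack_chk_guard = 0x5bd1e995UL;

/* Outcome of the epilogue comparison the compiler inserts. */
enum ssp_result { SSP_INTACT = 0, SSP_SMASHED = 1 };

/* A model stack frame: the character buffer the function works on and the
 * extra guard variable (the "canary") that SSP places between local arrays
 * and the saved return address. A struct is used so the layout is defined by
 * the program; in a real frame the compiler chooses the placement. */
struct model_frame {
    char buf[16];
    unsigned long canary;
};

/* Copies `len` bytes of `input` into the frame's buffer with no bounds check,
 * which is the kind of bug SSP is meant to catch, then performs the epilogue
 * comparison. `len` is clamped to the whole frame so the model itself stays
 * well-defined even when the copy runs past buf and onto the canary. */
enum ssp_result model_handle_record(const char *input, size_t len)
{
    struct model_frame frame;

    /* prologue: load the guard into the canary slot */
    frame.canary = model_stack_chk_guard;

    if (len > sizeof frame)
        len = sizeof frame;
    /* the unchecked copy; anything past 16 bytes lands on the canary */
    memcpy(&frame, input, len);

    /* epilogue: compare the canary against the guard before returning;
     * real SSP calls __stack_chk_fail() here instead of returning a status */
    return frame.canary == model_stack_chk_guard ? SSP_INTACT : SSP_SMASHED;
}

/* Constructed inputs showing both outcomes. */
int model_well_formed_record(void)
{
    static const char rec[16] = "0123456789abcde";            /* fits in buf */
    return model_handle_record(rec, sizeof rec) == SSP_INTACT;
}

int model_overlong_record(void)
{
    static const char rec[32] = "0123456789abcdefghijklmnopqrstu"; /* overruns buf */
    return model_handle_record(rec, sizeof rec) == SSP_SMASHED;
}
```

A function like `model_handle_record`, which declares a character array, is one
the heuristic behind `-fstack-protector` instruments anyway (GCC's default
threshold is arrays of 8 bytes or more), so the difference between
`-fstack-protector` and `-fstack-protector-all` only shows up for functions
without such buffers.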

# Auditing the system

The illusion of security is worse than having no security at all. This section
lists a number of ways to ensure the security features requested are actually
effective.

_These instructions were obtained and tested on a system derived from NetBSD 7
(amd64). YMMV._

## Checking for PIE

The ELF type reported by `file` differs for binaries built as PIE. A binary
built without PIE is reported as an executable:

    $ file /path/to/bin/ary
    /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped

as opposed to the following binary, built as PIE:

    $ file /path/to/pie/bin/ary
    /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped

The latter is the expected result when PIE is enabled.

## Checking for partial RELRO

The following command should list a program header called `RELRO`:

    $ objdump -p /path/to/bin/ary

    /path/to/bin/ary:     file format elf64-x86-64

    Program Header:
    [...]
       RELRO off    0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0

## Checking for full RELRO

The dynamic loader will apply RELRO immediately when it detects the presence of
the `BIND_NOW` flag:

    $ objdump -x /path/to/bin/ary

    /path/to/bin/ary:     file format elf64-x86-64

    Dynamic Section:
    [...]
      BIND_NOW             0x0000000000000000

This has to be combined with partial RELRO (see above) to be fully effective.

## Checking for SSP

Building objects, binaries and libraries with SSP adds symbols to the
resulting file:

    $ nm /path/to/bin/ary
    [...]
                     U __stack_chk_fail
    0000000000600ea0 B __stack_chk_guard

This is an indicator that the program was indeed built with support for SSP.
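
The four checks above combined into one script. This is an added example, not
something from the wiki page or from pkgsrc: the `classify_*` functions and
`audit_binary` are constructed names, and the script assumes `file`,
`objdump` and `nm` print output of the shape shown in the sections above. Each
`classify_*` function takes the text output of one tool and prints `yes` or
`no`, so the parsing can be exercised on saved output, while `audit_binary`
runs the tools against a real file.

```sh
#!/bin/sh
# Added example (not from the pkgsrc wiki): one script for the PIE, partial
# RELRO, full RELRO and SSP checks. Function names are constructed.

# PIE: file(1) reports a PIE as "shared object" instead of "executable".
classify_pie() {
    case "$1" in
        *"ELF "*"shared object"*) echo yes ;;
        *) echo no ;;
    esac
}

# Partial RELRO: objdump -p lists a RELRO entry among the program headers.
classify_partial_relro() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*RELRO[[:space:]]'; then
        echo yes
    else
        echo no
    fi
}

# Full RELRO: the dynamic section carries BIND_NOW, which makes the loader
# resolve every symbol at start-up (only meaningful together with partial RELRO).
classify_full_relro() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*BIND_NOW[[:space:]]'; then
        echo yes
    else
        echo no
    fi
}

# SSP: an SSP-built file references __stack_chk_fail and/or __stack_chk_guard.
classify_ssp() {
    if printf '%s\n' "$1" | grep -Eq '__stack_chk_(fail|guard)'; then
        echo yes
    else
        echo no
    fi
}

# Run the tools against one binary and print a one-line summary.
audit_binary() {
    bin=$1
    [ -r "$bin" ] || { echo "audit_binary: cannot read $bin" >&2; return 1; }
    pie=$(classify_pie "$(file "$bin")")
    prelro=$(classify_partial_relro "$(objdump -p "$bin" 2>/dev/null)")
    frelro=$(classify_full_relro "$(objdump -x "$bin" 2>/dev/null)")
    ssp=$(classify_ssp "$(nm "$bin" 2>/dev/null)")
    printf '%s: PIE=%s partial-RELRO=%s full-RELRO=%s SSP=%s\n' \
        "$bin" "$pie" "$prelro" "$frelro" "$ssp"
}

# Usage: sh audit_hardening.sh /path/to/bin/ary [...]
for b in "$@"; do
    audit_binary "$b"
done
```

Two caveats when reading the summary. A stripped binary has no regular symbol
table, so plain `nm` prints nothing for it; `nm -D` lists the dynamic symbol
table, where the undefined `__stack_chk_fail` reference still appears. And a
toolchain may record the bind-now request only in the `FLAGS`/`FLAGS_1` dynamic
entries, which `objdump` prints as raw hex; `readelf -d`, which decodes those
flags, is a useful cross-check before concluding that full RELRO is absent.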

# References

* <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>

