File:  [NetBSD Developer Wiki] / wikisrc / pkgsrc / hardening.mdwn
Revision 1.22: download - view: text, annotated - select for diffs
Sun Nov 5 23:07:27 2017 UTC (4 years, 6 months ago) by gdt
Branches: MAIN
CVS tags: HEAD
Explain a bit more

    1: [[!meta title="Hardening pkgsrc"]]
    2: 
    3: A number of mechanisms are available in
    4: [pkgsrc](https://www.pkgsrc.org/) to improve the security of the
    5: resulting system. This page describes the mechanisms, and gives hints
    6: about detecting and fixing problems.
    7: 
    8: # Mechanisms
    9: 
   10: Mechanisms can be enabled individually in `mk.conf`, and are
   11: individually described below.  They are sorted by whether thery are
   12: enabled by default, and then by their ordering in mk/defaults/mk.conf.
   13: 
   14: ## Enabled by default in the stable branch
   15: 
   16: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
   17:   functions that do not bounds checking regularly - but could in some cases
   18:   (enabled by default since pkgsrc-2017Q3)
   19: 
   20: * 'PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled
   21:   by default where known supported since pkgsrc-2017Q3)
   22: 
   23: ## Enabled by default in pkgsrc HEAD
   24: 
   25: ## Not enabled by default
   26: 
   27: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
   28:   Executables) when supported on the current platform.  With PIE
   29:   executables, a platform that supports ASLR will be able to randomize
   30:   the process layout.
   31: 
   32: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
   33:   vulnerabilities more difficult in some cases.
   34: 
   35: * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
   36:   protection mitigation.
   37: 
   38: # Caveats
   39: 
   40: ## Problems with `PKGSRC_MKPIE`
   41: 
   42: ### Recent support for cwrappers
   43: 
   44: `PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3
   45: release on (`USE_CWRAPPERS` in `mk.conf`).
   46: 
   47: ### Packages failing to build
   48: 
   49: A number of packages may fail to build with this option enabled. The failures
   50: are often related to the absence of the `-fPIC` compilation flag when building
   51: libraries or executables (or ideally `-fPIE` in the latter case). This flag is
   52: added to the `CFLAGS` already, but requires the package to actually support it.
   53: 
   54: #### How to fix
   55: 
   56: These instructions are meant as a reference only; they likely need to be adapted
   57: for many packages individually.
   58: 
   59: For packages using `Makefiles`:
   60: 
   61:     MAKE_FLAGS+=	CFLAGS=${CFLAGS:Q}
   62:     MAKE_FLAGS+=	LDFLAGS=${LDFLAGS:Q}
   63: 
   64: For packages using `Imakefiles`:
   65: 
   66:     MAKE_FLAGS+=	CCOPTIONS=${CFLAGS:Q}
   67:     MAKE_FLAGS+=	LOCAL_LDFLAGS=${LDFLAGS:Q}
   68: 
   69: ### Run-time crashes
   70: 
   71: Some programs may fail to run, or crash at random times once built as PIE. Two
   72: scenarios are essentially possible:
   73: 
   74: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
   75: * bug in the implementation of ASLR/mprotect in the Operating System.
   76: 
   77: ## Problems with `PKGSRC_USE_FORTIFY`
   78: 
   79: ### Packages failing to build
   80: 
   81: This feature makes use of pre-processing directives to look for hardened,
   82: alternative implementations of essential library calls. Some programs may fail
   83: to build as a result; this usually happens for those trying too hard to be
   84: portable, or otherwise abusing definitions in the standard library.
   85: 
   86: This will require a modification to the program, or disabling this feature for
   87: part or all of the build.
   88: 
   89: ### Run-time crashes
   90: 
   91: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
   92: crash, usually indicating an actual bug in the program. The fix will typically
   93: involve patching the original program.
   94: 
   95: ## Problems with `PKGSRC_USE_RELRO`
   96: 
   97: ### Performance impact
   98: 
   99: For better protection, full RELRO requires every symbol to be resolved when the
  100: program starts, rather than simply when required at run-time. This will have
  101: more impact on programs using a lot of symbols, or linked to libraries exposing
  102: a lot of symbols. Therefore, daemons or programs otherwise running in
  103: background are affected only when started. Programs loading plug-ins at
  104: run-time are affected when loading the plug-ins.
  105: 
  106: The impact is not expected to be noticeable on modern hardware, except in some
  107: cases for big programs.
  108: 
  109: ### Run-time crashes
  110: 
  111: Some programs handle plug-ins and dependencies in a way that conflicts with
  112: RELRO: for instance, with an initialization routine listing any other plug-in
  113: required. With full RELRO, the missing symbols are resolved before the
  114: initialization routine can run, and the dynamic loader will not be able to find
  115: them directly and abort as a result. Unfortunately, this is how Xorg loads its
  116: drivers. Partial RELRO can be applied instead in this case.
  117: 
  118: ## Problems with `PKGSRC_USE_SSP`
  119: 
  120: ### Packages failing to build
  121: 
  122: The stack-smashing protection provided by this option does not work for some
  123: programs. The two most common situations in which this happens are:
  124: 
  125: * the program makes use of the `alloca(3)` library call (memory allocator on the
  126:   stack)
  127: * the program allocates variables on the stack, with the size determined at
  128:   run-time.
  129: 
  130: Both cases will require a modification to the program, or disabling this feature
  131: for part or all of the build.
  132: 
  133: ### Run-time crashes
  134: 
  135: Again, this feature may cause some programs to crash, usually indicating an
  136: actual bug in the program. Patching the original program is then required.
  137: 
  138: ### Performance impact
  139: 
  140: The compiler emits extra code when using this feature: a check for buffer
  141: overflows is performed when entering and exiting functions, requiring an extra
  142: variable on the stack. The level of protection can otherwise be adjusted to
  143: affect only those functions considered more sensitive by the compiler (with
  144: `-fstack-protector` instead of `-fstack-protector-all`).
  145: 
  146: The impact is not expected to be noticeable on modern hardware. However,
  147: programs with a hard requirement to run at the fastest possible speed should
  148: avoid using this feature, or using libraries built with this feature.
  149: 
  150: # Auditing the system
  151: 
  152: The illusion of security is worse than having no security at all. This section
  153: lists a number of ways to ensure the security features requested are actually
  154: effective.
  155: 
  156: _These instructions were obtained and tested on a system derived from NetBSD 7
  157: (amd64). YMMV._
  158: 
  159: ## Checking for PIE
  160: 
  161: The ELF executable type in use changes for binaries built as PIE; without:
  162: 
  163:     $ file /path/to/bin/ary
  164:     /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
  165: 
  166: as opposed to the following binary, built as PIE:
  167: 
  168:     $ file /path/to/pie/bin/ary
  169:     /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
  170: 
  171: The latter result is then what is expected.
  172: 
  173: ## Checking for partial RELRO
  174: 
  175: The following command should list a section called `RELRO`:
  176: 
  177:     $ objdump -p /path/to/bin/ary
  178: 
  179:     /path/to/bin/ary:     file format elf64-x86-64
  180: 
  181:     Program Header:
  182:     [...]
  183:        RELRO off    0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
  184: 
  185: This check is now performed automatically if `PKG_DEVELOPER` is set and `RELRO`
  186: is enabled.
  187: 
  188: ## Checking for full RELRO
  189: 
  190: The dynamic loader will apply RELRO immediately when detecting the presence of
  191: the `BIND_NOW` flag:
  192: 
  193:     $ objdump -x /path/to/bin/ary
  194: 
  195:     /path/to/bin/ary:     file format elf64-x86-64
  196: 
  197:     Dynamic Section:
  198:     [...]
  199:       BIND_NOW             0x0000000000000000
  200: 
  201: This has to be combined with partial RELRO (see above) to be fully efficient.
  202: 
  203: ## Checking for SSP
  204: 
  205: Building objects, binaries and libraries with SSP will affect the presence of
  206: additional symbols in the resulting file:
  207: 
  208:     $ nm /path/to/bin/ary
  209:     [...]
  210:                      U __stack_chk_fail
  211:     0000000000600ea0 B __stack_chk_guard
  212: 
  213: This is an indicator that the program was indeed built with support for SSP.
  214: 
  215: # References
  216: 
  217: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
  218: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb