1: [[!meta title="Hardening pkgsrc"]]
2:
3: A number of mechanisms are available in
4: [pkgsrc](https://www.pkgsrc.org/) to improve the security of the
5: resulting system. This page describes the mechanisms, and gives hints
6: about detecting and fixing problems.
7:
8: # Mechanisms
9:
10: Mechanisms can be enabled individually in `mk.conf`, and are
11: individually described below. They are sorted by whether they are
12: enabled by default, and then by their ordering in `mk/defaults/mk.conf`.
13:
14: Typically, a feature will cause some programs to fail to build or work
15: when first enabled. This can be due to latent problems in the
16: program, and can be due to other reasons. After enough testing to
17: have confidence that user problems will be quite rare, individual
18: mechanisms will be enabled by default.
19:
20: For each mechanism, see the Caveats section below for an explanation
21: of what might go wrong at compile time and at run time, and how to
22: notice and address these problems.
23:
24: ## Enabled by default in the stable branch
25:
26: ### PKGSRC_USE_FORTIFY
27:
28: This allows substitute wrappers to be used for some commonly used
29: library functions that do not have built-in bounds checking - but
30: could in some cases.
31:
32: TODO: Explain FORTIFY_SOURCE 1 vs 2, and which is used. Give a link
33: to a good explanation of the technique. Explain if this is gcc specific.
34:
35: It has been enabled by default since pkgsrc-2017Q3.
36:
37: ### PKGSRC_USE_SSP
38:
39: This enables a stack-smashing protection mitigation. It is done by adding a
40: guard variable to functions with vulnerable objects. The guards are initialized
41: when a function is entered and then checked when the function exits. The guard
42: check will fail and the program forcibly exited if the variable was modified in
43: the meantime. This can happen in case of buffer overflows or memory corruption,
44: and therefore exposing these bugs.
45:
46: Different mitigation levels are available:
47: * the default ("yes"), which will only protect functions considered vulnerable
48: by the compiler;
49: * "all", which will protect every function;
50: * "strong", which will apply a better balance between the two settings above.
51:
52: This mitigation is supported by both GCC and clang. It may be supported in
53: additional compilers, possibly under a different name. It is particularly useful
54: for unsafe programming languages, such as C/C++.
55:
56: It is enabled by default where known supported since pkgsrc-2017Q3.
57:
58: * <https://en.wikipedia.org/wiki/Buffer_overflow_protection>
59:
60: ## Enabled by default in pkgsrc HEAD
61:
62: ## Not enabled by default
63:
64: ### PKGSRC_MKPIE
65:
66: This requests the the creation of PIE (Position Independent
67: Executables) for all executables. The PIE mechanism is normally used
68: for shared libraries so that they can be loaded at differing addresses
69: at runtime. PIE itself does not have useful security properties.
70: However, some operating systems support Address Space Layout
71: Randomization (ASLR), which causes different addresses to be used each
72: time a program is run. This makes it more difficult for an attacker
73: to guess addresses and thus makes exploits harder to construct.
74:
75: TODO/check: PIE executables will only be built for toolchains that
76: support PIE and operating systems known to support ASLR. Currently,
77: this means NetBSD 8 and later, i386 and amd64.
78:
79: ### PKGSRC_USE_RELRO
80:
81: This also makes the exploitation of some security vulnerabilities more
82: difficult in some cases.
83:
84: TODO: Explain gcc vs clang, and whether this has broad support or just
85: a few platforms.
86:
87: TODO: Address "partial" vs "full"; which is this?
88:
89: TODO: Give a link to a comprehensive explanation.
90:
91: ### PKGSRC_USE_STACK_CHECK
92:
93: This uses `-fstack-check` with GCC for another stack protection
94: mitigation.
95:
96: # Caveats
97:
98: ## Problems with `PKGSRC_MKPIE`
99:
100: ### Recent support for cwrappers
101:
102: `PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3
103: release on (`USE_CWRAPPERS` in `mk.conf`).
104:
105: ### Packages failing to build
106:
107: A number of packages may fail to build with this option enabled. The failures
108: are often related to the absence of the `-fPIC` compilation flag when building
109: libraries or executables (or ideally `-fPIE` in the latter case). This flag is
110: added to the `CFLAGS` already, but requires the package to actually support it.
111:
112: #### How to fix
113:
114: These instructions are meant as a reference only; they likely need to be adapted
115: for many packages individually.
116:
117: For packages using `Makefiles`:
118:
119: MAKE_FLAGS+= CFLAGS=${CFLAGS:Q}
120: MAKE_FLAGS+= LDFLAGS=${LDFLAGS:Q}
121:
122: For packages using `Imakefiles`:
123:
124: MAKE_FLAGS+= CCOPTIONS=${CFLAGS:Q}
125: MAKE_FLAGS+= LOCAL_LDFLAGS=${LDFLAGS:Q}
126:
127: ### Run-time crashes
128:
129: Some programs may fail to run, or crash at random times once built as PIE. Two
130: scenarios are essentially possible:
131:
132: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
133: * bug in the implementation of ASLR/mprotect in the Operating System.
134:
135: ## Problems with `PKGSRC_USE_FORTIFY`
136:
137: ### Packages failing to build
138:
139: This feature makes use of pre-processing directives to look for hardened,
140: alternative implementations of essential library calls. Some programs may fail
141: to build as a result; this usually happens for those trying too hard to be
142: portable, or otherwise abusing definitions in the standard library.
143:
144: This will require a modification to the program, or disabling this feature for
145: part or all of the build.
146:
147: ### Run-time crashes
148:
149: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
150: crash, usually indicating an actual bug in the program. The fix will typically
151: involve patching the original program.
152:
153: ### Optimization is required
154:
155: At least in the case of GCC, FORTIFY will only be applied if optimization is
156: applied while compiling. This means that the CFLAGS should also contain -O, -O2
157: or another optimization level. This cannot easily be applied globally, as some
158: packages may require specific optimization levels.
159:
160: ## Problems with `PKGSRC_USE_RELRO`
161:
162: ### Performance impact
163:
164: For better protection, full RELRO requires every symbol to be resolved when the
165: program starts, rather than simply when required at run-time. This will have
166: more impact on programs using a lot of symbols, or linked to libraries exposing
167: a lot of symbols. Therefore, daemons or programs otherwise running in
168: background are affected only when started. Programs loading plug-ins at
169: run-time are affected when loading the plug-ins.
170:
171: The impact is not expected to be noticeable on modern hardware, except in some
172: cases for big programs.
173:
174: ### Run-time crashes
175:
176: Some programs handle plug-ins and dependencies in a way that conflicts with
177: RELRO: for instance, with an initialization routine listing any other plug-in
178: required. With full RELRO, the missing symbols are resolved before the
179: initialization routine can run, and the dynamic loader will not be able to find
180: them directly and abort as a result. Unfortunately, this is how Xorg loads its
181: drivers. Partial RELRO can be applied instead in this case.
182:
183: ## Problems with `PKGSRC_USE_SSP`
184:
185: ### Packages failing to build
186:
187: The stack-smashing protection provided by this option does not work for some
188: programs. The two most common situations in which this happens are:
189:
190: * the program makes use of the `alloca(3)` library call (memory allocator on the
191: stack)
192: * the program allocates variables on the stack, with the size determined at
193: run-time.
194:
195: Both cases will require a modification to the program, or disabling this feature
196: for part or all of the build.
197:
198: ### Run-time crashes
199:
200: Again, this feature may cause some programs to crash, usually indicating an
201: actual bug in the program. Patching the original program is then required.
202:
203: ### Performance impact
204:
205: The compiler emits extra code when using this feature: a check for buffer
206: overflows is performed when entering and exiting functions, requiring an extra
207: variable on the stack. The level of protection can otherwise be adjusted to
208: affect only those functions considered more sensitive by the compiler (with
209: `-fstack-protector` instead of `-fstack-protector-all`).
210:
211: The impact is not expected to be noticeable on modern hardware. However,
212: programs with a hard requirement to run at the fastest possible speed should
213: avoid using this feature, or using libraries built with this feature.
214:
215: # Auditing the system
216:
217: The illusion of security is worse than having no security at all. This section
218: lists a number of ways to ensure the security features requested are actually
219: effective.
220:
221: _These instructions were obtained and tested on a system derived from NetBSD 7
222: (amd64). YMMV._
223:
224: ## Checking for PIE
225:
226: The ELF executable type in use changes for binaries built as PIE; without:
227:
228: $ file /path/to/bin/ary
229: /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
230:
231: as opposed to the following binary, built as PIE:
232:
233: $ file /path/to/pie/bin/ary
234: /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
235:
236: The latter result is then what is expected.
237:
238: ## Checking for partial RELRO
239:
240: The following command should list a section called `RELRO`:
241:
242: $ objdump -p /path/to/bin/ary
243:
244: /path/to/bin/ary: file format elf64-x86-64
245:
246: Program Header:
247: [...]
248: RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
249:
250: This check is now performed automatically if `PKG_DEVELOPER` is set and `RELRO`
251: is enabled.
252:
253: ## Checking for full RELRO
254:
255: The dynamic loader will apply RELRO immediately when detecting the presence of
256: the `BIND_NOW` flag:
257:
258: $ objdump -x /path/to/bin/ary
259:
260: /path/to/bin/ary: file format elf64-x86-64
261:
262: Dynamic Section:
263: [...]
264: BIND_NOW 0x0000000000000000
265:
266: This has to be combined with partial RELRO (see above) to be fully efficient.
267:
268: ## Checking for SSP
269:
270: Building objects, binaries and libraries with SSP will affect the presence of
271: additional symbols in the resulting file:
272:
273: $ nm /path/to/bin/ary
274: [...]
275: U __stack_chk_fail
276: 0000000000600ea0 B __stack_chk_guard
277:
278: This is an indicator that the program was indeed built with support for SSP.
279:
280: # References
281:
282: * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
283:
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc