File:  [NetBSD Developer Wiki] / wikisrc / pkgsrc / hardening.mdwn
Revision 1.3: download - view: text, annotated - select for diffs
Thu Mar 17 03:14:51 2016 UTC (6 years, 2 months ago) by khorben
Branches: MAIN
CVS tags: HEAD
Also document PKGSRC_USE_SSP

[[!meta title="Hardening pkgsrc"]]

[pkgsrc](http://www.pkgsrc.org/) supports a number of mechanisms that are meant
to improve the security of compiled binaries. They can be individually enabled
in `mk.conf`, and consist of:

* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
  Executables) when supported on the current platform. This option is necessary
  to fully leverage ASLR as a mitigation for security vulnerabilities.
* `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
  functions that do not bounds checking regularly - but could in some cases.
* `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
  vulnerabilities more difficult in some cases.
* `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
  platforms)

# Caveats

## Problems with `PKGSRC_MKPIE`

### No support for cwrappers

As of the time of this article `PKGSRC_MKPIE` is not supported by
`pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).

### Packages failing to build

A number of packages may fail to build with this option enabled. The failures
are often related to the absence of the "-fPIC" compilation flag when building
libraries or executables (or ideally "-fPIE" in the latter case). This flag is
added to the `CFLAGS` already, but requires the package to actually support it.

#### How to fix

These instructions are meant as a reference only; they likely need to be adapted
for many packages individually.

For packages using `Makefiles`:

    MAKE_FLAGS+=	CFLAGS=${CFLAGS:Q}
    MAKE_FLAGS+=	LDFLAGS=${LDFLAGS:Q}

For packages using `Imakefiles`:

    MAKE_FLAGS+=	CCOPTIONS=${CFLAGS:Q}
    MAKE_FLAGS+=	LOCAL_LDFLAGS=${LDFLAGS:Q}

### Run-time crashes

Some programs may fail to run, or crash at random times once built as PIE. Two
scenarios are essentially possible:

* actual bug in the program crashing, exposed thanks to ASLR/mprotect;
* bug in the implementation of ASLR/mprotect in the Operating System.

## Problems with `PKGSRC_USE_SSP`

### Packages failing to build

The stack-smashing protection provided by this option does not work for some
programs. The two most common situations in which this happens are:

* the program makes use of the `alloca(3)` library call (memory allocator on the
  stack)
* the program allocates variables on the stack, with the size determined at
  run-time.

Both cases will require a modification to the program, or disabling this feature
for part or all of the build.

### Run-time crashes

Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
crash, usually indicating an actual bug in the program. The fix will typically
involve patching the original program.


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb