File: [NetBSD Developer Wiki] / wikisrc / pkgsrc / hardening.mdwn
Revision 1.4, Thu Mar 17 03:19:17 2016 UTC, by khorben (branch MAIN, tag HEAD)
Commit message: Also document PKGSRC_USE_FORTIFY

[[!meta title="Hardening pkgsrc"]]

[pkgsrc](http://www.pkgsrc.org/) supports a number of mechanisms that are meant
to improve the security of compiled binaries. They can be individually enabled
in `mk.conf`, and consist of:

* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
  Executables) when supported on the current platform. An executable that is
  not position independent is always loaded at the same address, so this option
  is necessary to fully leverage ASLR as a mitigation for security
  vulnerabilities.
* `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
  functions that do not perform bounds checking by default, but could in some
  cases (whenever the compiler can tell how large the destination buffer is).
* `PKGSRC_USE_RELRO`: makes relocation data such as the GOT read-only once the
  dynamic linker has processed it. This makes the exploitation of some security
  vulnerabilities more difficult, since an attacker with a write primitive can
  no longer redirect execution by overwriting a function pointer stored there.
* `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
  platforms), which places a canary between local buffers and the return
  address so that an overflow is detected before the function returns.

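Each of these options leaves a visible mark in the produced binary, which is the quickest way to confirm that a rebuilt package actually picked them up. The following checker is an added example written for this page, not part of pkgsrc or NetBSD: it reads a little-endian ELF64 image and reports the ELF type (PIE executables are linked as `ET_DYN`), the `PT_GNU_RELRO` segment and the `BIND_NOW` dynamic flag (partial versus full RELRO), and the `__stack_chk_fail` and `__*_chk` symbol names that SSP and FORTIFY pull into the dynamic symbol table. Run without arguments it builds and inspects a constructed, non-loadable sample image; the helper names (`inspect_elf`, `build_sample`, `sample_report`) and the short list of fortify symbols it searches for are this example's own choices. On a real system `readelf -h`, `readelf -l`, `readelf -d` and `nm -D` show the same information.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal ELF64 constants (from the ELF specification), defined here so the
 * example builds on any platform instead of depending on a matching <elf.h>. */
enum { ET_DYN = 3, PT_DYNAMIC = 2, PT_GNU_RELRO = 0x6474e552, DT_NULL = 0, DT_FLAGS = 30,
       DT_FLAGS_1 = 0x6ffffffb, DF_BIND_NOW = 0x8, DF_1_NOW = 0x1, SAMPLE_CAP = 256 };
/* Bits returned by inspect_elf(). */
enum { H_PIE = 1, H_RELRO = 2, H_BIND_NOW = 4, H_SSP = 8, H_FORTIFY = 16 };

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* .dynstr stores NUL-terminated names, so a byte search for "name\0" is enough
 * for this demonstration; on a real binary use nm -D or readelf --dyn-syms. */
static int has_name(const uint8_t *img, size_t len, const char *name) {
    size_t n = strlen(name) + 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(img + i, name, n) == 0) return 1;
    return 0;
}

/* Inspect a little-endian ELF64 image: returns a bitmask of H_* flags, or -1. */
static int inspect_elf(const uint8_t *img, size_t len) {
    static const char *const chk[] = { "__memcpy_chk", "__strcpy_chk", "__sprintf_chk",
                                       "__snprintf_chk", "__memset_chk", "__strcat_chk" };
    if (len < 64 || memcmp(img, "\177ELF", 4) != 0 || img[4] != 2 || img[5] != 1) return -1;
    unsigned e_type = img[16] | img[17] << 8, e_phentsize = img[54] | img[55] << 8, e_phnum = img[56] | img[57] << 8;
    uint64_t e_phoff = rd64(img + 32), dyn_off = 0, dyn_end = 0;
    int h = 0;
    /* PIE executables are ET_DYN; so are shared libraries, so this bit only means
     * something when the file is an executable. */
    if (e_type == ET_DYN) h |= H_PIE;
    for (unsigned i = 0; i < e_phnum; i++) {
        uint64_t off = e_phoff + (uint64_t)i * e_phentsize;
        if (off + 56 > len) return -1;
        uint32_t p_type = rd32(img + off);
        if (p_type == PT_GNU_RELRO) h |= H_RELRO;                      /* -Wl,-z,relro */
        if (p_type == PT_DYNAMIC) { dyn_off = rd64(img + off + 8); dyn_end = dyn_off + rd64(img + off + 32); }
    }
    /* With RELRO alone the PLT part of the GOT stays writable because symbols are
     * resolved lazily; BIND_NOW (-Wl,-z,now) resolves them all at load time, so
     * the whole GOT can be made read-only ("full" RELRO). */
    for (uint64_t off = dyn_off; off + 16 <= dyn_end && off + 16 <= len; off += 16) {
        int64_t tag = (int64_t)rd64(img + off);
        uint64_t val = rd64(img + off + 8);
        if (tag == DT_NULL) break;
        if ((tag == DT_FLAGS && (val & DF_BIND_NOW)) || (tag == DT_FLAGS_1 && (val & DF_1_NOW))) h |= H_BIND_NOW;
    }
    if (has_name(img, len, "__stack_chk_fail")) h |= H_SSP;            /* -fstack-protector */
    for (size_t i = 0; i < sizeof chk / sizeof chk[0]; i++)
        if (has_name(img, len, chk[i])) h |= H_FORTIFY;                 /* _FORTIFY_SOURCE */
    return h;
}

/* Constructed, non-loadable sample image: header, two program headers, a dynamic
 * section and two symbol names. Only the fields inspect_elf() reads are filled in. */
static size_t build_sample(uint8_t *buf, int pie, int relro, int bind_now, int with_syms) {
    static const char syms[] = "__stack_chk_fail\0__memcpy_chk";       /* two NUL-terminated names */
    memset(buf, 0, SAMPLE_CAP);
    memcpy(buf, "\177ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;             /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    buf[16] = (uint8_t)(pie ? ET_DYN : 2);          /* e_type: ET_DYN or ET_EXEC */
    buf[18] = 62;                                   /* e_machine: EM_X86_64 */
    wr64(buf + 32, 64);                             /* e_phoff: right after the header */
    buf[54] = 56; buf[56] = 2;                      /* e_phentsize, e_phnum */
    uint8_t *ph = buf + 64, *dyn = buf + 64 + 2 * 56, *d = dyn;
    if (bind_now) { wr64(d, DT_FLAGS); wr64(d + 8, DF_BIND_NOW); d += 16; }
    wr64(d, DT_NULL); d += 16;
    wr32(ph, PT_DYNAMIC); wr64(ph + 8, (uint64_t)(dyn - buf)); wr64(ph + 32, (uint64_t)(d - dyn));
    wr32(ph + 56, relro ? PT_GNU_RELRO : 1);        /* second header: PT_GNU_RELRO or PT_LOAD */
    if (with_syms) { memcpy(d, syms, sizeof syms); d += sizeof syms; }
    return (size_t)(d - buf);
}

/* Build a sample with the given properties and inspect it. */
static int sample_report(int pie, int relro, int bind_now, int with_syms) {
    uint8_t img[SAMPLE_CAP];
    size_t n = build_sample(img, pie, relro, bind_now, with_syms);
    return inspect_elf(img, n);
}

static void print_report(const char *what, int h) {
    printf("%s: PIE=%s RELRO=%s SSP=%s FORTIFY=%s\n", what, h & H_PIE ? "yes" : "no",
           !(h & H_RELRO) ? "none" : (h & H_BIND_NOW) ? "full" : "partial",
           h & H_SSP ? "yes" : "no", h & H_FORTIFY ? "yes" : "no");
}

/* Without an argument the constructed sample is shown; with a path, that file. */
int main(int argc, char **argv) {
    if (argc < 2) { print_report("constructed sample, all options", sample_report(1, 1, 1, 1)); return 0; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    uint8_t *img = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { perror(argv[1]); return 1; }
    int h = inspect_elf(img, (size_t)sz);
    if (h < 0) fprintf(stderr, "%s: not a little-endian ELF64 image\n", argv[1]);
    else print_report(argv[1], h);
    fclose(f); free(img);
    return h < 0;
}
```

The symbol checks are heuristics: a statically linked or stripped-of-dynsym binary will not show them, and `__stack_chk_fail` only proves the compiler emitted a canary check somewhere, not in every function. The ELF type, `PT_GNU_RELRO` and `BIND_NOW` checks, by contrast, are exact.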
# Caveats

## Problems with `PKGSRC_MKPIE`

### No support for cwrappers

As of the time of this article `PKGSRC_MKPIE` is not supported by
`pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).

### Packages failing to build

A number of packages may fail to build with this option enabled. The failures
are often caused by the absence of the `-fPIC` compilation flag when building
libraries or executables (or ideally `-fPIE` in the latter case); the typical
symptom is a linker error about a relocation that cannot be used when making a
shared or position-independent object. pkgsrc already adds this flag to
`CFLAGS`, but the package's build system has to actually honour the `CFLAGS`
and `LDFLAGS` it is given instead of using its own.

#### How to fix

These instructions are meant as a reference only; they likely need to be adapted
for many packages individually. In each case the goal is to pass pkgsrc's
`CFLAGS` and `LDFLAGS` through to the package's build, so that it compiles with
`-fPIC`/`-fPIE` and links with the matching flags.

For packages using `Makefiles`:

    MAKE_FLAGS+=	CFLAGS=${CFLAGS:Q}
    MAKE_FLAGS+=	LDFLAGS=${LDFLAGS:Q}

For packages using `Imakefiles`:

    MAKE_FLAGS+=	CCOPTIONS=${CFLAGS:Q}
    MAKE_FLAGS+=	LOCAL_LDFLAGS=${LDFLAGS:Q}

### Run-time crashes

Some programs may fail to run, or crash at random times once built as PIE. Two
scenarios are essentially possible:

* an actual bug in the program (for instance a hard-coded address, or an
  uninitialised pointer that happened to be valid at a fixed load address),
  which stayed hidden before and is now exposed thanks to ASLR/mprotect;
* a bug in the implementation of ASLR/mprotect in the Operating System.

## Problems with `PKGSRC_USE_FORTIFY`

### Packages failing to build

This feature makes use of pre-processing directives to look for hardened,
alternative implementations of essential library calls: the system headers
redefine functions such as `memcpy(3)` or `strcpy(3)` as macros that expand to
a checked variant, which is passed the size of the destination buffer whenever
the compiler can determine it. Some programs may fail to build as a result;
this usually happens for those trying too hard to be portable (for instance by
re-declaring standard functions themselves, or testing for them with
`#ifdef`), or otherwise abusing definitions in the standard library.

This will require a modification to the program, or disabling this feature for
part or all of the build.

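To make the mechanism concrete, here is an added example (not code from NetBSD, pkgsrc or any libc) of a minimal fortify layer of the kind `_FORTIFY_SOURCE` enables in the system headers: a function-like macro replaces `memcpy()` with a checked variant that receives `__builtin_object_size(dst, 0)`, which the compiler folds to the destination's size when it can determine it and to `(size_t)-1` otherwise. The names `fortified_memcpy`, `chk_fail` and the violation counter are this example's own; a real implementation aborts instead of counting, and covers many more functions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fortify layer, modelled on the way <ssp/string.h> on NetBSD and
 * glibc's _FORTIFY_SOURCE headers work. Real implementations abort in the failure
 * path; this one counts violations so callers can report the outcome. */
static int fortify_violations;

static void chk_fail(const char *fn) {
    fortify_violations++;
    fprintf(stderr, "*** %s: buffer overflow detected ***\n", fn);
}

/* Checked variant: takes the destination size as an extra argument. (size_t)-1
 * means "unknown at compile time", in which case no check is possible. */
static void *fortified_memcpy(void *dst, const void *src, size_t n, size_t dstsize) {
    if (dstsize != (size_t)-1 && n > dstsize) {
        chk_fail("memcpy");
        return dst;            /* copy refused; a real implementation would abort() */
    }
    return memcpy(dst, src, n);
}

/* The pre-processing step the text describes: from here on every memcpy() call in
 * this translation unit is rewritten to pass __builtin_object_size(dst, 0), which
 * the compiler folds to the size of the object dst points into when it knows it.
 *
 * This is also why some packages stop building: a source file that re-declares
 * the function itself after the headers,
 *     extern void *memcpy(void *, const void *, size_t);
 * now has the macro expanded into its declaration and no longer parses. Taking
 * the address (fn = memcpy;) still compiles, because a function-like macro only
 * expands when followed by '(', but the resulting call is the unchecked one. */
#undef memcpy
#define memcpy(dst, src, n) fortified_memcpy((dst), (src), (n), __builtin_object_size((dst), 0))

/* Constructed caller 1: the destination is a local array, so the compiler knows
 * its size (16) and an oversized copy is refused. Returns the number of
 * violations the call produced. */
static int copy_to_fixed(size_t n) {
    char buf[16], src[64];
    memset(src, 'A', sizeof src);
    int before = fortify_violations;
    memcpy(buf, src, n);       /* expands to fortified_memcpy(buf, src, n, 16) */
    return fortify_violations - before;
}

/* Constructed caller 2: through a pointer the compiler cannot see the object's
 * size, the macro passes (size_t)-1 and the copy is not checked at all. This is
 * the limit of FORTIFY: it only helps where the destination size is known. The
 * noinline keeps the compiler from seeing through the call. */
__attribute__((noinline)) static int copy_via_pointer(char *dst, size_t n) {
    char src[64];
    memset(src, 'B', sizeof src);
    int before = fortify_violations;
    memcpy(dst, src, n);       /* expands to fortified_memcpy(dst, src, n, (size_t)-1) */
    return fortify_violations - before;
}

static int copy_to_opaque(size_t n) {
    char buf[64];              /* big enough for the sizes used below, so no real overflow */
    return copy_via_pointer(buf, n);
}

int main(void) {
    printf("16-byte buffer, 8-byte copy:  %d violation(s)\n", copy_to_fixed(8));
    printf("16-byte buffer, 32-byte copy: %d violation(s)\n", copy_to_fixed(32));
    printf("opaque pointer, 32-byte copy: %d violation(s)\n", copy_to_opaque(32));
    return 0;
}
```

The second caller is the reason FORTIFY is a cheap extra layer rather than a complete defence: a copy into heap memory or into a buffer passed in from another function is checked only if the compiler could propagate the size, so SSP and ASLR remain necessary alongside it.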
### Run-time crashes

Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
crash, usually indicating an actual bug in the program: the checked variant
aborts when a call would overflow its destination buffer, where the unchecked
one would have silently corrupted memory. The fix will typically involve
patching the original program.

## Problems with `PKGSRC_USE_SSP`

### Packages failing to build

The stack-smashing protection provided by this option does not work for some
programs. The two most common situations in which this happens are:

* the program makes use of the `alloca(3)` library call (memory allocator on the
  stack);
* the program allocates variables on the stack, with the size determined at
  run-time (variable-length arrays).

Both cases will require a modification to the program, or disabling this feature
for part or all of the build.

### Run-time crashes

Again, this feature may cause some programs to crash, usually indicating an
actual bug in the program: the canary placed before the saved return address was
overwritten by a stack buffer overflow, and the program was aborted before the
function could return to a corrupted address. Patching the original program is
then required.
