File:  [NetBSD Developer Wiki] / wikisrc / pkgsrc / hardening.mdwn
Revision 1.9: download - view: text, annotated - select for diffs
Thu Mar 17 14:02:06 2016 UTC (6 years, 8 months ago) by khorben
Branches: MAIN
CVS tags: HEAD
Wording

    1: [[!meta title="Hardening pkgsrc"]]
    2: 
    3: A number of mechanisms are available in [pkgsrc](http://www.pkgsrc.org/) to
    4: improve the security of the resulting system. They can be enabled individually
    5: in `mk.conf`, and consist of:
    6: 
    7: * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
    8:   Executables) when supported on the current platform. This option is necessary
    9:   to fully leverage ASLR as a mitigation for security vulnerabilities.
   10: * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
   11:   functions that do not bounds checking regularly - but could in some cases.
   12: * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
   13:   vulnerabilities more difficult in some cases.
   14: * `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
   15:   platforms)
   16: 
   17: # Caveats
   18: 
   19: ## Problems with `PKGSRC_MKPIE`
   20: 
   21: ### No support for cwrappers
   22: 
   23: As of the time of this article `PKGSRC_MKPIE` is not supported by
   24: `pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).
   25: 
   26: ### Packages failing to build
   27: 
   28: A number of packages may fail to build with this option enabled. The failures
   29: are often related to the absence of the "-fPIC" compilation flag when building
   30: libraries or executables (or ideally "-fPIE" in the latter case). This flag is
   31: added to the `CFLAGS` already, but requires the package to actually support it.
   32: 
   33: #### How to fix
   34: 
   35: These instructions are meant as a reference only; they likely need to be adapted
   36: for many packages individually.
   37: 
   38: For packages using `Makefiles`:
   39: 
   40:     MAKE_FLAGS+=	CFLAGS=${CFLAGS:Q}
   41:     MAKE_FLAGS+=	LDFLAGS=${LDFLAGS:Q}
   42: 
   43: For packages using `Imakefiles`:
   44: 
   45:     MAKE_FLAGS+=	CCOPTIONS=${CFLAGS:Q}
   46:     MAKE_FLAGS+=	LOCAL_LDFLAGS=${LDFLAGS:Q}
   47: 
   48: ### Run-time crashes
   49: 
   50: Some programs may fail to run, or crash at random times once built as PIE. Two
   51: scenarios are essentially possible:
   52: 
   53: * actual bug in the program crashing, exposed thanks to ASLR/mprotect;
   54: * bug in the implementation of ASLR/mprotect in the Operating System.
   55: 
   56: ## Problems with `PKGSRC_USE_FORTIFY`
   57: 
   58: ### Packages failing to build
   59: 
   60: This feature makes use of pre-processing directives to look for hardened,
   61: alternative implementations of essential library calls. Some programs may fail
   62: to build as a result; this usually happens for those trying too hard to be
   63: portable, or otherwise abusing definitions in the standard library.
   64: 
   65: This will require a modification to the program, or disabling this feature for
   66: part or all of the build.
   67: 
   68: ### Run-time crashes
   69: 
   70: Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
   71: crash, usually indicating an actual bug in the program. The fix will typically
   72: involve patching the original program.
   73: 
   74: ## Problems with `PKGSRC_USE_RELRO`
   75: 
   76: ### Performance impact
   77: 
   78: For better protection, full RELRO requires every symbol to be resolved when the
   79: program starts, rather than lazily at run-time. This will have more impact on
   80: programs using a lot of symbols, or linked to libraries exposing a lot of
   81: symbols. Therefore, daemons or programs otherwise running in background are
   82: affected only when started. Programs loading plug-ins at run-time are affected
   83: when loading the plug-ins.
   84: 
   85: The impact is not expected to be noticeable on modern hardware, except in some
   86: cases for big programs.
   87: 
   88: ## Problems with `PKGSRC_USE_SSP`
   89: 
   90: ### Packages failing to build
   91: 
   92: The stack-smashing protection provided by this option does not work for some
   93: programs. The two most common situations in which this happens are:
   94: 
   95: * the program makes use of the `alloca(3)` library call (memory allocator on the
   96:   stack)
   97: * the program allocates variables on the stack, with the size determined at
   98:   run-time.
   99: 
  100: Both cases will require a modification to the program, or disabling this feature
  101: for part or all of the build.
  102: 
  103: ### Run-time crashes
  104: 
  105: Again, this feature may cause some programs to crash, usually indicating an
  106: actual bug in the program. Patching the original program is then required.
  107: 
  108: ### Performance impact
  109: 
  110: The compiler emits extra code when using this feature: a check for buffer
  111: overflows is performed when entering and exiting functions, requiring an extra
  112: variable on the stack. The level of protection can otherwise be adjusted to
  113: affect only those functions considered more sensitive by the compiler (with
  114: `-fstack-protector` instead of `-fstack-protector-all`).
  115: 
  116: The impact is not expected to be noticeable on modern hardware. However,
  117: programs with a hard requirement to run at the fastest possible speed should
  118: avoid using this feature, or using libraries built with this feature.
  119: 
  120: # Auditing the system
  121: 
  122: The illusion of security is worse than having no security at all. This section
  123: lists a number of ways to ensure the security features requested are actually
  124: effective.
  125: 
  126: _These instructions were obtained and tested on a system derived from NetBSD 7
  127: (amd64). YMMV._
  128: 
  129: ## Checking for PIE
  130: 
  131: The ELF executable type in use changes for binaries built as PIE; without:
  132: 
  133:     $ file /path/to/bin/ary
  134:     /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
  135: 
  136: as opposed to the following binary, built as PIE:
  137: 
  138:     $ file /path/to/pie/bin/ary
  139:     /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped
  140: 
  141: The latter result is then what is expected.
  142: 
  143: ## Checking for RELRO
  144: 
  145: The following command should list a section called `RELRO`:
  146: 
  147:     $ objdump -p /path/to/bin/ary
  148: 
  149:     /path/to/bin/ary:     file format elf64-x86-64
  150: 
  151:     Program Header:
  152:     [...]
  153:        RELRO off    0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
  154: 
  155: ## Checking for SSP
  156: 
  157: Building objects, binaries and libraries with SSP will affect the presence of
  158: additional symbols in the resulting file:
  159: 
  160:     $ nm /path/to/bin/ary
  161:     [...]
  162:                      U __stack_chk_fail
  163:     0000000000600ea0 B __stack_chk_guard
  164: 
  165: This is an indicator that the program was indeed built with support for SSP.
  166: 

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb