HardeningWrapper

Differences between revisions 12 and 13
Revision 12 as of 2008-04-29 22:06:43
Size: 4386
Editor: c-76-105-157-155
Comment:
Revision 13 as of 2008-04-30 08:12:15
Size: 4493
Editor: c-76-105-157-155
Comment: new logs
Line 79 changed between the two revisions.

Revision 12:
All of Hardy "main" was rebuilt with version 1.5 of hardening-wrapper. Attempts were made for full hardening, and with PIE disabled. Results are here: http://people.ubuntu.com/~kees/hardening/

Revision 13:
All of Hardy "main" was test-rebuilt with the hardening-wrapper. Attempts were made for full hardening, and with PIE disabled. Results:
  • hardening-wrapper 1.5: http://people.ubuntu.com/~kees/hardening/wrapper-1.5/
  • hardening-wrapper 1.11: http://people.ubuntu.com/~kees/hardening/wrapper-1.11/

While the DistCompilerFlags spec (and ensuing [https://wiki.ubuntu.com/DistCompilerFlags Debian discussion]) matures, we need a way to test security hardening compiler options (in the hope of enabling them distro-wide for Intrepid). The [http://wiki.debian.org/Hardening hardening-wrapper] package installs wrappers for ld and gcc/g++ (4.1, 4.2, 4.3 -- 3.x is not included since it seems that it won't be in the archive for Intrepid, though it can be added if someone needs it). These options enable several features that make the resulting binaries more resistant to exploitation of memory corruption vulnerabilities (making targets in the binary harder to find, reducing the number of targets, catching overflows before they can be abused, and warning about unsafe *printf usage at compile time).
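
Once a package has been built through the wrapper, the practical question is whether the options actually took effect in the produced binary. The following checker is an added example, not code from this page or from the hardening-wrapper project: it reads an ELF64 image and reports PIE (ET_DYN plus a PT_INTERP header), RELRO (a PT_GNU_RELRO header) and a non-executable stack (PT_GNU_STACK without PF_X). The stack protector is not visible from headers alone (it appears as a reference to __stack_chk_fail in the symbol table), so it is not reported. All function and type names here are invented for the example, and it assumes a little-endian host.

```c
/* Added example (not from the wiki page or the hardening-wrapper project).
 * Reports header-level hardening traits of an ELF64 image:
 *   pie      - e_type == ET_DYN and a PT_INTERP program header exists
 *   relro    - a PT_GNU_RELRO program header exists
 *   nx_stack - PT_GNU_STACK exists and is not marked PF_X
 * Assumes ELF64 input and a little-endian host. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hardening_report {
    int valid;     /* 1 if the buffer parsed as an ELF64 image */
    int pie;
    int relro;
    int nx_stack;
};

/* Parse from memory so the same logic runs on a file or on a constructed
 * sample. Every program header is bounds-checked against len. */
struct hardening_report elf_report_buffer(const unsigned char *buf, size_t len)
{
    struct hardening_report r = {0, 0, 0, 0};
    Elf64_Ehdr eh;
    int has_interp = 0;
    if (buf == NULL || len < sizeof eh) return r;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64) return r;
    r.valid = 1;
    if (eh.e_phentsize < sizeof(Elf64_Phdr)) return r;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        Elf64_Phdr ph;
        if (off > len || len - off < sizeof ph) break;   /* truncated image */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_INTERP)    has_interp = 1;
        if (ph.p_type == PT_GNU_RELRO) r.relro = 1;
        if (ph.p_type == PT_GNU_STACK) r.nx_stack = (ph.p_flags & PF_X) == 0;
    }
    /* ET_DYN alone also matches shared libraries; requiring PT_INTERP
     * narrows it to dynamically linked executables (static PIE is missed). */
    r.pie = (eh.e_type == ET_DYN) && has_interp;
    return r;
}

/* Read a whole file into memory and report on it. */
struct hardening_report elf_report_file(const char *path)
{
    struct hardening_report r = {0, 0, 0, 0};
    FILE *f = fopen(path, "rb");
    if (!f) return r;
    if (fseek(f, 0, SEEK_END) == 0) {
        long sz = ftell(f);
        if (sz > 0 && fseek(f, 0, SEEK_SET) == 0) {
            unsigned char *buf = malloc((size_t)sz);
            if (buf && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
                r = elf_report_buffer(buf, (size_t)sz);
            free(buf);
        }
    }
    fclose(f);
    return r;
}

/* Constructed ELF64 image (headers only, not loadable) so the checker can be
 * exercised offline without a real binary. */
size_t build_sample_image(uint16_t e_type, int with_relro, int exec_stack,
                          unsigned char *out, size_t cap)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[3];
    size_t n = sizeof eh + sizeof ph;
    if (cap < n) return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = e_type;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 3;
    ph[0].p_type = PT_INTERP;
    ph[1].p_type = with_relro ? PT_GNU_RELRO : PT_NULL;
    ph[2].p_type = PT_GNU_STACK;
    ph[2].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
    return n;
}

int main(int argc, char **argv)
{
    unsigned char img[512];
    struct hardening_report r;
    if (argc > 1)
        r = elf_report_file(argv[1]);   /* e.g. a binary from a wrapped build */
    else
        r = elf_report_buffer(img, build_sample_image(ET_DYN, 1, 0, img, sizeof img));
    printf("valid=%d pie=%d relro=%d nx_stack=%d\n", r.valid, r.pie, r.relro, r.nx_stack);
    return r.valid ? 0 : 1;
}
```

Run it as `./elfcheck /path/to/built/binary` to compare a DEB_BUILD_HARDENING=1 build against a normal one; with no argument it reports on the constructed sample. A binary built with DEB_BUILD_HARDENING_PIE=0 should show relro and nx_stack but not pie.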

To perform package builds with the options enabled, a developer needs to do two things:

  • install hardening-wrapper (surprise!)
  • set the environment variable DEB_BUILD_HARDENING=1 (in hardening-wrapper 1.12 and later, /etc/hardening-wrapper.conf can hold system-wide default DEB_BUILD_HARDENING* variables)

The hardening features can be individually disabled if there are complications during a build. The most likely build failures will be related to DEB_BUILD_HARDENING_PIE, which has the largest impact on the built objects. Some unusual packages are known not to work with this wrapper's implementation of the PIE compiler options. When build failures are found that are specific to enabling the hardening features, please open a bug against the failed package with this information and:

  • attach the build log when built with DEB_BUILD_HARDENING_DEBUG=1 enabled
  • tag the bug as "hardening-ftbfs"
  • discuss any tested work-arounds (does it compile with certain options disabled?)

When performing compiles, also please keep an eye out for this kind of warning:

foo.c: In function 'bar':
foo.c:16: warning: format not a string literal and no format arguments

This indicates a (possibly) unsafe use of a *printf function (i.e. printf(strvar) where printf("%s", strvar) should be used), and should be investigated to make sure the package is not vulnerable to a format string attack. Please open bugs for these as well, and tag them "format-security".
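
The pattern the warning points at, next to its corrected form, as an added example (not code from this page or from any package mentioned here; the function names are invented). The unsafe form is wrapped in a diagnostic pragma only so that the file still compiles where -Wformat-security is promoted to an error; a package build through the wrapper would still report it.

```c
/* Added example, not from the wiki page: the *printf misuse behind
 * "warning: format not a string literal and no format arguments",
 * next to the corrected call. Names are made up for this example. */
#include <stdio.h>
#include <string.h>

/* Unsafe form: the caller-supplied message IS the format string, so any
 * conversion inside it is interpreted ("%x" reads stack words, "%n" writes
 * memory). gcc's -Wformat-security flags this call. The pragma only keeps
 * the example compiling where that warning is an error; it is here to show
 * what the warning flags and must not be called with untrusted input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_line_unsafe(char *buf, size_t size, const char *msg)
{
    return snprintf(buf, size, msg);
}
#pragma GCC diagnostic pop

/* Safe form: a literal format with the message as an argument, so '%'
 * sequences in msg are copied verbatim. Returns what snprintf returns (the
 * length the full output would have had), so callers can detect truncation. */
int log_line_safe(char *buf, size_t size, const char *msg)
{
    return snprintf(buf, size, "%s", msg);
}

/* 1 if the message fit in buf without truncation, 0 otherwise. */
int log_line_fits(char *buf, size_t size, const char *msg)
{
    int n = log_line_safe(buf, size, msg);
    return n >= 0 && (size_t)n < size;
}

int main(void)
{
    /* Constructed input resembling a format-string probe. */
    const char *probe = "user said %x %x %n";
    char line[64];
    log_line_safe(line, sizeof line, probe);
    printf("%s\n", line);   /* the '%' sequences appear literally */
    return 0;
}
```

Compiling this file with `gcc -Wformat -Wformat-security` and the pragma lines removed reproduces the exact warning text quoted above, which is a quick way to confirm the wrapper's compile environment is reporting it.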

To catch libc runtime abort errors, they must be forced to STDERR by setting the environment variable LIBC_FATAL_STDERR_=1. (The trailing underscore is not a typo.)

Enabling

native build

  • install the hardening-wrapper package

  • export DEB_BUILD_HARDENING=1 in your shell

single package

  • add "hardening-wrapper" to Build-Depends
  • add export DEB_BUILD_HARDENING=1 to debian/rules.

sbuild

  • Set the environment variable "DEB_BUILD_HARDENING=1"
  • Add -a "PKG: & hardening-wrapper" to the command line, where PKG is the package you're building

e.g.:

  • DEB_BUILD_HARDENING=1 sbuild -q -A -d hardy -b -a "hello: & hardening-wrapper" hello*.dsc

pbuilder

  • documentation needed!

Common Failures

As with GccSsp, there will be some packages that do not compile correctly with the hardening-wrapper. As noted above, please try disabling various features to determine the cause of the failure, and document common cases here. Also please note specific package failures in the "Record of problems" section below.

  • PIE failure
    • Error looks like:

      relocation R_X86_64_32S against `__libc_csu_fini' can not be used when making a shared object; recompile with -fPIC
    • Try setting DEB_BUILD_HARDENING_PIE=0

Archive Rebuild Logs

All of Hardy "main" was test-rebuilt with the hardening-wrapper. Attempts were made for full hardening, and with PIE disabled. Results:

  • hardening-wrapper 1.5: http://people.ubuntu.com/~kees/hardening/wrapper-1.5/
  • hardening-wrapper 1.11: http://people.ubuntu.com/~kees/hardening/wrapper-1.11/

Early PIE Targets

These candidates were chosen as they are network daemons provided either in tasksel or typical installations:

  • apache2
  • php5
  • mysql
  • bind9
  • openldap2.3
  • postfix
  • cupsys
  • openssh
  • postgresql
  • samba
  • dovecot
  • dhcpd
  • dhcp3-client

Record of problems

  • None yet! ;)

How Debian is using the wrapper

Security/HardeningWrapper (last edited 2008-09-02 23:56:11 by sites)