[tor-bugs] #15138 [Tor Browser]: Investigate TBB 4.5 hardening (e.g. DEP/ASLR) on all Platforms
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Mar 15 19:31:52 UTC 2015
#15138: Investigate TBB 4.5 hardening (e.g. DEP/ASLR) on all Platforms
--------------------------+------------------------------------------------
Reporter: tom | Owner: tom
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: TorBrowserTeam201503, tbb-security |
Resolution: | Parent ID:
Actual Points: |
Points: |
--------------------------+------------------------------------------------
Comment (by tom):
++gk
I have some builds going to try and figure out if it will be easy to
enable the stack smashing flags.
The hardening-check tool on Linux (part of hardening-includes on
Debian/Ubuntu) can be used to do some stuff automatically.
https://wiki.debian.org/HardeningWalkthrough#Testing_your_packages_after_conversion
A one-liner is:
{{{
hardening-check -q ` find . | xargs -- file | \grep ELF | cut -d " " -f 1 | sed 's/://' | tr '\n' ' ' `
}}}
I used it to double-check the tor-qa test results (at
http://test-reports.tbb.torproject.org/reports/r/4.5a4-build3-Fedora20-x86_64/ ), and
they agree. I think the Pluggable Transports can be whitelisted as being
expected to fail the stack canary and RELRO tests.
To be redundant, it yielded the following warnings (identical on x32 and
x64). While having the stack smashing protection would be nice, I believe
that to exploit a stack smash you would also need to bypass ASLR. (There
may be another way, but nothing is coming to mind immediately.)
{{{
./Browser/libmozalloc.so:
Stack protected: no, not found!
./Browser/libnssckbi.so:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
./Browser/libplc4.so:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
./Browser/libplds4.so:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
./Browser/libsmime3.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/libstdc++.so.6:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
}}}
And the following known PT stuff:
{{{
./Browser/TorBrowser/Tor/PluggableTransports/fte/cDFA.so:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Util/_counter.so:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC4.so:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_CAST.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_AES.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_DES3.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_XOR.so:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_Blowfish.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_DES.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC2.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/_MD2.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/_MD4.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/_RIPEMD160.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/meek-client-torbrowser:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Read-only relocations: no, not found!
Immediate binding: no, not found!
./Browser/TorBrowser/Tor/PluggableTransports/twisted/runner/portmap.so:
Stack protected: no, not found!
./Browser/TorBrowser/Tor/PluggableTransports/twisted/python/sendmsg.so:
Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/twisted/python/_initgroups.so:
Stack protected: no, not found!
./Browser/TorBrowser/Tor/PluggableTransports/twisted/test/raiser.so:
Stack protected: no, not found!
./Browser/TorBrowser/Tor/PluggableTransports/obfs4proxy:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Read-only relocations: no, not found!
Immediate binding: no, not found!
./Browser/TorBrowser/Tor/PluggableTransports/zope/interface/_zope_interface_coptimizations.so:
Stack protected: no, not found!
./Browser/TorBrowser/Tor/PluggableTransports/meek-client:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Read-only relocations: no, not found!
Immediate binding: no, not found!
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15138#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
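An added example, not part of the original comment or of any Tor Project tooling: a filter that applies the allowlist proposed above to `hardening-check -q` output, so only unexpected findings remain. The function name `triage`, the variable `PT_ALLOWED` and the `PluggableTransports/` path match are assumptions made for illustration; the sample input is an excerpt of the output quoted in the ticket.

```shell
#!/bin/sh
# Added example, not part of the ticket: filter `hardening-check -q` output.
# Assumed input shape (as in the ticket): a "path:" line, then one
# "Check name: no, ..." line for each check that file fails.

# Checks tolerated for Pluggable Transport files, following the comment above
# (stack canary and RELRO only; this reading is an assumption).
PT_ALLOWED='Stack protected|Read-only relocations'

# triage: read hardening-check output on stdin and print "path<TAB>check"
# for every failed check that the allowlist does not cover.
triage() {
    awk -v allowed="$PT_ALLOWED" '
        { sub(/^[ \t]+/, "") }               # findings may be indented
        /: no, / {                           # a failed check for the current file
            check = $0
            sub(/: no, .*/, "", check)       # keep only the check name
            if (file ~ /\/PluggableTransports\// && check ~ ("^(" allowed ")$"))
                next                         # expected failure, suppress it
            print file "\t" check
            next
        }
        /:$/ { file = substr($0, 1, length($0) - 1) }   # "path:" header line
    '
}

# Excerpt of the output quoted in the ticket, used as sample input.
sample_output() {
    cat <<'EOF'
./Browser/libmozalloc.so:
 Stack protected: no, not found!
./Browser/libsmime3.so:
 Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/fte/cDFA.so:
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
./Browser/TorBrowser/Tor/PluggableTransports/obfs4proxy:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
EOF
}

sample_output | triage
```

With the allowlist limited to the two checks named in the comment, the Fortify Source, PIE and immediate-binding findings for Pluggable Transport files are still reported; widen `PT_ALLOWED` only once those are also accepted as expected.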