[tor-bugs] #15138 [Tor Browser]: Investigate TBB 4.5 hardening (e.g. DEP/ASLR) on all Platforms
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Mar 15 20:06:45 UTC 2015
#15138: Investigate TBB 4.5 hardening (e.g. DEP/ASLR) on all Platforms
--------------------------+------------------------------------------------
Reporter: tom | Owner: tom
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: TorBrowserTeam201503, tbb-security |
Resolution: | Parent ID:
Actual Points: |
Points: |
--------------------------+------------------------------------------------
Comment (by tom):
4.5a4-build3 is good on Windows with regard to DEP/ASLR. I confirmed this
using VMMap and Process Explorer, checked that everything was DEP and ASLR
enabled and checked that the PTs were not ASLR enabled.

You can check the status of DEP and ASLR in an automated fashion on Linux
using the python-pefile module (that's what it's named on apt on Ubuntu)
and the below python script which I got from
http://security.stackexchange.com/a/43690 and edited a little. (It does
require the files to be unpacked though, and I didn't look into how to do
that on Linux. Wine may be able to run the installer/unpacker though?)

As far as stack canaries go, it's possible to build a signature for them
and look at the executables to see if they have it, but I couldn't find
one for /GS (Visual Studio-compiled) binaries, so it's even less likely
one exists for gcc-for-windows cross-compiled binaries. I will try and
identify manually if this compiler option is missing as I get my build
machine back up and building, but as before, it's not as big a deal as
missing DEP or ASLR.

{{{
#!/usr/bin/env python
import argparse
import os

import pefile


class DllFlags:
    def __init__(self):
        self.IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = False
        self.IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = False
        self.IMAGE_DLLCHARACTERISTICS_NO_BIND = False
        self.IMAGE_DLLCHARACTERISTICS_NO_SEH = False
        self.IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = False
        self.IMAGE_DLLCHARACTERISTICS_NX_COMPAT = False
        self.IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = False
        self.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = False


def get_dll_characteristics(path):
    foo = DllFlags()
    pe = pefile.PE(path, fast_load=True)
    c = pe.OPTIONAL_HEADER.DllCharacteristics
    # Test each bit with a mask. Subtracting the values in turn misreads the
    # field when a bit not listed here (e.g. 0x0020) is also set.
    foo.IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = bool(c & 0x8000)
    foo.IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = bool(c & 0x2000)
    foo.IMAGE_DLLCHARACTERISTICS_NO_BIND = bool(c & 0x0800)
    foo.IMAGE_DLLCHARACTERISTICS_NO_SEH = bool(c & 0x0400)
    foo.IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = bool(c & 0x0200)
    foo.IMAGE_DLLCHARACTERISTICS_NX_COMPAT = bool(c & 0x0100)       # DEP
    foo.IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = bool(c & 0x0080)
    foo.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = bool(c & 0x0040)    # ASLR
    return foo


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('dir', help='Directory to scan')
    args = parser.parse_args()

    dep_enabled = []
    dep_disabled = []
    aslr_enabled = []
    aslr_disabled = []

    for root, dirs, files in os.walk(args.dir):
        for f in files:
            try:
                bar = get_dll_characteristics(os.path.join(root, f))
            except Exception:
                # Not a PE file (or unreadable): skip it.
                continue

            if bar.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
                aslr_enabled.append(os.path.join(root, f))
            else:
                aslr_disabled.append(os.path.join(root, f))
            if bar.IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
                dep_enabled.append(os.path.join(root, f))
            else:
                dep_disabled.append(os.path.join(root, f))

    # print() with a single argument works on both Python 2 and Python 3.
    print("ASLR Enabled: ")
    print("==============")
    for i in aslr_enabled:
        print(i)
    print("")
    print("ASLR Disabled: ")
    print("===============")
    for i in aslr_disabled:
        print(i)
    print("")
    print("DEP Enabled: ")
    print("=============")
    for i in dep_enabled:
        print(i)
    print("")
    print("DEP Disabled: ")
    print("==============")
    for i in dep_disabled:
        print(i)
    print("")
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15138#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
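
Added example, not part of the comment above or of the Tor Project's code: a reader for the same PE header fields that needs only the standard library. It goes beyond the posted script by also reporting whether relocations were stripped (an image the loader cannot relocate gets no ASLR from the DYNAMIC_BASE flag alone) and the HIGH_ENTROPY_VA bit; `check_hardening`, `build_sample` and the result keys are names chosen here, and the sample headers are constructed.

```python
import struct

# Flag values from the PE/COFF specification.
RELOCS_STRIPPED = 0x0001   # FileHeader.Characteristics
HIGH_ENTROPY_VA = 0x0020   # OptionalHeader.DllCharacteristics (64-bit ASLR)
DYNAMIC_BASE = 0x0040      # ASLR opt-in
NX_COMPAT = 0x0100         # DEP opt-in

def check_hardening(data):
    """Return hardening facts for the PE headers in data, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 96:
        return None
    opt_size, file_chars = struct.unpack_from("<HH", data, pe_off + 20)
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    if opt_size < 72 or magic not in (0x10B, 0x20B):        # PE32 / PE32+
        return None
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    (dll_chars,) = struct.unpack_from("<H", data, pe_off + 24 + 70)
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    return {
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr_flag": aslr_flag,
        # An image whose relocations were stripped cannot be moved by the loader.
        "aslr_rebasable": aslr_flag and not file_chars & RELOCS_STRIPPED,
        "high_entropy_va": magic == 0x20B and bool(dll_chars & HIGH_ENTROPY_VA),
    }

def build_sample(file_chars, dll_chars, magic=0x10B):
    """Constructed minimal PE headers (not a loadable image) for testing."""
    buf = bytearray(0x40 + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x40 + 20, 72, file_chars)
    struct.pack_into("<H", buf, 0x40 + 24, magic)
    struct.pack_into("<H", buf, 0x40 + 24 + 70, dll_chars)
    return bytes(buf)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            # The headers live at the start of the file.
            print(path, check_hardening(fh.read(4096)))
```

Files reported with `aslr_flag` true but `aslr_rebasable` false are the ones to look at first when auditing cross-compiled builds.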