Tor hardening at compile time
stars at hispeed.ch
Sat May 8 07:59:38 UTC 2010
On Fri, 07 May 2010 15:15:07 +0200,
Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Hi,
>
> I've pushed a new git branch 'compileTimeHardening' out to my git
> repo. I've also attached a patch for those that are git averse.
> Either way, apply the patch to your current Tor master sources and
> you should be in good shape.
>
> You can use it like so:
> ./autogen.sh && ./configure --enable-gcc-warnings --enable-gcc-hardening --enable-linker-hardening && make && sudo make install
>
> The end result on Debian Lenny is a slightly hardened build when
> checked with checksec.sh[0].
>
> This is weasel's build on my x86 machine:
> RELRO           STACK CANARY      NX            PIE
> Partial RELRO   Canary found      NX enabled    PIE enabled
>
> This is a build with my new options on the same machine:
> RELRO           STACK CANARY      NX            PIE
> Full RELRO      Canary found      NX enabled    PIE enabled
>
> This is a build without my new options on the same machine:
> RELRO           STACK CANARY      NX            PIE
> No RELRO        No canary found   NX enabled    No PIE
>
> This seems like a useful improvement for people building from source.
>
> The gcc hardening flag works on Mac OS X. The linker hardening is
> specific to the ELF binary format and does not work on Mac OS X. So on
> Mac OS X, only use '--enable-gcc-hardening' and not
> '--enable-linker-hardening' for your builds.
>
> Checksec doesn't work on Mac OS X. It does appear to be possible to
> check if a binary has a stack canary by doing the following (Using Mac
> OS X 10.6.3 here):
>
> nm /bin/ls | grep "chk_guard"
>
> You should see something like this:
>
> U ___stack_chk_guard
>
> Also, you can check by looking for the following with otool on Mac OS
> X:
>
> otool -tvV /bin/ls | grep "___stack_chk_fail"
>
> You should see something like this:
>
> 00004bf7 calll 0x00005468 ; symbol stub for: ___stack_chk_fail
>
> If you look at /Applications/Vidalia.app/Contents/MacOS/tor, you will
> not see those protections at the moment. I think we can improve our
> shipping Mac OS X binaries by enabling these protections. The PIE
> protections won't really matter until Apple fixes their platform
> (perhaps in 10.7?!); still it's nice to be ready and this patch
> provides that too.
>
> It appears that FORTIFY_SOURCE is on by default on Mac OS X. We don't
> currently build Tor on Mac OS X with stack canaries though, so we're
> improving Tor's security on Mac OS X. It may not be possible to do
> this for all versions of Mac OS X - I suspect that Apple may disable
> some or all protections to make a binary more compatible with
> different Mac OS X versions.
>
> It would be useful to get some extra testing on other platforms; is
> anyone working with Windows building and interested in testing this? I
> also left a comment in the patch for hardening flags that would be
> useful with a non-gcc compiler on Windows.
>
> There is some performance cost to running Tor with these security
> enhancements. Debian already runs with most of the run time checks and
> the relays on Debian appear to be just fine. The only real enhancement
> for Linux systems is a startup time cost to gain protection from
> GOT/PLT overwrites (if you're already using Weasel's packages). If
> you're merely building from source on any of the supported platforms,
> it's a huge gain.
>
> I think this option should be enabled by default at some point in the
> future but probably not until we have a reasonably exhaustive list of
> information for our major platforms. After we have a little testing
> from Tor developers, I'll ask on or-talk for some testers.
>
> It would be nice to have it merged into master as an optional option
> soon though. Roger seemed to think this was a fine idea. I think it
> may encourage people to try it out and to help us decide if it's worth
> applying as a build default.
>
> All the best,
> Jacob
>
> [0] http://www.trapkit.de/tools/checksec.html
Hello to everyone,
I tested it on Kubuntu Lucid 10.04 LTS x86_64. On my machine I have the
same output as Jacob without the options, and with the options all are enabled.
For info, I tested on the latest master git branch and the latest libevent2 git
master branch.
Thanks for your help and this great patch, Jacob.
Best regards
SwissTorExit
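
The four columns in the checksec output quoted above can be derived from `readelf` text. The following is an added example, not part of either message and not checksec.sh's own code; the function names and the sample readelf lines are constructed for illustration.

```shell
#!/bin/sh
# Reads the text of `readelf -W -h -l -d -s FILE` on stdin and prints:
#   RELRO=<Full|Partial|No> CANARY=<yes|no> NX=<yes|no> PIE=<yes|no|dso|unknown>
classify_readelf() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -Eq -- "$1"; }

    # RELRO: a GNU_RELRO segment remaps relocated data read-only at startup.
    # It only covers the whole GOT ("Full") when lazy binding is disabled.
    if has '^[[:space:]]*GNU_RELRO'; then
        if has '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
            relro=Full
        else
            relro=Partial
        fi
    else
        relro=No
    fi

    # Canary: code built with the stack protector references __stack_chk_fail.
    if has '__stack_chk_fail'; then canary=yes; else canary=no; fi

    # NX: a GNU_STACK segment flagged RW (not RWE) means a non-executable stack.
    if has '^[[:space:]]*GNU_STACK.*[[:space:]]RW[[:space:]]'; then nx=yes; else nx=no; fi

    # PIE: ELF type DYN with a DEBUG dynamic entry (or the FLAGS_1 PIE flag)
    # is an executable; DYN without either is an ordinary shared object.
    if has 'Type:[[:space:]]*EXEC'; then pie=no
    elif has 'Type:[[:space:]]*DYN'; then
        if has '\(DEBUG\)|\(FLAGS_1\).*PIE'; then pie=yes; else pie=dso; fi
    else pie=unknown; fi

    echo "RELRO=$relro CANARY=$canary NX=$nx PIE=$pie"
}

# On a real ELF file (needs binutils): check_elf /path/to/tor
check_elf() { readelf -W -h -l -d -s "$1" 2>/dev/null | classify_readelf; }

# Constructed sample: abbreviated readelf lines for a fully hardened x86 build.
sample_hardened() { cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x0f1e58 0x000f2e58 0x000f2e58 0x011a8 0x011a8 R   0x1
 0x00000015 (DEBUG)                      0x0
 0x00000018 (BIND_NOW)
    41: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (5)
EOF
}
sample_hardened | classify_readelf
```

The `-W` flag matters: without it readelf wraps 64-bit program headers onto two lines and the segment flags no longer sit on the `GNU_STACK` line.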