Tor hardening at compile time

stars at hispeed.ch stars at hispeed.ch
Sat May 8 07:59:38 UTC 2010


Le Fri, 07 May 2010 15:15:07 +0200,
Jacob Appelbaum <jacob at appelbaum.net> a écrit :

> Hi,
> 
> I've pushed a new git branch 'compileTimeHardening' out to my git
> repo. I've also attached a patch for those that are git adverse.
> Either way, apply the patch to your current Tor master sources and
> you should be in good shape.
> 
> You can use it like so:
> ./autogen.sh && ./configure --enable-gcc-warnings
> --enable-gcc-hardening --enable-linker-hardening && make && sudo make
> install
> 
> The end result on Debian Lenny is a slightly hardened build when
> checked with checksec.sh[0].
> 
> This is weasel's build on my x86 machine:
> RELRO           STACK CANARY      NX            PIE
>    Partial RELRO   Canary found      NX enabled    PIE enabled
> 
> This is a build with my new options on the same machine:
> RELRO           STACK CANARY      NX            PIE
> Full RELRO      Canary found      NX enabled    PIE enabled
> 
> This is a build without my new options on the same machine:
> RELRO           STACK CANARY      NX            PIE
> No RELRO        No canary found   NX enabled    No PIE
> 
> This seems like a useful improvement for people building from source.
> 
> The gcc hardening flag works on Mac OS X. The linker hardening is
> specific to the ELF binary format and does not work on Mac OS X. So on
> Mac OS X, only use '--enable-gcc-hardening' and not
> '--enable-linker-hardening' for your builds.
> 
> Checksec doesn't work on Mac OS X. It does appear to be possible to
> check if a binary has a stack canary by doing the following (Using Mac
> OS X 10.6.3 here):
> 
> 	nm /bin/ls | grep "chk_guard"
> 
> You should see something like this:
> 
> 	U ___stack_chk_guard
> 
> Also, you can check by looking for the following with otool on Mac OS
> X:
> 
> 	otool -tvV /bin/ls | grep "___stack_chk_fail"
> 
> You should see something like this:
> 
> 	00004bf7        calll   0x00005468      ; symbol stub for:
> ___stack_chk_fail
> 
> If you look at /Applications/Vidalia.app/Contents/MacOS/tor, you will
> not see those protections at the moment. I think we can improve our
> shipping Mac OS X binaries by enabling these protections. The PIE
> protections won't really matter until Apple fixes their platform
> (perhaps in 10.7?!); still it's nice to be ready and this patch
> provides that too.
> 
> It appears that FORTIFY_SOURCE is on by default on Mac OS X. We don't
> currently build Tor on Mac OS X with stack canaries though, so we're
> improving Tor's security on Mac OS X. It may not be possible to do
> this for all versions of Mac OS X - I suspect that Apple may disable
> some or all protections to make a binary more compatible with
> different Mac OS X versions.
> 
> It would be useful to get some extra testing on other platforms; is
> anyone working with Windows building and interested in testing this? I
> also left a comment in the patch for hardening flags that would be
> useful with a non-gcc compiler on Windows.
> 
> There is some performance cost to running Tor with these security
> enhancements. Debian already runs with most of the run time checks and
> the relays on Debian appear to be just fine. The only real enhancement
> for Linux systems is a startup time cost to gain protection from
> GOT/PLT overwrites (if you're already using Weasel's packages).  If
> you're merely building from source on any of the supported platforms,
> it's a huge gain.
> 
> I think this option should be enabled by default at some point in the
> future but probably not until we have a reasonably exhaustive list of
> information for our major platforms. After we have a little testing
> from Tor developers, I'll ask on or-talk for some testers.
> 
> It would be nice to have it merged into master as an optional option
> soon though. Roger seemed to think this was a fine idea. I think it
> may encourage people to try it out and to help us decide if it's worth
> applying as a build default.
> 
> All the best,
> Jacob
> 
> [0] http://www.trapkit.de/tools/checksec.html

Hello to everyone,

I tested it on kubuntu Lucid 10.04 LTS x86 64, i has on my machine
without options, same output as Jacob and with options, all are enabled.

For info, tested on last master git branch and last libevent2 git
master branch.

Thanks for your help and this great patch Jacob.

Best regrads

SwissTorExit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20100508/651116c4/attachment.pgp>


More information about the tor-dev mailing list