Tor hardening at compile time
Anthony G. Basile
basile at opensource.dyc.edu
Mon May 10 13:10:01 UTC 2010
On 05/08/2010 10:07 AM, Jacob Appelbaum wrote:
> Anthony G. Basile wrote:
>> Hi Jacob,
>>
>> FYI, I have been compiling tor with these hardening features using the
>> gcc compiler that Magnus and I hacked up and are now trying to get
>> migrating into Gentoo. The goodies are in Gentoo overlays. The ebuilds
>> are at
>>
>
> Fantastic!
>
> Can you build with your normal options, run checksec.sh, and collect the
> output? Furthermore, if you can rebuild with these options, run
> checksec.sh, and send it along with the first set of data?
>
> We'd love to hear about how it runs over days or weeks too, if you can
> send that along as well.
>
> Thanks in advance,
> Jacob
>
Hi Jacob,

Here's what you wanted. All were done against master at
git://git.torproject.org/git/tor.git as of this morning.

1. Test with hardened gcc and no hardening flags added via ./configure

i686-pc-linux-gnu-4.4.3 - from hardened gentoo overlay [1]
./configure WITHOUT --enable-gcc-hardening --enable-linker-hardening

~/GIT/tor-hardened-gcc/src $ checksec.sh --file or/tor
RELRO           STACK CANARY      NX            PIE             FILE
Full RELRO      Canary found      NX enabled    PIE enabled     or/tor

2. Test with vanilla gcc and no hardening flags added via ./configure

i686-pc-linux-gnu-4.4.3-vanilla - from [1]
./configure WITHOUT --enable-gcc-hardening --enable-linker-hardening

~/GIT/tor-soft-gcc/src $ checksec.sh --file or/tor
RELRO           STACK CANARY      NX            PIE             FILE
Partial RELRO   No canary found   NX enabled    No PIE          or/tor

3. Test with vanilla gcc and hardening flags added via ./configure

i686-pc-linux-gnu-4.4.3-vanilla
./configure --enable-gcc-hardening --enable-linker-hardening

~/GIT/tor-soft-gcc-hardening/src $ checksec.sh --file or/tor
RELRO           STACK CANARY      NX            PIE             FILE
Full RELRO      Canary found      NX enabled    PIE enabled     or/tor

4. As for testing hardening with tor, *all* tor-ramdisk images [2] were
compiled/linked with the above hardening from day one. However since
these are statically linked against uclibc, it may not be the test
you're looking for.

Currently node "rafiki" at IP 67.151.215.240 is running tor built by #3
above. I'll give you the results in a few days.

The host is a fully hardened desktop gentoo system --- see [3] for
checksec.sh on running binaries. It's also a xen virtual machine. If you
want, I can move rafiki to a more traditional system, stock debian or
centos. It might be a more realistic test of what you'll get in the wild.

[1] git://git.overlays.gentoo.org/proj/hardened-dev.git
[2] http://opensource.dyc.edu/tor-ramdisk
[3] http://opensource.dyc.edu/sites/default/files/tinhat-checksec.txt
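The three checksec.sh result rows reported in the message above, turned into a build gate. This is an added example, not part of the original post or of checksec.sh; the names `parse_row`, `missing` and `gate`, and the policy that all four mitigations are required, are assumptions made for illustration.

```python
import re

# Values checksec.sh prints per column. Those not seen in the message above
# ("No RELRO", "NX disabled") are checksec.sh's other outputs for the column.
COLUMNS = [
    ("RELRO", {"Full RELRO": True, "Partial RELRO": False, "No RELRO": False}),
    ("STACK CANARY", {"Canary found": True, "No canary found": False}),
    ("NX", {"NX enabled": True, "NX disabled": False}),
    ("PIE", {"PIE enabled": True, "No PIE": False}),
]
ANSI = re.compile(r"\x1b\[[0-9;]*m")  # checksec.sh colours its output on a terminal

def parse_row(line):
    """Parse one checksec.sh result row into ({column: bool}, filename)."""
    rest = ANSI.sub("", line).strip()
    result = {}
    for name, values in COLUMNS:
        for text, ok in values.items():
            if rest.startswith(text):
                result[name] = ok
                rest = rest[len(text):].lstrip()
                break
        else:  # header line, "Not an ELF file", or an unexpected value
            raise ValueError(f"unrecognised {name} value in: {line!r}")
    return result, rest

def missing(line, required=("RELRO", "STACK CANARY", "NX", "PIE")):
    """Return the required mitigations that the row does not fully enable."""
    result, _ = parse_row(line)
    return [name for name in required if not result[name]]

# Rows copied from the message; the labels are a summary of each test.
BUILDS = {
    "1 hardened gcc, no configure flags": "Full RELRO Canary found NX enabled PIE enabled or/tor",
    "2 vanilla gcc, no configure flags": "Partial RELRO No canary found NX enabled No PIE or/tor",
    "3 vanilla gcc, configure hardening": "Full RELRO Canary found NX enabled PIE enabled or/tor",
}

def gate(builds):
    """Map build label -> list of missing mitigations (empty list passes)."""
    return {label: missing(row) for label, row in builds.items()}

if __name__ == "__main__":
    for label, gaps in gate(BUILDS).items():
        print(label, "PASS" if not gaps else "FAIL: " + ", ".join(gaps))
```

Partial RELRO is counted as a failure here because only Full RELRO makes the whole GOT read-only after startup.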