Tor hardening at compile time
Jacob Appelbaum
jacob at appelbaum.net
Fri May 7 13:15:07 UTC 2010
Hi,
I've pushed a new git branch 'compileTimeHardening' out to my git repo.
I've also attached a patch for those that are git adverse. Either way,
apply the patch to your current Tor master sources and you should be in
good shape.
You can use it like so:
./autogen.sh && ./configure --enable-gcc-warnings --enable-gcc-hardening
--enable-linker-hardening && make && sudo make install
The end result on Debian Lenny is a slightly hardened build when checked
with checksec.sh[0].
This is weasel's build on my x86 machine:
RELRO STACK CANARY NX PIE
Partial RELRO Canary found NX enabled PIE enabled
This is a build with my new options on the same machine:
RELRO STACK CANARY NX PIE
Full RELRO Canary found NX enabled PIE enabled
This is a build without my new options on the same machine:
RELRO STACK CANARY NX PIE
No RELRO No canary found NX enabled No PIE
This seems like a useful improvement for people building from source.
The gcc hardening flag works on Mac OS X. The linker hardening is
specific to the ELF binary format and does not work on Mac OS X. So on
Mac OS X, only use '--enable-gcc-hardening' and not
'--enable-linker-hardening' for your builds.
Checksec doesn't work on Mac OS X. It does appear to be possible to
check if a binary has a stack canary by doing the following (Using Mac
OS X 10.6.3 here):
nm /bin/ls | grep "chk_guard"
You should see something like this:
U ___stack_chk_guard
Also, you can check by looking for the following with otool on Mac OS X:
otool -tvV /bin/ls | grep "___stack_chk_fail"
You should see something like this:
00004bf7 calll 0x00005468 ; symbol stub for:
___stack_chk_fail
If you look at /Applications/Vidalia.app/Contents/MacOS/tor, you will
not see those protections at the moment. I think we can improve our
shipping Mac OS X binaries by enabling these protections. The PIE
protections won't really matter until Apple fixes their platform
(perhaps in 10.7?!); still it's nice to be ready and this patch provides
that too.
It appears that FORTIFY_SOURCE is on by default on Mac OS X. We don't
currently build Tor on Mac OS X with stack canaries though, so we're
improving Tor's security on Mac OS X. It may not be possible to do this
for all versions of Mac OS X - I suspect that Apple may disable some or
all protections to make a binary more compatible with different Mac OS X
versions.
It would be useful to get some extra testing on other platforms; is
anyone working with Windows building and interested in testing this? I
also left a comment in the patch for hardening flags that would be
useful with a non-gcc compiler on Windows.
There is some performance cost to running Tor with these security
enhancements. Debian already runs with most of the run time checks and
the relays on Debian appear to be just fine. The only real enhancement
for Linux systems is a startup time cost to gain protection from GOT/PLT
overwrites (if you're already using Weasel's packages). If you're
merely building from source on any of the supported platforms, it's a
huge gain.
I think this option should be enabled by default at some point in the
future but probably not until we have a reasonably exhaustive list of
information for our major platforms. After we have a little testing from
Tor developers, I'll ask on or-talk for some testers.
It would be nice to have it merged into master as an optional option
soon though. Roger seemed to think this was a fine idea. I think it may
encourage people to try it out and to help us decide if it's worth
applying as a build default.
All the best,
Jacob
[0] http://www.trapkit.de/tools/checksec.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gcc-hardening-linker-hardening.patch
Type: text/x-patch
Size: 1306 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20100507/d71bd72a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 155 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20100507/d71bd72a/attachment.pgp>
More information about the tor-dev
mailing list