tech-pkg archive


Re: Improving security for pkgsrc



On 07/18/15 18:56, Joerg Sonnenberger wrote:
> On Sat, Jul 18, 2015 at 06:38:09PM +0200, Pierre Pronchery wrote:
>> 1. Building with stack smashing protection (SSP):
>>
>>   +_GCC_CFLAGS+=  -fstack-protector
>>
>> This one is already described in NetBSD's build process; for a minor
>> performance penalty, the compiler will have a canary checked to be
>> present unmodified on the stack, thereby helping with the mitigation
>> of stack-based buffer overflows.
> 
> It has been shown to be pretty weak in practise, so YMMV.

Maybe, but meanwhile:

1997 First implementation for GCC
1998 First publication at USENIX
1998 By default in Immunix Linux
2001 IBM writes ProPolice
2003 Ready for GCC 3.x
2005 RedHat improves further for GCC 4.1
2005 MSVC has it by default
2006 Fedora Core 5 enables it by default
2006 Ubuntu 6.10 enables it by default
2009 FreeBSD enables it by default in the base system
2011 ArchLinux enables it by default in packages
2012 Google improves some more
2013 Fedora Core 20 strengthens the default
2014 ArchLinux strengthens the default

???? OpenBSD uses it
???? Hardened Gentoo also
???? DragonFlyBSD as well

I know that it does not mean it is a silver bullet, but it seems to be
more than mature, and a significant number of community- and
enterprise-driven projects have embraced it. And then, most are using
more aggressive versions even. Personally, I consider it
state-of-the-art, and we should at least provide the option.

>> 2. Building position-independent code:
>>
>>   +_GCC_CFLAGS+=  -fPIC
>>   +_GCC_LDFLAGS+= -Wl,-pie
> 
> This is not the correct way to create position independent binaries.

Would you care to mention what the correct way is then?
As a matter of fact, like I said, I have tested this to be working,
except for the issue I mentioned.

>> 3. Linking with RELRO by default:
>>
>>   +_GCC_LDFLAGS+= -Wl,-z,relro
>>
>> I am less familiar with this one, which OpenBSD has been advocating
>> for a while now:
>> http://undeadly.org/cgi?action=article&sid=20030126143902
>> (and in some slides from theo)
> 
> This one has major performance implementations and requires support from
> the system for proper behavior.

Would you have pointers for this too?

>> This commit adds all those flags to CFLAGS and LDFLAGS, iff building
>> on NetBSD with gcc. It enables all three improvements by default as-is
>> (on this platform only). This is one reason it is not suitable for
>> inclusion yet, and I will welcome help to achieve it.
> 
> Please do not merge this. While (1) might be reasonable, the rest is
> not acceptable.

I said explicitly that I am not going to merge this as-is. Just saying
no is not helpful nor helping in any way.

Cheers,
-- 
khorben


