tech-pkg archive

Re: Improving security for pkgsrc



On Sat, Jul 18, 2015 at 07:14:36PM +0200, Pierre Pronchery wrote:
> > It has been shown to be pretty weak in practise, so YMMV.
> 
> Maybe, but meanwhile:
[snip]

Of course, just because everyone uses it, it must be good.

> I know that it does not mean it is a silver bullet, but it seems to be
> more than mature, and a significant number of community- and
> enterprise-driven projects have embraced it. And then, most are using
> more aggressive versions even. Personally, I consider it
> state-of-the-art, and we should at least provide the option.

It is not state-of-the-art, far from it. That would be control flow
integrity. The problems with stack smashing protection are twofold:
(1) As soon as more than one buffer in a function is present, it can
only effectively protect overflows in one of them.
(2) Even assuming the most dumb attack vector, repeated tries can easily
defeat it.

Now I am not arguing that it doesn't make a certain class of attacks
harder. But the main point is that it is at most security in depth.
It does not prevent exploits, it just makes them harder.

> >> 2. Building position-independent code:
> >>
> >>   +_GCC_CFLAGS+=  -fPIC
> >>   +_GCC_LDFLAGS+= -Wl,-pie
> > 
> > This is not the correct way to create position independent binaries.
> 
> Would you care mentioning what the correct way is then?
> As a matter of fact, like I said, I have tested this to be working,
> except for the issue I mentioned.

The correct way is to compile *and* link with -fPIE as documented. There
are real differences for code generation purposes like whether access to
the GOT can be bypassed. For linking, -Wl,-pie will result in the wrong
CRT routines being used.

> >> 3. Linking with RELRO by default:
> >>
> >>   +_GCC_LDFLAGS+= -Wl,-z,relro
> >>
> >> I am less familiar with this one, which OpenBSD has been advocating
> >> for a while now:
> >> http://undeadly.org/cgi?action=article&sid=20030126143902
> >> (and in some slides from theo)
> > 
> > This one has major performance implications and requires support from
> > the system for proper behavior.
> 
> Would you have pointers for this too?

Most trivially, relro as implemented by OpenBSD disables lazy binding.

Joerg
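The reply above makes two claims a packager will want to verify on a built binary: that a PIE really is a PIE (the ELF type reads DYN rather than EXEC) and that RELRO is present, and whether it comes with lazy binding disabled. The script below is an added example, not code from the thread or from pkgsrc, and it assumes GNU binutils' readelf output format; the readelf snippets embedded in it are constructed, abridged samples, not output captured from a real build. The `inspect_real_build` function compiles a trivial program with the flags the reply recommends (-fPIE for compilation, -pie plus -z relro for linking) when a C compiler and readelf are available, and the script falls back to the constructed samples otherwise.

```shell
#!/bin/sh
# Added example (not from the thread or pkgsrc): classify a binary's
# PIE/RELRO state from GNU readelf output. Each parser takes readelf text as
# its first argument so it can run offline on the constructed samples below.

# ELF type from `readelf -h`: EXEC is a fixed-address executable, DYN is a
# shared object or a position-independent executable.
elf_type() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Type:[[:space:]]*\([A-Z]*\).*/\1/p' | head -n 1
}

# "yes" if `readelf -l` lists a GNU_RELRO segment (partial or full RELRO).
has_relro() {
    if printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then echo yes; else echo no; fi
}

# "yes" if `readelf -d` shows BIND_NOW or a NOW flag: lazy binding is
# disabled, which is what turns partial RELRO into full RELRO (GNU ld needs
# -z now in addition to -z relro for this).
binds_now() {
    if printf '%s\n' "$1" | grep -Eq 'BIND_NOW|Flags:.*NOW'; then echo yes; else echo no; fi
}

# One summary line from header, program-header and dynamic-section text.
summarize() {
    pie=no
    [ "$(elf_type "$1")" = DYN ] && pie=yes
    relro=$(has_relro "$2")
    if [ "$relro" = yes ] && [ "$(binds_now "$3")" = yes ]; then relro=full
    elif [ "$relro" = yes ]; then relro=partial; fi
    echo "pie=$pie relro=$relro"
}

# Constructed, abridged readelf samples (not captured from a real binary).
SAMPLE_HDR_PIE='ELF Header:
  Class:                             ELF64
  Type:                              DYN (Shared object file)'
SAMPLE_HDR_EXEC='ELF Header:
  Type:                              EXEC (Executable file)'
SAMPLE_PHDR_RELRO='Program Headers:
  LOAD           0x0000000000000000 0x0000000000000000
  GNU_RELRO      0x0000000000002dd8 0x0000000000003dd8'
SAMPLE_PHDR_NONE='Program Headers:
  LOAD           0x0000000000000000 0x0000000000000000'
SAMPLE_DYN_NOW='Dynamic section at offset 0x2dd8 contains 27 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_DYN_LAZY='Dynamic section at offset 0x2dd8 contains 25 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Build a trivial program the way the reply recommends and inspect it.
# Returns 1 (so the caller can fall back) when no toolchain is present.
inspect_real_build() {
    command -v cc >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1 || return 1
    d=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$d/t.c"
    cc -fPIE -c -o "$d/t.o" "$d/t.c" 2>/dev/null \
        && cc -pie -Wl,-z,relro -o "$d/t" "$d/t.o" 2>/dev/null \
        || { rm -rf "$d"; return 1; }
    summarize "$(readelf -h "$d/t")" "$(readelf -l "$d/t")" "$(readelf -d "$d/t")"
    rm -rf "$d"
}

inspect_real_build || echo "(no toolchain found; showing constructed samples)"
summarize "$SAMPLE_HDR_PIE" "$SAMPLE_PHDR_RELRO" "$SAMPLE_DYN_NOW"    # pie=yes relro=full
summarize "$SAMPLE_HDR_PIE" "$SAMPLE_PHDR_RELRO" "$SAMPLE_DYN_LAZY"   # pie=yes relro=partial
summarize "$SAMPLE_HDR_EXEC" "$SAMPLE_PHDR_NONE" "$SAMPLE_DYN_LAZY"   # pie=no relro=no
```

On a real build the interesting comparison is between a binary linked with `-pie` and one linked only with `-Wl,-pie`: both may show Type DYN, which is why the ELF type alone does not prove the link step was done the way the reply describes; the CRT objects the driver chose are only visible in the link command (for example with `-v`). The partial/full distinction matters for the performance point in the thread: a GNU_RELRO segment without BIND_NOW keeps lazy binding, so only full RELRO pays the eager-resolution cost at startup.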
