[tbb-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

Wed Mar 1 08:16:47 UTC 2017

#21448: Identify what build flags we should be using for security, and use them
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 > hardening-wrapper is obsolete and has been removed from unstable. Please
 use dpkg-buildflags as explained above.
 https://wiki.debian.org/Hardening#hardening-wrapper
 > hardening-check can only check the resulting binaries and thus might not
 catch missing hardening flags if they are only missing in a few places.
 blhc is a small parser written in Perl which checks the build logs for
 missing hardening flags. It can be used on build logs created by dpkg-
 buildpackage or buildd.
 http://ruderich.org/simon/blhc/

 > For comparison, here are the current Firefox release build flags:
 For comparison we need ESR52 build options, both 32-bit and 64-bit for
 every OS. What about official MinGW builds?

 > I'm not familiar with Windows/mingw build flags, but it looks like we
 could possibly switch to -fstack-protector-strong.
 All occurrences of {{{-fstack-protector --param ssp-buffer-size=4}}}
 should be replaced with at least {{{-fstack-protector=strong}}}.
 http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
 > For those who want to protect all the functions then -fstack-protector-
 all is recommended.
 https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_STACKPROTECTOR_.28gcc.2Fg.2B-.2B-_
 -fstack-protector-strong.29
 > Also I wonder if -D_FORTIFY_SOURCE=2 and the relro flags make sense.
 {{{-D_FORTIFY_SOURCE=2 -O1}}} is a
 > Compile-time protection against static sized buffer overflows. No known
 regressions or performance loss. This should be enabled system-wide.
 https://wiki.debian.org/Hardening#gcc_-D_FORTIFY_SOURCE.3D2_-O1

 Some info about using {{{-Os}}}:
 https://stackoverflow.com/questions/19470873/why-does-gcc-generate-15-20
 -faster-code-if-i-optimize-for-size-instead-of-speed?rq=1

 About integer overflow checking, {{{-ftrapv}}} in particular:
 Research: https://people.csail.mit.edu/nickolai/papers/wang-stack-tocs.pdf
 {{{-ftrapv}}} is not the best option:
 https://stackoverflow.com/questions/20851061/how-to-make-gcc-ftrapv-
 work#20851708
 Practical usage: https://danluu.com/integer-overflow/

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21448#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online