[tbb-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 1 08:16:47 UTC 2017

#21448: Identify what build flags we should be using for security, and use them
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by cypherpunks):

 > hardening-wrapper is obsolete and has been removed from unstable. Please
 use dpkg-buildflags as explained above.
 > hardening-check can only check the resulting binaries and thus might not
 catch missing hardening flags if they are only missing in a few places.
 blhc is a small parser written in Perl which checks the build logs for
 missing hardening flags. It can be used on build logs created by
 dpkg-buildpackage or buildd.

 > For comparison, here are the current Firefox release build flags:
 For comparison we need ESR52 build options, both 32-bit and 64-bit for
 every OS. What about official MinGW builds?

 > I'm not familiar with Windows/mingw build flags, but it looks like we
 could possibly switch to -fstack-protector-strong.
 All occurrences of {{{-fstack-protector --param ssp-buffer-size=4}}}
 should be replaced with at least {{{-fstack-protector-strong}}}.
 > For those who want to protect all the functions then
 -fstack-protector-all is recommended.
 > Also I wonder if -D_FORTIFY_SOURCE=2 and the relro flags make sense.
 {{{-D_FORTIFY_SOURCE=2 -O1}}} is a
 > Compile-time protection against static sized buffer overflows. No known
 regressions or performance loss. This should be enabled system-wide.

 Some info about using {{{-Os}}}:

 About integer overflow checking, {{{-ftrapv}}} in particular:
 Research: https://people.csail.mit.edu/nickolai/papers/wang-stack-tocs.pdf
 {{{-ftrapv}}} is not the best option:
 Practical usage: https://danluu.com/integer-overflow/

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21448#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
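
The comment above recommends checking build logs, not only the finished binaries, for missing hardening flags. The following is an added example, not part of the ticket and not blhc's code: a minimal build-log check for just the flags named in the comment. The function names `audit_command` and `audit_log` and the sample log are constructed for illustration, and it assumes gcc/clang-style command lines where the last occurrence of a flag wins.

```python
import shlex

COMPILERS = {"cc", "c++", "gcc", "g++", "clang", "clang++"}
SSP_RANK = {"-fno-stack-protector": 0, "-fstack-protector": 1,
            "-fstack-protector-strong": 2, "-fstack-protector-all": 3}

def audit_command(cmd):
    """Return the hardening findings for one compiler or linker command line."""
    args = shlex.split(cmd)
    ssp, fortify, opt, relro = 0, 0, "0", False
    for a in args:  # the last occurrence of a flag wins, so keep overwriting
        if a in SSP_RANK:
            ssp = SSP_RANK[a]
        elif a.startswith("-D_FORTIFY_SOURCE="):
            fortify = int(a[-1]) if a[-1].isdigit() else 0  # single-digit level
        elif a.startswith("-O"):
            opt = a[2:] or "1"  # a bare -O is -O1; no -O at all is -O0
        elif a.startswith("-Wl,"):
            parts = a.split(",")[1:]
            for flag, value in zip(parts, parts[1:]):
                if flag == "-z" and value in ("relro", "norelro"):
                    relro = value == "relro"
    findings = []
    if "-c" in args:  # compile step
        if ssp < 2:
            findings.append("stack protector weaker than -fstack-protector-strong")
        if fortify < 2:
            findings.append("missing -D_FORTIFY_SOURCE=2")
        elif opt == "0":
            findings.append("_FORTIFY_SOURCE has no effect without optimization")
    elif not relro:  # link step
        findings.append("missing -Wl,-z,relro")
    return findings

def audit_log(log):
    """Map 1-based line numbers of compiler invocations to their findings."""
    hits = {n: audit_command(ln) for n, ln in enumerate(log.splitlines(), 1)
            if ln.split()[:1] and ln.split()[0].rsplit("/", 1)[-1] in COMPILERS}
    return {n: f for n, f in hits.items() if f}

# Constructed sample build log, not taken from any real Tor Browser build.
SAMPLE_LOG = """\
gcc -O2 -fstack-protector --param ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -c a.c -o a.o
gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -c b.c -o b.o
gcc -O0 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -c c.c -o c.o
gcc -O2 -fstack-protector-all -D_FORTIFY_SOURCE=2 -fno-stack-protector -c d.c -o d.o
gcc -Wl,-z,relro a.o b.o c.o d.o -o app
gcc a.o -o app2
"""
```

Calling `audit_log(SAMPLE_LOG)` reports lines 1, 3, 4 and 6. Line 4 shows why the log matters: a trailing `-fno-stack-protector` on one object file silently undoes the stronger flag given earlier on the same command line.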
