[tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 27 09:15:53 UTC 2017


#21448: Identify what build flags we should be using for security, and use them
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gk):

 Replying to [comment:8 arthuredelstein]:
 > Replying to [comment:7 gk]:
 > > Replying to [comment:6 arthuredelstein]:
 > > > Here are some security flags I think we can add to the gcc-based
 > > > builds (Linux and mingw). There is heavy overlap with the proposed
 > > > flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think
 > > > we should be able to add similar flags to the clang based builds -- I
 > > > will look into that after we settle on flags to add to gcc.)
 > > > {{{
 > > > -Werror=format
 > > > -Werror=format-security
 > > > -fstack-protector-strong
 > > > --param ssp-buffer-size=4
 > > > -pie -fPIE
 > > > -D_FORTIFY_SOURCE=2 -O1
 > > > -Wl,-z,relro,-z,now
 > > > -ftrapv
 > > > }}}
 > >
 > > Uhm. We are doing already most of those things. Have you looked at our
 > > gitian build scripts?
 >
 > Sorry I hadn't found the existing build flags before posting this
 > ticket. I discussed with gk what is already in our build scripts.
 >
 > * On linux, we have in
 >   [https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/linux/gitian-firefox.yml#n50 gitian/descriptors/linux/gitian-firefox.yml]:
 >   {{{
 >   export DEB_BUILD_HARDENING=1
 >   export DEB_BUILD_HARDENING_STACKPROTECTOR=1
 >   export DEB_BUILD_HARDENING_FORTIFY=1
 >   export DEB_BUILD_HARDENING_FORMAT=1
 >   export DEB_BUILD_HARDENING_PIE=1
 >   }}}
 >
 >   Indeed this covers most of the flags I mentioned. I'm not sure about
 >   `-Wl,-z,relro,-z,now`. gk, do you know how these are covered? boklm
 >   pointed me to
 >   [https://gitweb.torproject.org/boklm/tor-browser-bundle-testsuite.git/tree/TBBTestSuite/TestSuite/BrowserBundleTests.pm#n45 a part of the Tor Browser test suite]
 >   that seems to indicate that full relro is applied. Is that correct?

 Yes, full relro is applied. I think we get the flags you mentioned by
 `export DEB_BUILD_HARDENING=1`. The other *HARDENING flags should not be
 needed. I opened #21565 for the clean-up.

 [snip]

 > > And I am not so sure we should build with `ftrapv` see
 > > comment:1:ticket:18310.
 >
 > That's interesting. I'm not sure what the right answer is. RCE seems a
 > lot worse than DOS, though.

 `-ftrapv` is not the only means we apply to Tor Browser. A useful exercise
 would be to understand for which cases `-ftrapv` would be needed given all
 our other hardening flags.

 [snip]

 > Something else that occurs to me is it would be nice to document our
 > hardening flags for each build (hardened, alpha, release) in the Tor
 > Browser design document.

 True. I've opened #21566.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21448#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
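
Added example (not part of the ticket, the gitian descriptors or the Tor Browser test suite): a shell check for the properties discussed in this comment, namely full RELRO (`-Wl,-z,relro,-z,now`), PIE, stack protector and `_FORTIFY_SOURCE`, read from `readelf` text. The function name `hardening_report` and both sample inputs are constructed for illustration; a `DYN` type also matches shared objects, and the canary and fortify symbols are absent when no compiled function needs them.

```shell
#!/bin/sh
# Classify ELF hardening from `readelf -W -h -l -d --dyn-syms FILE` text on stdin.
hardening_report() {
    awk '
        function yn(v) { return v ? "yes" : "no" }
        $1 == "Type:" && $2 == "DYN"   { pie = 1 }     # ET_DYN: PIE (or a shared object)
        $1 == "GNU_RELRO"              { relro = 1 }   # segment emitted by -Wl,-z,relro
        $2 == "(BIND_NOW)"             { now = 1 }     # -Wl,-z,now, any of three encodings
        $2 == "(FLAGS)" && /BIND_NOW/  { now = 1 }
        $2 == "(FLAGS_1)" && / NOW/    { now = 1 }
        /__stack_chk_fail/             { canary = 1 }  # stack protector reference
        /__[a-z0-9_]+_chk(@| )/ || /__[a-z0-9_]+_chk$/ { fortify = 1 }  # _FORTIFY_SOURCE
        END {
            # RELRO without BIND_NOW leaves .got.plt writable: partial only
            r = relro ? (now ? "full" : "partial") : "none"
            printf "relro=%s pie=%s canary=%s fortify=%s\n", r, yn(pie), yn(canary), yn(fortify)
        }'
}

# Constructed, abbreviated readelf output for a hardened build.
sample_hardened() { cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
EOF
}

# Constructed output for a build linked with -z relro only, no PIE, no canary.
sample_unhardened() { cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_RELRO      0x000e10 0x0000000000600e10 0x0000000000600e10 0x0001f0 0x0001f0 R   0x1
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
}

# Real use: pass one or more ELF paths as arguments (requires binutils readelf).
for f in "$@"; do
    printf '%s: ' "$f"
    readelf -W -h -l -d --dyn-syms "$f" | hardening_report
done
```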

