Tor hardening at compile time

stars at hispeed.ch stars at hispeed.ch
Fri May 7 15:09:31 UTC 2010 

Le Fri, 07 May 2010 15:15:07 +0200,
Jacob Appelbaum <jacob at appelbaum.net> a écrit :

> Hi,
> 
> I've pushed a new git branch 'compileTimeHardening' out to my git
> repo. I've also attached a patch for those that are git adverse.
> Either way, apply the patch to your current Tor master sources and
> you should be in good shape.
> 
> You can use it like so:
> ./autogen.sh && ./configure --enable-gcc-warnings
> --enable-gcc-hardening --enable-linker-hardening && make && sudo make
> install
> 
> The end result on Debian Lenny is a slightly hardened build when
> checked with checksec.sh[0].
> 
> This is weasel's build on my x86 machine:
> RELRO           STACK CANARY      NX            PIE
>    Partial RELRO   Canary found      NX enabled    PIE enabled
> 
> This is a build with my new options on the same machine:
> RELRO           STACK CANARY      NX            PIE
> Full RELRO      Canary found      NX enabled    PIE enabled
> 
> This is a build without my new options on the same machine:
> RELRO           STACK CANARY      NX            PIE
> No RELRO        No canary found   NX enabled    No PIE
> 
> This seems like a useful improvement for people building from source.
> 
> The gcc hardening flag works on Mac OS X. The linker hardening is
> specific to the ELF binary format and does not work on Mac OS X. So on
> Mac OS X, only use '--enable-gcc-hardening' and not
> '--enable-linker-hardening' for your builds.
> 
> Checksec doesn't work on Mac OS X. It does appear to be possible to
> check if a binary has a stack canary by doing the following (Using Mac
> OS X 10.6.3 here):
> 
> 	nm /bin/ls | grep "chk_guard"
> 
> You should see something like this:
> 
> 	U ___stack_chk_guard
> 
> Also, you can check by looking for the following with otool on Mac OS
> X:
> 
> 	otool -tvV /bin/ls | grep "___stack_chk_fail"
> 
> You should see something like this:
> 
> 	00004bf7        calll   0x00005468      ; symbol stub for:
> ___stack_chk_fail
> 
> If you look at /Applications/Vidalia.app/Contents/MacOS/tor, you will
> not see those protections at the moment. I think we can improve our
> shipping Mac OS X binaries by enabling these protections. The PIE
> protections won't really matter until Apple fixes their platform
> (perhaps in 10.7?!); still it's nice to be ready and this patch
> provides that too.
> 
> It appears that FORTIFY_SOURCE is on by default on Mac OS X. We don't
> currently build Tor on Mac OS X with stack canaries though, so we're
> improving Tor's security on Mac OS X. It may not be possible to do
> this for all versions of Mac OS X - I suspect that Apple may disable
> some or all protections to make a binary more compatible with
> different Mac OS X versions.
> 
> It would be useful to get some extra testing on other platforms; is
> anyone working with Windows building and interested in testing this? I
> also left a comment in the patch for hardening flags that would be
> useful with a non-gcc compiler on Windows.
> 
> There is some performance cost to running Tor with these security
> enhancements. Debian already runs with most of the run time checks and
> the relays on Debian appear to be just fine. The only real enhancement
> for Linux systems is a startup time cost to gain protection from
> GOT/PLT overwrites (if you're already using Weasel's packages).  If
> you're merely building from source on any of the supported platforms,
> it's a huge gain.
> 
> I think this option should be enabled by default at some point in the
> future but probably not until we have a reasonably exhaustive list of
> information for our major platforms. After we have a little testing
> from Tor developers, I'll ask on or-talk for some testers.
> 
> It would be nice to have it merged into master as an optional option
> soon though. Roger seemed to think this was a fine idea. I think it
> may encourage people to try it out and to help us decide if it's worth
> applying as a build default.
> 
> All the best,
> Jacob
> 
> [0] http://www.trapkit.de/tools/checksec.html

Hello Jacob,

I run linux OS but it will great to have a few infos about what are
this features, So far with my knowledge, it mean nothing...

So any details welcome :P

Best regards

SWissTorExit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20100507/44240c6d/attachment.pgp>

More information about the tor-dev mailing list