Tor hardening at compile time

Anthony G. Basile basile at opensource.dyc.edu
Mon May 10 13:10:01 UTC 2010


On 05/08/2010 10:07 AM, Jacob Appelbaum wrote:
> Anthony G. Basile wrote:
>> Hi Jacob,
>>
>> FYI, I have been compiling tor with these hardening features using the
>> gcc compiler that Magnus and I hacked up and are now trying to get
>> migrating into Gentoo.  The goodies are in Gentoo overlays.  The ebuilds
>> are at
>>  
> 
> Fantastic!
> 
> Can you build with your normal options, run checksec.sh, and collect the
> output? Furthermore, if you can rebuild with these options, run
> checksec.sh, and send it along with the first set of data?
> 
> We'd love to hear about how it runs over days or weeks too, if you can
> send that along as well.
> 
> Thanks in advance,
> Jacob
> 


Hi Jacob,

Here's what you wanted.  All were done against master at
git://git.torproject.org/git/tor.git as of this morning.


1. Test with hardened gcc and no hardening flags added via ./configure

i686-pc-linux-gnu-4.4.3 - from hardened gentoo overlay [1]
./configure WITHOUT --enable-gcc-hardening --enable-linker-hardening

~/GIT/tor-hardened-gcc/src $ checksec.sh --file or/tor
RELRO           STACK CANARY      NX            PIE               FILE
Full RELRO      Canary found      NX enabled    PIE enabled       or/tor



2. Test with vanilla gcc and no hardening flags added via ./configure

i686-pc-linux-gnu-4.4.3-vanilla - from [1]
./configure WITHOUT --enable-gcc-hardening --enable-linker-hardening

~/GIT/tor-soft-gcc/src $ checksec.sh --file or/tor
RELRO           STACK CANARY      NX            PIE              FILE
Partial RELRO   No canary found   NX enabled    No PIE           or/tor



3. Test with vanilla gcc and hardening flags added via ./configure

i686-pc-linux-gnu-4.4.3-vanilla
./configure --enable-gcc-hardening --enable-linker-hardening

~/GIT/tor-soft-gcc-hardening/src $ checksec.sh --file or/tor
RELRO           STACK CANARY      NX            PIE              FILE
Full RELRO      Canary found      NX enabled    PIE enabled      or/tor



4. As for testing hardening with tor, *all* tor-ramdisk images [2] were
compiled/linked with the above hardening from day one.  However since
these are statically linked against uclibc, it may not be the test
you're looking for.

Currently node "rafiki" at IP 67.151.215.240 is running tor built by #3
above. I'll give you the results in a few days.

The host is a fully hardened desktop Gentoo system --- see [3] for
checksec.sh on running binaries. It's also a Xen virtual machine.  If you
want, I can move rafiki to a more traditional system, stock Debian or
CentOS.  It might be a more realistic test of what you'll get in the wild.



[1] git://git.overlays.gentoo.org/proj/hardened-dev.git
[2] http://opensource.dyc.edu/tor-ramdisk
[3] http://opensource.dyc.edu/sites/default/files/tinhat-checksec.txt

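Added example, not part of the original message and not code from checksec.sh or Tor: a Python reading of the ELF fields behind the four columns reported in the message above, so the same properties can be checked on a build host without checksec.sh. The function name checksec(), treating a missing PT_GNU_STACK as "NX disabled", and the symbol-name search used for the canary column are assumptions of this example.

```python
import struct
import sys
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
ET_DYN, PF_X = 3, 1

def checksec(data):
    """Derive the four checksec.sh columns from an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    (e_type,) = struct.unpack_from(e + "H", data, 16)
    phoff_fmt, phoff_at, phsize_at = ("Q", 32, 54) if is64 else ("I", 28, 42)
    (phoff,) = struct.unpack_from(e + phoff_fmt, data, phoff_at)
    phentsize, phnum = struct.unpack_from(e + "HH", data, phsize_at)
    relro = bind_now = nx = False  # assumption: no PT_GNU_STACK => NX not enforced
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
            p_type, p_flags, p_offset = struct.unpack_from(e + "IIQ", data, base)
            (p_filesz,) = struct.unpack_from(e + "Q", data, base + 32)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags
            p_type, p_offset = struct.unpack_from(e + "II", data, base)
            p_filesz, _, p_flags = struct.unpack_from(e + "III", data, base + 16)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:         # eager binding makes RELRO "Full"
            fmt = e + ("qQ" if is64 else "iI")
            seg = data[p_offset:p_offset + p_filesz]
            seg = seg[:len(seg) - len(seg) % struct.calcsize(fmt)]
            for tag, val in struct.iter_unpack(fmt, seg):
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 8) \
                        or (tag == DT_FLAGS_1 and val & 1):
                    bind_now = True
    canary = b"__stack_chk_fail" in data   # heuristic: handler name is referenced
    return {
        "RELRO": ("Full" if bind_now else "Partial") + " RELRO" if relro else "No RELRO",
        "STACK CANARY": "Canary found" if canary else "No canary found",
        "NX": "NX enabled" if nx else "NX disabled",
        "PIE": "PIE enabled" if e_type == ET_DYN else "No PIE",  # ET_DYN is also .so
    }

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(checksec(f.read()))
```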


