Tor hardening at compile time

Jacob Appelbaum jacob at appelbaum.net
Fri May 7 13:15:07 UTC 2010


Hi,

I've pushed a new git branch 'compileTimeHardening' out to my git repo.
I've also attached a patch for those that are git averse. Either way,
apply the patch to your current Tor master sources and you should be in
good shape.

You can use it like so:

	./autogen.sh && ./configure --enable-gcc-warnings --enable-gcc-hardening --enable-linker-hardening && make && sudo make install

The end result on Debian Lenny is a slightly hardened build when checked
with checksec.sh[0].

This is weasel's build on my x86 machine:
RELRO           STACK CANARY      NX            PIE
Partial RELRO   Canary found      NX enabled    PIE enabled

This is a build with my new options on the same machine:
RELRO           STACK CANARY      NX            PIE
Full RELRO      Canary found      NX enabled    PIE enabled

This is a build without my new options on the same machine:
RELRO           STACK CANARY      NX            PIE
No RELRO        No canary found   NX enabled    No PIE

This seems like a useful improvement for people building from source.

The gcc hardening flag works on Mac OS X. The linker hardening is
specific to the ELF binary format and does not work on Mac OS X. So on
Mac OS X, only use '--enable-gcc-hardening' and not
'--enable-linker-hardening' for your builds.

Checksec doesn't work on Mac OS X. It does appear to be possible to
check if a binary has a stack canary by doing the following (Using Mac
OS X 10.6.3 here):

	nm /bin/ls | grep "chk_guard"

You should see something like this:

	U ___stack_chk_guard

Also, you can check by looking for the following with otool on Mac OS X:

	otool -tvV /bin/ls | grep "___stack_chk_fail"

You should see something like this:

	00004bf7        calll   0x00005468      ; symbol stub for: ___stack_chk_fail

If you look at /Applications/Vidalia.app/Contents/MacOS/tor, you will
not see those protections at the moment. I think we can improve our
shipping Mac OS X binaries by enabling these protections. The PIE
protections won't really matter until Apple fixes their platform
(perhaps in 10.7?!); still it's nice to be ready and this patch provides
that too.

It appears that FORTIFY_SOURCE is on by default on Mac OS X. We don't
currently build Tor on Mac OS X with stack canaries though, so we're
improving Tor's security on Mac OS X. It may not be possible to do this
for all versions of Mac OS X - I suspect that Apple may disable some or
all protections to make a binary more compatible with different Mac OS X
versions.

It would be useful to get some extra testing on other platforms; is
anyone working with Windows building and interested in testing this? I
also left a comment in the patch for hardening flags that would be
useful with a non-gcc compiler on Windows.

There is some performance cost to running Tor with these security
enhancements. Debian already runs with most of the run time checks and
the relays on Debian appear to be just fine. The only real enhancement
for Linux systems is a startup time cost to gain protection from GOT/PLT
overwrites (if you're already using Weasel's packages).  If you're
merely building from source on any of the supported platforms, it's a
huge gain.

I think this option should be enabled by default at some point in the
future but probably not until we have a reasonably exhaustive list of
information for our major platforms. After we have a little testing from
Tor developers, I'll ask on or-talk for some testers.

It would be nice to have it merged into master as an optional option
soon though. Roger seemed to think this was a fine idea. I think it may
encourage people to try it out and to help us decide if it's worth
applying as a build default.

All the best,
Jacob

[0] http://www.trapkit.de/tools/checksec.html
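The three checksec.sh tables above come down to four facts read from the ELF headers: a PT_GNU_RELRO segment (plus BIND_NOW in the dynamic section for "Full"), a reference to __stack_chk_fail, a non-executable PT_GNU_STACK, and ET_DYN for PIE. The following is an added example, not code from the post, Tor or checksec.sh: a small Python reimplementation of those four columns for ELF64 little-endian files (so not Mach-O), exercised on constructed stub images from a hypothetical build_elf helper rather than real binaries.

```python
# Added example (not from the post, Tor or checksec.sh): checksec columns from ELF64 headers.
import struct
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 1, 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1

def checksec(data: bytes) -> dict:
    """Return {RELRO, STACK CANARY, NX, PIE} as checksec.sh prints them."""
    assert data[:5] == b"\x7fELF\x02", "ELF64 only"
    e_type, e_phoff, phentsize, phnum = struct.unpack_from("<H14xQ14xHH", data, 16)  # @16 @32 @54
    nx, relro, bind_now, dyn_off, dyn_size = False, False, False, 0, 0
    for i in range(phnum):
        base = e_phoff + i * phentsize       # p_type, p_flags, p_offset, p_filesz
        p_type, p_flags, p_offset, p_filesz = struct.unpack_from("<IIQ16xQ", data, base)
        if p_type == PT_GNU_STACK:           # stack segment without PF_X -> NX
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:         # region made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    # BIND_NOW resolves the whole GOT at startup, so RELRO can cover it (Full RELRO)
    for off in range(dyn_off, dyn_off + dyn_size, 16):
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
            bind_now = True
    return {
        "RELRO": "Full RELRO" if relro and bind_now else
                 "Partial RELRO" if relro else "No RELRO",
        "STACK CANARY": "Canary found" if b"__stack_chk_fail" in data else "No canary found",
        "NX": "NX enabled" if nx else "NX disabled",
        "PIE": "PIE enabled" if e_type == ET_DYN and dyn_off else "No PIE",
    }

def build_elf(pie: bool, relro: bool, bind_now: bool, canary: bool) -> bytes:
    """Hypothetical helper: a constructed, non-runnable ELF64 image carrying only the markers above."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    phnum = 3 if relro else 2
    dyn_off = 64 + 56 * phnum               # dynamic section follows the phdr table
    ph = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16),  # RW, no X
          struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        ph.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(ph) + dyn + (b"\0__stack_chk_fail\0" if canary else b"\0")
```

On a real file, `checksec(open(path, "rb").read())` gives the same four columns; the canary column is the same symbol-presence heuristic checksec.sh uses, so it shows that some functions were instrumented, not that every one was.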