From 55966c2189e29de1d8c3b0294f739e41ab45bf0e Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 12 Aug 2016 18:11:21 +0200 Subject: [PATCH] doc: complete the hardening documentation --- doc/stdenv.xml | 178 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 169 insertions(+), 9 deletions(-) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 034e0bb7590d..a6359a9cff3d 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1362,19 +1362,27 @@ in the default system locations.
Hardening in Nixpkgs -By default some flags to harden packages at compile or link-time are set: +There are flags available to harden packages at compile or link-time. +These can be toggled using the stdenv.mkDerivation parameters +hardeningDisable and hardeningEnable. + + +The following flags are enabled by default and might require disabling +if the program to package is incompatible. + - hardening_format + format Adds the compiler options. At present, - this warns about calls to printf and scanf functions where the - format string is not a string literal and there are no format - arguments, as in printf(foo);. This may be - a security hole if the format string came from untrusted input - and contains %n. + this warns about calls to printf and + scanf functions where the format string is + not a string literal and there are no format arguments, as in + printf(foo);. This may be a security hole + if the format string came from untrusted input and contains + %n. This needs to be turned off or fixed for errors similar to: @@ -1387,8 +1395,10 @@ cc1plus: some warnings being treated as errors - hardening_stackprotector - Adds the + stackprotector + + Adds the compiler options. This adds safety checks against stack overwrites rendering many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial @@ -1401,7 +1411,157 @@ bin/blib.a(bios_console.o): In function `bios_handle_cup': /tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail' + + + fortify + + Adds the compiler + options. During code generation the compiler knows a great deal of + information about buffer sizes (where possible), and attempts to replace + insecure unlimited length buffer function calls with length-limited ones. + This is especially useful for old, crufty code. Additionally, format + strings in writable memory that contain '%n' are blocked. If an application + depends on such a format string, it will need to be worked around. + + + Addtionally, some warnings are enabled which might trigger build + failures if compiler warnings are treated as errors in the packsge build. + In this case, set to + . + + This needs to be turned off or fixed for errors similar to: + + +malloc.c:404:15: error: return type is an incomplete type +malloc.c:410:19: error: storage size of 'ms' isn't known + + +strdup.h:22:1: error: expected identifier or '(' before '__extension__' + + +strsep.c:65:23: error: register name not specified for 'delim' + + +installwatch.c:3751:5: error: conflicting types for '__open_2' + + +fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments + + + + + + pic + + Adds the compiler options. This options adds + support for position independant code in shared libraries and thus making + ASLR possible. + Most notably, the Linux kernel, kernel modules and other code + not running in an operating system environment like boot loaders won't + build with PIC enabled. The compiler will is most cases complain that + PIC is not supported for a specific build. + + + This needs to be turned off or fixed for assembler errors similar to: + + +ccbLfRgg.s: Assembler messages: +ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF' + + + + + + strictoverflow + + Signed integer overflow is undefined behaviour according to the C + standard. If it happens, it is an error in the program as it should check + for overflow before it can happen, not afterwards. GCC provides built-in + functions to perform arithmetic with overflow checking, which are correct + and faster than any custom implementation. As a workaround, the option + makes gcc behave as if signed + integer overflows were defined. + + + This flag should not trigger any build or runtime errors. + + + + + relro + + Adds the linker option. During program + load, several ELF memory sections need to be written to by the linker, + but can be turned read-only before turning over control to the program. + This prevents some GOT (and .dtors) overwrite attacks, but at least the + part of the GOT used by the dynamic linker (.got.plt) is still vulnerable. + + + This flag can break dynamic shared object loading. For instance, the + module systems of Xorg and OpenCV are incompatible with this flag. In almost + all cases the bindnow flag must also be disabled and + incompatible programs typically fail with similar errors at runtime. + + + + + bindnow + + Adds the linker option. During program + load, all dynamic symbols are resolved, allowing for the complete GOT to + be marked read-only (due to relro). This prevents GOT + overwrite attacks. For very large applications, this can incur some + performance loss during initial load while symbols are resolved, but this + shouldn't be an issue for daemons. + + + This flag can break dynamic shared object loading. For instance, the + module systems of Xorg and PHP are incompatible with this flag. Programs + incompatible with this flag often fail at runtime due to missing symbols, + like: + + +intel_drv.so: undefined symbol: vgaHWFreeHWRec + + + + + +The following flags are disabled by default and should be enabled +for packages that take untrusted input, like network services. + + + + + + pie + + Adds the compiler and + linker options. Position Independent Executables are needed to take + advantage of Address Space Layout Randomization, supported by modern + kernel versions. While ASLR can already be enforced for data areas in + the stack and heap (brk and mmap), the code areas must be compiled as + position-independent. Shared libraries already do this with the + pic flag, so they gain ASLR automatically, but binary + .text regions need to be build with pie to gain ASLR. + When this happens, ROP attacks are much harder since there are no static + locations to bounce off of during a memory corruption attack. + + + + + + +For more in-depth information on these hardening flags and hardening in +general, refer to the +Debian Wiki, +Ubuntu Wiki, +Gentoo Wiki, +and the +Arch Wiki. + +