guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Hardening

From: ng0
Subject: Re: Hardening
Date: Fri, 19 Aug 2016 09:30:55 +0000 
ng0 <address@hidden> writes:

> Alex Vong <address@hidden> writes:
>
>> Hi,
>>
>> Wow, this was long time ago. I've forgot this completely.
>>
>> Ricardo Wurmus <address@hidden> writes:
>>
>>> Leo Famulari <address@hidden> writes:
>>>
>>>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>>>> Alex Vong <address@hidden> skribis:
>>>>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>>>>> > matches are found. It appears no packages are setting this flag
>>>>> > currently. I think this flag (perhaps also a couple others) should be
>>>>> > set by default since they help protect against buffer overflow
>>>>> > <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.
>>>>> 
>>>>> I definitely agree, that’s something I’ve been wanting to try out.
>>>>> 
>>>>> The question is more how.  Do we change the default #:configure-flags
>>>>> for ‘gnu-build-system’ to something like:
>>>>> 
>>>>>   '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>>>>     "CFLAGS=-O2 -g -fstack-protector-strong")
>>>>> 
>>>>> ?
>>>>> 
>>>>> That sounds like a good starting point, but I expect that (1) one third
>>>>> of the packages will fail to build, and (2) another third of the
>>>>> packages will not get these flags, for instance because they pass their
>>>>> own #:configure-flags.
>>>>> 
>>>>> IOW, it will take a whole rebuild to find out exactly what’s going on
>>>>> and to fix any issues.
>>>>> 
>>>>> Would you like to start working on it?  Then we could create a branch,
>>>>> have Hydra build it, and incrementally fix things.
>>>>
>>>> We should pick this project back up. I was suprised to find we haven't
>>>> done anything like this after reading this recent blog post about Nix's
>>>> hardening effort:
>>>>
>>>> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
>>>
>>> Are the above flags the only flags we’d like to play with?  There’s no
>>> harm in letting hydra rebuild the world with these flags on a separate
>>> branch — provided that all build nodes are usable.
>>>
>> There are indeed additional flags (for debian's hardening).
>>
>>
>> Here is the complete output (from the testing distribution):
>>
>> address@hidden:~$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
>> CFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE 
>> -fstack-protector-strong -Wformat -Werror=format-security
>> CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>> CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE 
>> -fstack-protector-strong -Wformat -Werror=format-security
>> FCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE 
>> -fstack-protector-strong
>> FFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE 
>> -fstack-protector-strong
>> GCJFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE 
>> -fstack-protector-strong
>> LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
>> OBJCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE 
>> -fstack-protector-strong -Wformat -Werror=format-security
>> OBJCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE 
>> -fstack-protector-strong -Wformat -Werror=format-security
>>
>>
>> The `-fdebug-prefix-map' flag seems to be using the current working
>> directory.
>>
>>> ~~ Ricardo
>>
>> Cheers,
>> Alex
>>
>
> I think there's even more, I can add to this thread when I have access
> to my hardened vm systems again.

I mean there is more, but it depends on what we want. What I can share
is in the direction of Gentoo Hardened
( https://wiki.gentoo.org/wiki/Project:Hardened ,
https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart )
and there are repos at https://gitweb.gentoo.org of the hardened project
showing the depths you can go to. Depending on what you will apply,
certain applications become difficult to compile but with patches
applied they succeed. Runtime gets difficult once you apply on top of a
PaX enabled kernel with GRSec the addtional useful things like paxctl-ng
for XATTR_PAX markings.

Gentoo hardened has not stabilized the gcc we use and use some other
version as stable, gcc-6 is testing in gentoo if I remember correctly.
If desired, I can setup a hardened gentoo again (my VM is currently
busy) and look at what their patches do in practice.

> Good to see that this is being picked up again.


-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org
reply via email to
[Prev in Thread] Current Thread [Next in Thread]