[PATCH] [EXPERIMENTAL] autocrap autohardening
Nils Goroll
slink at schokola.de
Thu Jan 9 18:31:42 CET 2014
Hi,
I stumbled over
http://mainisusuallyafunction.blogspot.de/2012/05/automatic-binary-hardening-with.html
today and thought to give it a try with varnish.
Result is attached: I have integrated a slightly modified version of Keegan's
configure.ac. Changes:
- removed CXX support
- replaced -fstack-protector-all with -fstack-protector-strong and fallback to
-fstack-protector
- removed -Wstack-protector (XXXLATER: disable for specific functions only?)
This survives a "make check" on
SunOS 5.11 snv_134 # ancient
gcc (GCC) 4.3.3
and
Debian 6.0.8
Linux debhag 2.6.32-5-xen-amd64 #1 SMP
gcc (Debian 4.4.5-8) 4.4.5
I have checked checksec output (attached) and run-times for make check on linux
with -fstack-protector (-fstack-protector-strong is TODO)
* hardening enabled (default)
debhag:~/v/varnish-git/varnish-cache# time make check
...
====================
All 352 tests passed
====================
...
real 12m32.646s
user 1m12.137s
sys 0m51.791s
-
* --disable-hardening
debhag:~/v/varnish-git/varnish-cache# time make check
...
====================
All 352 tests passed
====================
real 12m21.915s
user 1m11.992s
sys 0m53.631s
Should there be any interest in integrating something like this, we probably
would need to do more extensive testing and benchmarking.
Also, whether or not varnish could benefit from such hardening is a completely
different question - personally I'd consider phk's defensive coding approach
much more important than additional stack/buffer overflow protection, load
address randomization and page protection.
Nils
-------------- next part --------------
A non-text attachment was scrubbed...
Name: varnish_checksec_disable_hardening.png
Type: image/png
Size: 18174 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20140109/15850d41/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: varnish_checksec_with_hardening.png
Type: image/png
Size: 18461 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20140109/15850d41/attachment-0003.png>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-autocrap-auto-hardening.patch
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20140109/15850d41/attachment-0001.ksh>
More information about the varnish-dev
mailing list