[PATCH] [EXPERIMENTAL] autocrap autohardening

Dridi Boukelmoune dridi.boukelmoune at zenika.com
Fri Mar 21 09:36:31 CET 2014


On Thu, Jan 9, 2014 at 6:31 PM, Nils Goroll <slink at schokola.de> wrote:
> Hi,
>
> I stumbled over
> http://mainisusuallyafunction.blogspot.de/2012/05/automatic-binary-hardening-with.html
> today and thought to give it a try with varnish.
>
> Result is attached: I have integrated a slightly modified version of
> Keegan's configure.ac. Changes:
>
> - removed CXX support
> - replaced -fstack-protector-all with -fstack-protector-strong and fallback
> to
>   -fstack-protector
> - removed -Wstack-protector (XXXLATER: disable for specific functions only?)
>
> This survives a "make check" on
>
>         SunOS 5.11 snv_134      # ancient
>         gcc (GCC) 4.3.3
>
> and
>
>         Debian 6.0.8
>         Linux debhag 2.6.32-5-xen-amd64 #1 SMP
>         gcc (Debian 4.4.5-8) 4.4.5
>

Hi,

You could also have a look at Fedora's varnish package. It should
already be hardened [1] since it's a long running program.

You can find an outdated (Fedora 13) list of flags [2] but on my
machine I get this:
> $ rpm --eval '%optflags'
> -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
>
> $ rpm --define '_hardened_build 1' --eval '%optflags'
> -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
>
> $ cat /usr/lib/rpm/redhat/redhat-hardened-cc1
> *cc1_options:
> + %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}
>
> $ uname -i
> x86_64

Dridi

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#PIE
[2] https://fedoraproject.org/wiki/Packaging:RPMMacros#Build_flags_macros_and_variables

>
> I have checked checksec output (attached) and run-times for make check on
> linux with -fstack-protector (-fstack-protector-strong is TODO)
>
> * hardening enabled (default)
>
> debhag:~/v/varnish-git/varnish-cache# time make check
> ...
> ====================
> All 352 tests passed
> ====================
> ...
>
> real    12m32.646s
> user    1m12.137s
> sys     0m51.791s
>
>         -
> * --disable-hardening
>
> debhag:~/v/varnish-git/varnish-cache# time make check
> ...
> ====================
> All 352 tests passed
> ====================
>
> real    12m21.915s
> user    1m11.992s
> sys     0m53.631s
>
> Should there be any interest in integrating something like this, we probably
> would need to do more extensive testing and benchmarking.
>
> Also, whether or not varnish could benefit from such hardening is a
> completely different question - personally I'd consider phk's defensive
> coding approach much more important than additional stack/buffer overflow
> protection, load address randomization and page protection.
>
> Nils
>
> _______________________________________________
> varnish-dev mailing list
> varnish-dev at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
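As an added example (not code from this thread or from Varnish's configure.ac), the shell below does what the patch description and the Fedora %optflags output together suggest: probe the compiler for each flag by compiling a throwaway file, prefer -fstack-protector-strong with a fallback to -fstack-protector, and add FORTIFY_SOURCE and PIE only when accepted. The compiler name (CC, defaulting to "cc") is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Varnish's configure.ac.
# Probes whether $CC accepts a flag by compiling a throwaway translation
# unit, then picks -fstack-protector-strong with the -fstack-protector
# fallback described in the patch, plus FORTIFY_SOURCE and PIE as seen in
# the Fedora %optflags.  CC defaulting to "cc" is an assumption.

: "${CC:=cc}"

# probe_cflag FLAG...: succeed only if $CC compiles a trivial file with
# FLAG... .  -Werror makes "unrecognized option" warnings fatal so that a
# permissive driver cannot make an unsupported flag look accepted.
probe_cflag() {
    command -v "$CC" >/dev/null 2>&1 || return 1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/probe.XXXXXX") || return 1
    printf 'int f(void) { char b[16]; b[0] = 1; return b[0]; }\n' >"$dir/t.c"
    if "$CC" -Werror "$@" -c "$dir/t.c" -o "$dir/t.o" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# pick_ssp_flag: print the strongest supported stack-protector flag, or
# fail (printing nothing) when neither variant is accepted.
pick_ssp_flag() {
    for f in -fstack-protector-strong -fstack-protector; do
        if probe_cflag "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# hardening_cflags: assemble the hardening set, keeping only flags the
# compiler accepts.  _FORTIFY_SOURCE is inert without optimisation, so
# it is probed together with -O2.
hardening_cflags() {
    flags=""
    ssp=$(pick_ssp_flag) && flags="$flags $ssp"
    probe_cflag -O2 -D_FORTIFY_SOURCE=2 && flags="$flags -O2 -D_FORTIFY_SOURCE=2"
    probe_cflag -fPIE && flags="$flags -fPIE"
    printf '%s\n' "${flags# }"
}

hardening_cflags
```

Unlike a fixed flag list in a spec file, the probed set degrades gracefully on an old gcc such as the 4.3/4.4 releases in the test matrix above, which predate -fstack-protector-strong.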
