Hi,

I've pushed a new git branch 'compileTimeHardening' out to my git repo. I've also attached a patch for those that are git averse. Either way, apply the patch to your current Tor master sources and you should be in good shape.

You can use it like so:

  ./autogen.sh && ./configure --enable-gcc-warnings --enable-gcc-hardening --enable-linker-hardening && make && sudo make install

The end result on Debian Lenny is a slightly hardened build when checked with checksec.sh[0].

This is weasel's build on my x86 machine:

  RELRO           STACK CANARY      NX            PIE
  Partial RELRO   Canary found      NX enabled    PIE enabled

This is a build with my new options on the same machine:

  RELRO           STACK CANARY      NX            PIE
  Full RELRO      Canary found      NX enabled    PIE enabled

This is a build without my new options on the same machine:

  RELRO           STACK CANARY      NX            PIE
  No RELRO        No canary found   NX enabled    No PIE

This seems like a useful improvement for people building from source.

The gcc hardening flag works on Mac OS X. The linker hardening is specific to the ELF binary format and does not work on Mac OS X. So on Mac OS X, only use '--enable-gcc-hardening' and not '--enable-linker-hardening' for your builds.

Checksec doesn't work on Mac OS X. It does appear to be possible to check if a binary has a stack canary by doing the following (using Mac OS X 10.6.3 here):

  nm /bin/ls | grep "chk_guard"

You should see something like this:

  U ___stack_chk_guard

Also, you can check by looking for the following with otool on Mac OS X:

  otool -tvV /bin/ls | grep "___stack_chk_fail"

You should see something like this:

  00004bf7 calll 0x00005468 ; symbol stub for: ___stack_chk_fail

If you look at /Applications/Vidalia.app/Contents/MacOS/tor, you will not see those protections at the moment. I think we can improve our shipping Mac OS X binaries by enabling these protections. The PIE protections won't really matter until Apple fixes their platform (perhaps in 10.7?!); still it's nice to be ready and this patch provides that too.
It appears that FORTIFY_SOURCE is on by default on Mac OS X. We don't currently build Tor on Mac OS X with stack canaries though, so we're improving Tor's security on Mac OS X. It may not be possible to do this for all versions of Mac OS X - I suspect that Apple may disable some or all protections to make a binary more compatible with different Mac OS X versions.

It would be useful to get some extra testing on other platforms; is anyone working with Windows building and interested in testing this? I also left a comment in the patch for hardening flags that would be useful with a non-gcc compiler on Windows.

There is some performance cost to running Tor with these security enhancements. Debian already runs with most of the run time checks and the relays on Debian appear to be just fine. The only real enhancement for Linux systems is a startup time cost to gain protection from GOT/PLT overwrites (if you're already using Weasel's packages). If you're merely building from source on any of the supported platforms, it's a huge gain.

I think this option should be enabled by default at some point in the future but probably not until we have a reasonably exhaustive list of information for our major platforms. After we have a little testing from Tor developers, I'll ask on or-talk for some testers. It would be nice to have it merged into master as an optional option soon though. Roger seemed to think this was a fine idea. I think it may encourage people to try it out and to help us decide if it's worth applying as a build default.

All the best,
Jacob

[0] http://www.trapkit.de/tools/checksec.html
diff --git a/configure.in b/configure.in index 10e509d..2b1210c 100644 --- a/configure.in +++ b/configure.in @@ -90,6 +90,26 @@ AC_ARG_ENABLE(gcc-warnings, AC_ARG_ENABLE(gcc-warnings-advisory, AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror])) +dnl Adam shostack suggests the following for Windows: +dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all +dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows +AC_ARG_ENABLE(gcc-hardening, + AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks), +[if test x$enableval = xyes; then + CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-all" + CFLAGS+=" -Wstack-protector -fwrapv -fPIE -Wformat -Wformat-security" + CFLAGS+=" -Wpointer-sign" + LDFLAGS+=" -pie" +fi]) + +dnl Linker hardening options +dnl Currently these options are ELF specific - you can't use this with MacOSX +AC_ARG_ENABLE(linker-hardening, + AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups), +[if test x$enableval = xyes; then + LDFLAGS+=" -z relro -z now" +fi]) + AC_ARG_ENABLE(local-appdata, AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows)) if test "$enable_local_appdata" = "yes"; then
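Review bot: the '+=' string appends in both new blocks (CFLAGS+=" -Wstack-protector -fwrapv -fPIE -Wformat -Wformat-security", CFLAGS+=" -Wpointer-sign", LDFLAGS+=" -pie" and LDFLAGS+=" -z relro -z now") are a bash extension; the generated configure runs under /bin/sh, and on a POSIX shell such as dash (Debian's default) a word like CFLAGS+=... is parsed as a command name, so those flags are silently dropped with a "not found" message and only the first CFLAGS line takes effect. Use the portable form already used on that first line, CFLAGS="$CFLAGS ..." and LDFLAGS="$LDFLAGS ...". Two smaller points in the same hunk: the flags are added without any compile or link check, so a toolchain lacking -fstack-protector-all, -Wstack-protector or -z relro fails deep in make rather than at configure time (an AC_LINK_IFELSE probe per flag would give a clean failure), and hard-coding -O2 into CFLAGS overrides whatever optimisation level the user passed in, although _FORTIFY_SOURCE only needs some -O level. Nit: 'Adam shostack' in the dnl comment should read 'Adam Shostack'.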
Attachment:
signature.asc
Description: OpenPGP digital signature
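As an added example (not Jacob's code, nor part of the Tor tree or of checksec.sh), the following POSIX sh script derives the four checksec columns shown in the mail from GNU readelf output, so the move from Partial RELRO to Full RELRO that '-z relro -z now' produces, and the canary and PIE changes, can be verified on an ELF build without checksec. It assumes GNU binutils readelf; each classifier reads readelf text on stdin so the logic can also be exercised on canned output.

```shell
# Added example, not from the mail, the Tor tree or checksec.sh: derive the four
# checksec columns (RELRO, STACK CANARY, NX, PIE) from GNU readelf output.
# Each classifier reads 'readelf -W -h -l -d -s' text on stdin.

# RELRO: '-z relro' adds a PT_GNU_RELRO segment (Partial RELRO); '-z now' also
# sets the BIND_NOW dynamic flag, so the GOT is read-only from start (Full RELRO).
relro_status() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q GNU_RELRO; then
        if printf '%s\n' "$dump" | grep -q BIND_NOW; then echo "Full RELRO"
        else echo "Partial RELRO"; fi
    else echo "No RELRO"; fi
}
# STACK CANARY: -fstack-protector(-all) makes the binary import __stack_chk_fail,
# the same symbol the otool check in the mail looks for on Mac OS X.
canary_status() {
    if grep -q '__stack_chk_fail'; then echo "Canary found"
    else echo "No canary found"; fi
}
# NX: the stack is non-executable only if a PT_GNU_STACK header is present and
# it is not flagged RWE; a missing header means an executable stack.
nx_status() {
    stack=$(grep GNU_STACK || true)
    case "$stack" in
        "" | *RWE*) echo "NX disabled" ;;
        *)          echo "NX enabled" ;;
    esac
}
# PIE: -fPIE/-pie yield an ET_DYN image that still carries a DT_DEBUG entry; an
# ET_DYN without DT_DEBUG is an ordinary shared library, not a PIE.
pie_status() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q 'Type:.*EXEC'; then echo "No PIE"
    elif printf '%s\n' "$dump" | grep -q 'Type:.*DYN'; then
        if printf '%s\n' "$dump" | grep -q '(DEBUG)'; then echo "PIE enabled"
        else echo "DSO"; fi
    else echo "Not an ELF executable"; fi
}
# Print one checksec-style table for an ELF file (needs GNU binutils readelf).
hardening_report() {
    dump=$(readelf -W -h -l -d -s "$1" 2>/dev/null) || return 1
    printf 'RELRO\tSTACK CANARY\tNX\tPIE\n'
    printf '%s\t%s\t%s\t%s\n' "$(printf '%s\n' "$dump" | relro_status)" \
        "$(printf '%s\n' "$dump" | canary_status)" \
        "$(printf '%s\n' "$dump" | nx_status)" "$(printf '%s\n' "$dump" | pie_status)"
}
for f in "$@"; do hardening_report "$f"; done   # e.g. sh hardening.sh src/or/tor
```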