| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | <!-- $NetBSD: hardening.xml,v 1.4 2021/11/02 08:28:45 nia Exp $ --> | | 1 | <!-- $NetBSD: hardening.xml,v 1.5 2021/11/07 11:30:19 nia Exp $ --> |
2 | | | 2 | |
3 | <appendix id="hardening"> | | 3 | <appendix id="hardening"> |
4 | <title>Security hardening</title> | | 4 | <title>Security hardening</title> |
5 | | | 5 | |
6 | <para> | | 6 | <para> |
7 | A number of mechanisms are available in pkgsrc to improve the security of the | | 7 | A number of mechanisms are available in pkgsrc to improve the security of the |
8 | resulting system. This page describes the mechanisms, and gives hints | | 8 | resulting system. This page describes the mechanisms, and gives hints |
9 | about detecting and fixing problems. | | 9 | about detecting and fixing problems. |
10 | </para> | | 10 | </para> |
11 | | | 11 | |
12 | <para> | | 12 | <para> |
13 | Mechanisms can be enabled individually in | | 13 | Mechanisms can be enabled individually in |
14 | <filename>mk.conf</filename>, and are | | 14 | <filename>mk.conf</filename>, and are |
| @@ -133,26 +133,57 @@ exploits harder to construct. With PIE, | | | @@ -133,26 +133,57 @@ exploits harder to construct. With PIE, |
133 | program, instead of the stack and heap only. | | 133 | program, instead of the stack and heap only. |
134 | </para> | | 134 | </para> |
135 | | | 135 | |
136 | <para> | | 136 | <para> |
137 | PIE executables will only be built for toolchains that are known to support PIE. | | 137 | PIE executables will only be built for toolchains that are known to support PIE. |
138 | Currently, this means NetBSD on x86, ARM, SPARC64, m68k, and MIPS. | | 138 | Currently, this means NetBSD on x86, ARM, SPARC64, m68k, and MIPS. |
139 | </para> | | 139 | </para> |
140 | | | 140 | |
141 | <para> | | 141 | <para> |
142 | <varname>PKGSRC_MKPIE</varname> was enabled by default after the pkgsrc-2021Q3 branch. | | 142 | <varname>PKGSRC_MKPIE</varname> was enabled by default after the pkgsrc-2021Q3 branch. |
143 | </para> | | 143 | </para> |
144 | </sect3> | | 144 | </sect3> |
145 | | | 145 | |
| | | 146 | <sect2 id="hardening.mechanisms.disabled"> |
| | | 147 | <title>Not enabled by default</title> |
| | | 148 | |
| | | 149 | <sect3 id="hardening.mechanisms.disabled.repro"> |
| | | 150 | <title>PKGSRC_MKREPRO</title> |
| | | 151 | |
| | | 152 | <para> |
| | | 153 | With this option, pkgsrc will try to build packages reproducibly. This allows |
| | | 154 | packages built from the same tree and with the same options, to produce |
| | | 155 | identical results bit by bit. This option should be combined with ASLR and |
| | | 156 | <varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for |
| | | 157 | attackers attempting to exploit security vulnerabilities. |
| | | 158 | </para> |
| | | 159 | |
| | | 160 | <para> |
| | | 161 | More details can be found here: |
| | | 162 | </para> |
| | | 163 | |
| | | 164 | <itemizedlist> |
| | | 165 | <listitem> |
| | | 166 | <para> |
| | | 167 | <ulink url="https://reproducible-builds.org/">Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink> |
| | | 168 | </para> |
| | | 169 | </listitem> |
| | | 170 | </itemizedlist> |
| | | 171 | |
| | | 172 | <para> |
| | | 173 | More work likely needs to be done before pkgsrc is fully reproducible. |
| | | 174 | </para> |
| | | 175 | </sect3> |
| | | 176 | |
146 | <sect3 id="hardening.mechanisms.enabled.relro"> | | 177 | <sect3 id="hardening.mechanisms.enabled.relro"> |
147 | <title>PKGSRC_USE_RELRO</title> | | 178 | <title>PKGSRC_USE_RELRO</title> |
148 | | | 179 | |
149 | <para> | | 180 | <para> |
150 | This also makes the exploitation of some security vulnerabilities more | | 181 | This also makes the exploitation of some security vulnerabilities more |
151 | difficult in some cases. | | 182 | difficult in some cases. |
152 | </para> | | 183 | </para> |
153 | | | 184 | |
154 | <para>Two different mitigation levels are available:</para> | | 185 | <para>Two different mitigation levels are available:</para> |
155 | | | 186 | |
156 | <itemizedlist> | | 187 | <itemizedlist> |
157 | <listitem> | | 188 | <listitem> |
158 | <para> | | 189 | <para> |
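Review bot: the new `<sect2 id="hardening.mechanisms.disabled">` at new line 146 is opened directly after the PIE `</sect3>` at 144 without first closing the enclosing `hardening.mechanisms.enabled` sect2, so "Not enabled by default" ends up nested inside "Enabled by default"; DocBook does not allow a sect2 inside a sect2, and the rendered hierarchy will be wrong. Insert `</sect2>` between lines 144 and 146 (and drop the stale `</sect2>` left at new line 221 further down). Also, the RELRO subsection moved into this section keeps `id="hardening.mechanisms.enabled.relro"` (new 177) although it now lives under the "disabled" section; rename it to `hardening.mechanisms.disabled.relro` after grepping the guide for xrefs or links to the old id so they are updated at the same time.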
| @@ -161,74 +192,44 @@ precede the program's own data sections, | | | @@ -161,74 +192,44 @@ precede the program's own data sections, |
161 | </para> | | 192 | </para> |
162 | </listitem> | | 193 | </listitem> |
163 | <listitem> | | 194 | <listitem> |
164 | <para> | | 195 | <para> |
165 | full: in addition to partial RELRO, every relocation is performed immediately | | 196 | full: in addition to partial RELRO, every relocation is performed immediately |
166 | when starting the program (with a slight performance impact), allowing the | | 197 | when starting the program (with a slight performance impact), allowing the |
167 | entire GOT to be read-only. | | 198 | entire GOT to be read-only. |
168 | </para> | | 199 | </para> |
169 | </listitem> | | 200 | </listitem> |
170 | </itemizedlist> | | 201 | </itemizedlist> |
171 | | | 202 | |
172 | <para> | | 203 | <para> |
173 | This is currently supported by GCC. Many software distributions now enable this | | 204 | This is currently supported by GCC. Many software distributions now enable this |
174 | feature by default, at the "partial" level. | | 205 | feature by default, at the "partial" level. However, it cannot yet be enforced |
| | | 206 | globally in pkgsrc through cwrappers. |
175 | </para> | | 207 | </para> |
176 | | | 208 | |
177 | <para> | | 209 | <para> |
178 | More details can be found here: | | 210 | More details can be found here: |
179 | </para> | | 211 | </para> |
180 | | | 212 | |
181 | <itemizedlist> | | 213 | <itemizedlist> |
182 | <listitem> | | 214 | <listitem> |
183 | <para> | | 215 | <para> |
184 | <ulink url="https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro">Hardening ELF binaries using Relocation Read-Only (RELRO)</ulink> | | 216 | <ulink url="https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro">Hardening ELF binaries using Relocation Read-Only (RELRO)</ulink> |
185 | </para> | | 217 | </para> |
186 | </listitem> | | 218 | </listitem> |
187 | </itemizedlist> | | 219 | </itemizedlist> |
188 | </sect3> | | 220 | </sect3> |
189 | </sect2> | | 221 | </sect2> |
190 | | | 222 | |
191 | <sect2 id="hardening.mechanisms.disabled"> | | | |
192 | <title>Not enabled by default</title> | | | |
193 | | | | |
194 | <sect3 id="hardening.mechanisms.disabled.repro"> | | | |
195 | <title>PKGSRC_MKREPRO</title> | | | |
196 | | | | |
197 | <para> | | | |
198 | With this option, pkgsrc will try to build packages reproducibly. This allows | | | |
199 | packages built from the same tree and with the same options, to produce | | | |
200 | identical results bit by bit. This option should be combined with ASLR and | | | |
201 | <varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for | | | |
202 | attackers attempting to exploit security vulnerabilities. | | | |
203 | </para> | | | |
204 | | | | |
205 | <para> | | | |
206 | More details can be found here: | | | |
207 | </para> | | | |
208 | | | | |
209 | <itemizedlist> | | | |
210 | <listitem> | | | |
211 | <para> | | | |
212 | <ulink url="https://reproducible-builds.org/">Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink> | | | |
213 | </para> | | | |
214 | </listitem> | | | |
215 | </itemizedlist> | | | |
216 | | | | |
217 | <para> | | | |
218 | More work likely needs to be done before pkgsrc is fully reproducible. | | | |
219 | </para> | | | |
220 | </sect3> | | | |
221 | | | | |
222 | <sect3 id="hardening.mechanisms.disabled.stackcheck"> | | 223 | <sect3 id="hardening.mechanisms.disabled.stackcheck"> |
223 | <title>PKGSRC_USE_STACK_CHECK</title> | | 224 | <title>PKGSRC_USE_STACK_CHECK</title> |
224 | | | 225 | |
225 | <para> | | 226 | <para> |
226 | This uses <literal>-fstack-check</literal> with GCC for | | 227 | This uses <literal>-fstack-check</literal> with GCC for |
227 | another stack protection mitigation. | | 228 | another stack protection mitigation. |
228 | </para> | | 229 | </para> |
229 | | | 230 | |
230 | <para> | | 231 | <para> |
231 | It asks the compiler to generate code verifying that it does not corrupt the | | 232 | It asks the compiler to generate code verifying that it does not corrupt the |
232 | stack. According to GCC's manual page, this is really only useful for | | 233 | stack. According to GCC's manual page, this is really only useful for |
233 | multi-threaded programs. | | 234 | multi-threaded programs. |
234 | </para> | | 235 | </para> |
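Review bot: the retained `</sect2>` at new line 221 now closes "Not enabled by default" immediately after the RELRO subsection, so `hardening.mechanisms.disabled.stackcheck` at 223 (and any sect3 that follows it) falls outside that section even though its id and content say it is not enabled by default. Since the "disabled" sect2 is now opened at new line 146, this close belongs just before that opening tag (after the PIE `</sect3>` at 144), and the copy at 221 should be removed. The added rationale at 205-206 ("However, it cannot yet be enforced globally in pkgsrc through cwrappers.") is a good reason for the move; since the preceding sentence says many distributions enable RELRO by default, consider also stating plainly that pkgsrc therefore leaves `PKGSRC_USE_RELRO` off by default, so the paragraph does not rely solely on the section title for that fact.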