[OpenWrt-Devel,packages] Support for building a hardened OpenWRT with ASLR PIE support

Submitted by Yongkui Han (yonhan) on June 12, 2017, 1:26 p.m.

Details

Message ID 95fe7a1257cb470aaa5380224024d785@XCH-RTP-010.cisco.com
State New
Headers show

Commit Message

Yongkui Han (yonhan) June 12, 2017, 1:26 p.m.
From: Yongkui Han <yonhan@cisco.com>

Introduce a configuration option to build a "hardened" OpenWRT with ASLR PIE support.

A new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
Position Independent Executables (PIE) support has been introduced.
This new option protects against "return-to-text" attacks.

Tested with GCC 4.4.7, uClibc and a subset of the available packages.

Signed-off-by: Yongkui Han <yonhan@cisco.com>
---
config/Config-build.in    |   15 +++++++++++++++
include/hardened-build-ld |    2 ++
include/hardening.mk      |    7 +++++++
3 files changed, 24 insertions(+)

Patch hide | download patch | download mbox

diff --git a/config/Config-build.in b/config/Config-build.in
index 23cf83b..fa7ecfb 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -221,6 +221,21 @@  menu "Global build settings"
                     this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
                     Makefile.
+        config PKG_ASLR_PIE
+                  bool
+                  prompt "User space ASLR PIE compilation"
+                  default n
+                  help
+                    Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+                    This enables package build as Position Independent Executables (PIE)
+                    to protect against "return-to-text" attacks. This belongs to the
+                    feature of Address Space Layout Randomisation (ASLR), which is
+                    implemented by the kernel and the ELF loader by randomising the
+                    location of memory allocations. This makes memory addresses harder
+                    to predict when an attacker is attempting a memory-corruption exploit.
+                    You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+                    Makefile.
+
         choice
                   prompt "User space Stack-Smashing Protection"
                   depends on USE_MUSL
diff --git a/include/hardening.mk b/include/hardening.mk
index c277081..7b09c3e 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -6,6 +6,7 @@ 
#
 PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_ASLR_PIE ?= 1
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1
@@ -15,6 +16,12 @@  ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
     TARGET_CFLAGS += -Wformat -Werror=format-security
   endif
endif
+ifdef CONFIG_PKG_ASLR_PIE
+  ifeq ($(strip $(PKG_ASLR_PIE)),1)
+    TARGET_CFLAGS += -fPIC
+    TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-build-ld
+  endif
+endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
   ifeq ($(strip $(PKG_SSP)),1)
     TARGET_CFLAGS += -fstack-protector
diff --git a/include/hardened-build-ld b/include/hardened-build-ld
new file mode 100644
index 0000000..97dbd92
--- /dev/null
+++ b/include/hardened-build-ld
@@ -0,0 +1,2 @@ 
+*self_spec:
++ %{!static:%{!shared:-pie}}