From patchwork Wed Oct 25 03:25:00 2017
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 830085
From: Matt Weber
To: buildroot@buildroot.org
Date: Tue, 24 Oct 2017 22:25:00 -0500
Message-Id: <1508901900-11190-2-git-send-email-matthew.weber@rockwellcollins.com>
In-Reply-To: <1508901900-11190-1-git-send-email-matthew.weber@rockwellcollins.com>
References: <1508901900-11190-1-git-send-email-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 2/2] security hardening: add RELFO, FORTIFY options

This enables a user to build a complete system using these
options. It is important to note that not all packages will
build correctly to start with. Additional initial patches which
update linker ordering changes, etc will be upstreamed and then
submitted to buildroot as a patch or bump.

A good testing tool to check a target's elf files for compliance
to an array of hardening techniques can be found here:
https://github.com/slimm609/checksec.sh

Signed-off-by: Matthew Weber
---
 Config.in           | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 package/Makefile.in | 25 +++++++++++++++++++++++
 2 files changed, 83 insertions(+)

diff --git a/Config.in b/Config.in index f3c9dcd..4129e85 100644 --- a/Config.in +++ b/Config.in
@@ -730,6 +730,64 @@ endchoice comment "Stack Smashing Protection needs a toolchain w/ SSP" depends on !BR2_TOOLCHAIN_HAS_SSP +choice + bool "RELRO protection" + help + Enable a link-time protection know as RELRO (RELocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. + +config BR2_RELRO_NONE + bool "None" + help + Enables Relocation link-time protections. + +config BR2_RELRO_PARTIAL + bool "Partial" + help + This option makes the dynamic section not writeable after + initialization (with almost no performance penalty). + +config BR2_RELRO_FULL + bool "Full" + help + This option includes the partial configuration, but also + marks the GOT as read-only at the cost of initialization time + during program loading, i.e every time an executable is started. + +endchoice + +choice + bool "Buffer-overflow detection (FORTIFY_SOURCE)" + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. + +config BR2_FORTIFY_SOURCE_NONE + bool "None" + help + Enables additional checks to detect buffer-overflows. + +config BR2_FORTIFY_SOURCE_1 + bool "Conservative" + help + This option sets _FORTIFY_SOURCE set to 1 and only introduces + checks that shouldn't change the behavior of conforming programs. + Adds checks at compile-time only. + +config BR2_FORTIFY_SOURCE_2 + bool "Aggressive" + help + This option sets _FORTIFY_SOURCES set to 2 and some more checking + is added, but some conforming programs might fail. + Also adds checks at run-time (detected buffer overflow terminates + the program) + +endchoice + endmenu endmenu diff --git a/package/Makefile.in b/package/Makefile.in index a1a5316..c99361f 100644 --- a/package/Makefile.in +++ b/package/Makefile.in 
@@ -144,6 +144,9 @@ TARGET_CXXFLAGS = $(TARGET_CFLAGS) TARGET_FCFLAGS = $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING) TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS)) +TARGET_CFLAGS_RELRO = -Wl,-z,relro +TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO) + ifeq ($(BR2_BINFMT_FLAT),y) TARGET_CFLAGS += $(if $($(PKG)_FLAT_STACKSIZE),-Wl$(comma)-elf2flt=-s$($(PKG)_FLAT_STACKSIZE),\ -Wl$(comma)-elf2flt) @@ -181,6 +184,28 @@ TARGET_CXXFLAGS += -fstack-protector-all TARGET_FCFLAGS += -fstack-protector-all endif +ifeq ($(BR2_RELRO_PARTIAL),y) +TARGET_CFLAGS += $(TARGET_CFLAGS_RELRO) +TARGET_CXXFLAGS += $(TARGET_CFLAGS_RELRO) +TARGET_FCFLAGS += $(TARGET_CFLAGS_RELRO) +TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO) +else ifeq ($(BR2_RELRO_FULL),y) +TARGET_CFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL) +TARGET_CXXFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL) +TARGET_FCFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL) +TARGET_LDFLAGS += -pie +endif + +ifeq ($(BR2_FORTIFY_SOURCE_1),y) +TARGET_CFLAGS += -D_FORTIFY_SOURCE=1 +TARGET_CXXFLAGS += -D_FORTIFY_SOURCE=1 +TARGET_FCFLAGS += -D_FORTIFY_SOURCE=1 +else ifeq ($(BR2_FORTIFY_SOURCE_2),y) +TARGET_CFLAGS += -D_FORTIFY_SOURCE=2 +TARGET_CXXFLAGS += -D_FORTIFY_SOURCE=2 +TARGET_FCFLAGS += -D_FORTIFY_SOURCE=2 +endif + ifeq ($(BR2_TOOLCHAIN_BUILDROOT),y) TARGET_CROSS = $(HOST_DIR)/bin/$(GNU_TARGET_NAME)- else
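Review bot: In the Config.in hunk, the help text of the two "None" entries says the opposite of what they select: BR2_RELRO_NONE reads "Enables Relocation link-time protections." and BR2_FORTIFY_SOURCE_NONE reads "Enables additional checks to detect buffer-overflows."; both should state that the protection is disabled. The same hunk has typos to fix before merge: "know as RELRO" should be "known as RELRO", "_FORTIFY_SOURCES" should be "_FORTIFY_SOURCE", and "sets _FORTIFY_SOURCE set to 1" repeats "set". The FORTIFY_SOURCE choice also carries no "depends on", although _FORTIFY_SOURCE only takes effect when the compiler is optimizing, so a dependency on a non-zero optimization level would keep the option from being selected where it silently does nothing.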
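Review bot: In the first package/Makefile.in hunk (@@ -144,6 +144,9 @@), TARGET_CFLAGS_RELRO and TARGET_CFLAGS_RELRO_FULL contain only linker options (-Wl,-z,relro and -Wl,-z,now), so the CFLAGS prefix is misleading. A name such as TARGET_LDFLAGS_RELRO would match their content and make their later use in TARGET_LDFLAGS read naturally.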
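Review bot: In the second package/Makefile.in hunk (@@ -181,6 +184,28 @@), the BR2_RELRO_FULL branch appends only -pie to TARGET_LDFLAGS, while the BR2_RELRO_PARTIAL branch appends $(TARGET_CFLAGS_RELRO) there. A package that links using TARGET_LDFLAGS without TARGET_CFLAGS would therefore get -pie but neither -z relro nor -z now under "Full"; suggest "TARGET_LDFLAGS += -pie $(TARGET_CFLAGS_RELRO_FULL)" for consistency. The same branch also turns on -fPIE and -pie for every package, which the BR2_RELRO_FULL help text in Config.in does not mention; either document that "Full" also implies PIE or split PIE into its own option, and confirm the global flags are intended to reach packages that build shared libraries.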