[OpenWrt-Devel,0/6] buildsystem: Activate PIE ASLR for some packages
mbox series

Message ID 20191027174438.25795-1-hauke@hauke-m.de
Headers show
Series
  • buildsystem: Activate PIE ASLR for some packages
Related show

Message

Hauke Mehrtens Oct. 27, 2019, 5:44 p.m. UTC
This is a follow up patch on this discussion on the mailing list:
https://patchwork.ozlabs.org/patch/1041647/

This allows to activate PIE only for some packages where we thing it is 
necessary and not only globally for all of them.

Hauke Mehrtens (6):
  buildsystem: Make PIE ASLR option tristate
  dnsmasq: Activate PIE by default
  dropbear: Activate PIE by default
  hostapd: Activate PIE by default
  uhttpd: Activate PIE by default
  lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers

 config/Config-build.in                       | 22 ++++++++++++++++----
 include/hardening.mk                         |  9 +++++++-
 package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
 package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
 package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
 package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
 package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
 package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
 package/network/config/ltq-vdsl-app/Makefile |  1 -
 package/network/services/dnsmasq/Makefile    |  1 +
 package/network/services/dropbear/Makefile   |  1 +
 package/network/services/hostapd/Makefile    |  1 +
 package/network/services/uhttpd/Makefile     |  1 +
 13 files changed, 30 insertions(+), 13 deletions(-)

Comments

Daniel Engberg Oct. 28, 2019, 9:14 a.m. UTC | #1
On 2019-10-27 18:44, Hauke Mehrtens wrote:
> This is a follow up patch on this discussion on the mailing list:
> https://patchwork.ozlabs.org/patch/1041647/
> 
> This allows to activate PIE only for some packages where we thing it is
> necessary and not only globally for all of them.
> 
> Hauke Mehrtens (6):
>   buildsystem: Make PIE ASLR option tristate
>   dnsmasq: Activate PIE by default
>   dropbear: Activate PIE by default
>   hostapd: Activate PIE by default
>   uhttpd: Activate PIE by default
>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
> 
>  config/Config-build.in                       | 22 ++++++++++++++++----
>  include/hardening.mk                         |  9 +++++++-
>  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
>  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
>  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
>  package/network/config/ltq-vdsl-app/Makefile |  1 -
>  package/network/services/dnsmasq/Makefile    |  1 +
>  package/network/services/dropbear/Makefile   |  1 +
>  package/network/services/hostapd/Makefile    |  1 +
>  package/network/services/uhttpd/Makefile     |  1 +
>  13 files changed, 30 insertions(+), 13 deletions(-)

I think ASLRs value needs to be evaluated especially due to the 
performance penalty (hostapd mainly in that regard) and not to forget 
size increase depending on for how long OpenWrt intends to keep 8Mbyte 
devices around as 4Mbyte devices are more or less unsupported by now. 
It's probably a better idea to only enable it on aarch64 and x86-64 
where size isn't as much of a concern and where it probably(?) receives 
most exposure to avoid uncessary breakage.

http://intx0x80.blogspot.com/2018/04/bypass-aslrnx-part-1.html
https://svnweb.freebsd.org/base?view=revision&revision=343964
Might also be worth taking into consideration.

Best regards,
Daniel
Hauke Mehrtens Oct. 30, 2019, 3:30 p.m. UTC | #2
On 10/28/19 10:14 AM, Daniel Engberg wrote:
> On 2019-10-27 18:44, Hauke Mehrtens wrote:
>> This is a follow up patch on this discussion on the mailing list:
>> https://patchwork.ozlabs.org/patch/1041647/
>>
>> This allows to activate PIE only for some packages where we thing it is
>> necessary and not only globally for all of them.
>>
>> Hauke Mehrtens (6):
>>   buildsystem: Make PIE ASLR option tristate
>>   dnsmasq: Activate PIE by default
>>   dropbear: Activate PIE by default
>>   hostapd: Activate PIE by default
>>   uhttpd: Activate PIE by default
>>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>>
>>  config/Config-build.in                       | 22 ++++++++++++++++----
>>  include/hardening.mk                         |  9 +++++++-
>>  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
>>  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
>>  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
>>  package/network/config/ltq-vdsl-app/Makefile |  1 -
>>  package/network/services/dnsmasq/Makefile    |  1 +
>>  package/network/services/dropbear/Makefile   |  1 +
>>  package/network/services/hostapd/Makefile    |  1 +
>>  package/network/services/uhttpd/Makefile     |  1 +
>>  13 files changed, 30 insertions(+), 13 deletions(-)
> 
> I think ASLRs value needs to be evaluated especially due to the
> performance penalty (hostapd mainly in that regard) and not to forget
> size increase depending on for how long OpenWrt intends to keep 8Mbyte
> devices around as 4Mbyte devices are more or less unsupported by now.
> It's probably a better idea to only enable it on aarch64 and x86-64
> where size isn't as much of a concern and where it probably(?) receives
> most exposure to avoid uncessary breakage.
> 
> http://intx0x80.blogspot.com/2018/04/bypass-aslrnx-part-1.html
> https://svnweb.freebsd.org/base?view=revision&revision=343964
> Might also be worth taking into consideration.
> 
> Best regards,
> Daniel

Yes ASLR is not preventing any exploits it just makes it harder for an
attacker like most other mechanisms too. Especially on 32 bit platforms
like MIPS 32 bit and ARM 32 bit we only use 8 bit of the address for
ASLR, on 64 bit platforms this feature is a lot more useful as we have a
lot more bits.

I am wondering why the kernel takes CONFIG_ARCH_MMAP_RND_BITS_MIN as the
default for CONFIG_ARCH_MMAP_RND_BITS and not the max value, on MIPS 32
bit min is 8 bits and max is 16 bit.
https://elixir.bootlin.com/linux/v4.19.79/source/arch/Kconfig#L598

Do you know any benchmark results measuring the performance penalty of
ASLR and PIE?

Hauke
Hauke Mehrtens Jan. 7, 2020, 10:21 p.m. UTC | #3
On 10/27/19 6:44 PM, Hauke Mehrtens wrote:
> This is a follow up patch on this discussion on the mailing list:
> https://patchwork.ozlabs.org/patch/1041647/
> 
> This allows to activate PIE only for some packages where we thing it is 
> necessary and not only globally for all of them.
> 
> Hauke Mehrtens (6):
>   buildsystem: Make PIE ASLR option tristate
>   dnsmasq: Activate PIE by default
>   dropbear: Activate PIE by default
>   hostapd: Activate PIE by default
>   uhttpd: Activate PIE by default
>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
> 
>  config/Config-build.in                       | 22 ++++++++++++++++----
>  include/hardening.mk                         |  9 +++++++-
>  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
>  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
>  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
>  package/network/config/ltq-vdsl-app/Makefile |  1 -
>  package/network/services/dnsmasq/Makefile    |  1 +
>  package/network/services/dropbear/Makefile   |  1 +
>  package/network/services/hostapd/Makefile    |  1 +
>  package/network/services/uhttpd/Makefile     |  1 +
>  13 files changed, 30 insertions(+), 13 deletions(-)
> 

Hi,

I would like to apply these patches to master?

Are there any objections to this? I already activated LTO to reduce the
size for all these components and the lantiq patch is already applied.

Hauke
Rosen Penev Jan. 8, 2020, 1:24 a.m. UTC | #4
On Tue, Jan 7, 2020 at 2:21 PM Hauke Mehrtens <hauke@hauke-m.de> wrote:
>
> On 10/27/19 6:44 PM, Hauke Mehrtens wrote:
> > This is a follow up patch on this discussion on the mailing list:
> > https://patchwork.ozlabs.org/patch/1041647/
> >
> > This allows to activate PIE only for some packages where we thing it is
> > necessary and not only globally for all of them.
> >
> > Hauke Mehrtens (6):
> >   buildsystem: Make PIE ASLR option tristate
> >   dnsmasq: Activate PIE by default
> >   dropbear: Activate PIE by default
> >   hostapd: Activate PIE by default
> >   uhttpd: Activate PIE by default
> >   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
> >
> >  config/Config-build.in                       | 22 ++++++++++++++++----
> >  include/hardening.mk                         |  9 +++++++-
> >  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
> >  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
> >  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
> >  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
> >  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
> >  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
> >  package/network/config/ltq-vdsl-app/Makefile |  1 -
> >  package/network/services/dnsmasq/Makefile    |  1 +
> >  package/network/services/dropbear/Makefile   |  1 +
> >  package/network/services/hostapd/Makefile    |  1 +
> >  package/network/services/uhttpd/Makefile     |  1 +
> >  13 files changed, 30 insertions(+), 13 deletions(-)
> >
>
> Hi,
>
> I would like to apply these patches to master?
>
> Are there any objections to this? I already activated LTO to reduce the
> size for all these components and the lantiq patch is already applied.
ACK from me.
>
> Hauke
>
Petr Štetiar Jan. 8, 2020, 6:24 a.m. UTC | #5
Hauke Mehrtens <hauke@hauke-m.de> [2020-01-07 23:21:19]:

Hi,

thanks for your work.

> > Hauke Mehrtens (6):
> >   buildsystem: Make PIE ASLR option tristate
> >   dnsmasq: Activate PIE by default
> >   dropbear: Activate PIE by default
> >   hostapd: Activate PIE by default
> >   uhttpd: Activate PIE by default
> >   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers

just wondering, if there is any particular reason for leaving odhcp6c and
odhcpd out as this are network exposed services and running in default
install.

Thinking about it now, we should probably consider ubus, procd, rpcd and
cgi-io (perhaps missed something) which might possibly process malicious
inputs as well.

BTW I'm wondering how does this work with the shared libraries, like musl
libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
in order to get `TARGET_LDFLAGS += $(FPIC)
-specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?

> I would like to apply these patches to master?

I don't know if you've something newer in your tree, just looked at your aslr
branch in your staging tree:

 + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)

Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
reason for !SDK? That way binary/library.

> Are there any objections to this? I already activated LTO to reduce the
> size for all these components and the lantiq patch is already applied.

I don't have any objections, I welcome this additional hardening. Which branch
can I use for runtime testing? I plan to test it and give you my Acked-by.

-- ynezz
Hauke Mehrtens Jan. 8, 2020, 11:10 p.m. UTC | #6
On 1/8/20 7:24 AM, Petr Štetiar wrote:
> Hauke Mehrtens <hauke@hauke-m.de> [2020-01-07 23:21:19]:
> 
> Hi,
> 
> thanks for your work.
> 
>>> Hauke Mehrtens (6):
>>>   buildsystem: Make PIE ASLR option tristate
>>>   dnsmasq: Activate PIE by default
>>>   dropbear: Activate PIE by default
>>>   hostapd: Activate PIE by default
>>>   uhttpd: Activate PIE by default
>>>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
> 
> just wondering, if there is any particular reason for leaving odhcp6c and
> odhcpd out as this are network exposed services and running in default
> install.

I just didn't thought about them. We could just add an extra patch to
activate it for them too.

> Thinking about it now, we should probably consider ubus, procd, rpcd and
> cgi-io (perhaps missed something) which might possibly process malicious
> inputs as well.

Then we have more or less everything. ;-)

> BTW I'm wondering how does this work with the shared libraries, like musl
> libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
> in order to get `TARGET_LDFLAGS += $(FPIC)
> -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?

Shared libraries are always linked position independent and then the
kernel is already loading them to random address offsets.

>> I would like to apply these patches to master?
> 
> I don't know if you've something newer in your tree, just looked at your aslr
> branch in your staging tree:

You can find the newest version here:
https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/aslr

>  + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
> 
> Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
> reason for !SDK? That way binary/library.

When something is build in the SDK I always want to use
PKG_ASLR_PIE_REGULAR by default. In our build infrastructure we build
packages common to multiple targets in the SDK and there I always want
to use PKG_ASLR_PIE_REGULAR as default option to activate ASLR when the
same package is used on a tiny and a normal target. I hope it will work
like this. I want to prevent that some tiny target is used to build the
additional packages and then this gets accidentally deactivated.

>> Are there any objections to this? I already activated LTO to reduce the
>> size for all these components and the lantiq patch is already applied.
> 
> I don't have any objections, I welcome this additional hardening. Which branch
> can I use for runtime testing? I plan to test it and give you my Acked-by.

The disadvantage is that the size increases, otherwise I would activate
it for all binaries.

This is one example for dropbear:
------------------------------------------------------------------------
root@OpenWrt:/# cat /proc/1200/maps
5561e000-5564d000 r-xp 00000000 fe:00 1024       /usr/sbin/dropbear
5565d000-5565e000 r-xp 0002f000 fe:00 1024       /usr/sbin/dropbear
5565e000-5565f000 rwxp 00030000 fe:00 1024       /usr/sbin/dropbear
77e89000-77eab000 r-xp 00000000 fe:00 288        /lib/libgcc_s.so.1
77eab000-77eac000 r-xp 00012000 fe:00 288        /lib/libgcc_s.so.1
77eac000-77ead000 rwxp 00013000 fe:00 288        /lib/libgcc_s.so.1
77ead000-77f44000 r-xp 00000000 fe:00 286        /lib/libc.so
77f53000-77f55000 rwxp 00096000 fe:00 286        /lib/libc.so
77f55000-77f57000 rwxp 00000000 00:00 0
7fc95000-7fcb6000 rw-p 00000000 00:00 0          [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff70000-7ff72000 r--p 00000000 00:00 0          [vvar]
7ff72000-7ff73000 r-xp 00000000 00:00 0          [vdso]
root@OpenWrt:/# /etc/init.d/dropbear restart
root@OpenWrt:/# ps |grep dropbear
 2299 root      1108 S    /usr/sbin/dropbear -F -P
/var/run/dropbear.1.pid -p
 2315 root      1212 S    grep dropbear
root@OpenWrt:/# cat /proc/2299/maps
55557000-55586000 r-xp 00000000 fe:00 1024       /usr/sbin/dropbear
55596000-55597000 r-xp 0002f000 fe:00 1024       /usr/sbin/dropbear
55597000-55598000 rwxp 00030000 fe:00 1024       /usr/sbin/dropbear
77f12000-77f34000 r-xp 00000000 fe:00 288        /lib/libgcc_s.so.1
77f34000-77f35000 r-xp 00012000 fe:00 288        /lib/libgcc_s.so.1
77f35000-77f36000 rwxp 00013000 fe:00 288        /lib/libgcc_s.so.1
77f36000-77fcd000 r-xp 00000000 fe:00 286        /lib/libc.so
77fdc000-77fde000 rwxp 00096000 fe:00 286        /lib/libc.so
77fde000-77fe0000 rwxp 00000000 00:00 0
7fcbc000-7fcdd000 rw-p 00000000 00:00 0          [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff73000-7ff75000 r--p 00000000 00:00 0          [vvar]
7ff75000-7ff76000 r-xp 00000000 00:00 0          [vdso]
root@OpenWrt:/#
------------------------------------------------------------------------

All sections are loaded to different addresses the second time, except
7fefc000 ;-)

Hauke
Rosen Penev Jan. 9, 2020, 12:49 a.m. UTC | #7
> On Jan 8, 2020, at 3:10 PM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
> 
> On 1/8/20 7:24 AM, Petr Štetiar wrote:
>> Hauke Mehrtens <hauke@hauke-m.de> [2020-01-07 23:21:19]:
>> 
>> Hi,
>> 
>> thanks for your work.
>> 
>>>> Hauke Mehrtens (6):
>>>>  buildsystem: Make PIE ASLR option tristate
>>>>  dnsmasq: Activate PIE by default
>>>>  dropbear: Activate PIE by default
>>>>  hostapd: Activate PIE by default
>>>>  uhttpd: Activate PIE by default
>>>>  lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>> 
>> just wondering, if there is any particular reason for leaving odhcp6c and
>> odhcpd out as this are network exposed services and running in default
>> install.
> 
> I just didn't thought about them. We could just add an extra patch to
> activate it for them too.
> 
>> Thinking about it now, we should probably consider ubus, procd, rpcd and
>> cgi-io (perhaps missed something) which might possibly process malicious
>> inputs as well.
> 
> Then we have more or less everything. ;-)
> 
>> BTW I'm wondering how does this work with the shared libraries, like musl
>> libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
>> in order to get `TARGET_LDFLAGS += $(FPIC)
>> -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?
> 
> Shared libraries are always linked position independent and then the
> kernel is already loading them to random address offsets.
> 
>>> I would like to apply these patches to master?
>> 
>> I don't know if you've something newer in your tree, just looked at your aslr
>> branch in your staging tree:
> 
> You can find the newest version here:
> https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/aslr
> 
>> + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
>> 
>> Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
>> reason for !SDK? That way binary/library.
> 
> When something is build in the SDK I always want to use
> PKG_ASLR_PIE_REGULAR by default. In our build infrastructure we build
> packages common to multiple targets in the SDK and there I always want
> to use PKG_ASLR_PIE_REGULAR as default option to activate ASLR when the
> same package is used on a tiny and a normal target. I hope it will work
> like this. I want to prevent that some tiny target is used to build the
> additional packages and then this gets accidentally deactivated.
> 
>>> Are there any objections to this? I already activated LTO to reduce the
>>> size for all these components and the lantiq patch is already applied.
>> 
>> I don't have any objections, I welcome this additional hardening. Which branch
>> can I use for runtime testing? I plan to test it and give you my Acked-by.
> 
> The disadvantage is that the size increases, otherwise I would activate
> it for all binaries.
> 
> This is one example for dropbear:
> ------------------------------------------------------------------------
> root@OpenWrt:/# cat /proc/1200/maps
> 5561e000-5564d000 r-xp 00000000 fe:00 1024       /usr/sbin/dropbear
> 5565d000-5565e000 r-xp 0002f000 fe:00 1024       /usr/sbin/dropbear
> 5565e000-5565f000 rwxp 00030000 fe:00 1024       /usr/sbin/dropbear
> 77e89000-77eab000 r-xp 00000000 fe:00 288        /lib/libgcc_s.so.1
> 77eab000-77eac000 r-xp 00012000 fe:00 288        /lib/libgcc_s.so.1
> 77eac000-77ead000 rwxp 00013000 fe:00 288        /lib/libgcc_s.so.1
> 77ead000-77f44000 r-xp 00000000 fe:00 286        /lib/libc.so
> 77f53000-77f55000 rwxp 00096000 fe:00 286        /lib/libc.so
> 77f55000-77f57000 rwxp 00000000 00:00 0
> 7fc95000-7fcb6000 rw-p 00000000 00:00 0          [stack]
> 7fefc000-7fefd000 r-xp 00000000 00:00 0
> 7ff70000-7ff72000 r--p 00000000 00:00 0          [vvar]
> 7ff72000-7ff73000 r-xp 00000000 00:00 0          [vdso]
> root@OpenWrt:/# /etc/init.d/dropbear restart
> root@OpenWrt:/# ps |grep dropbear
> 2299 root      1108 S    /usr/sbin/dropbear -F -P
> /var/run/dropbear.1.pid -p
> 2315 root      1212 S    grep dropbear
> root@OpenWrt:/# cat /proc/2299/maps
> 55557000-55586000 r-xp 00000000 fe:00 1024       /usr/sbin/dropbear
> 55596000-55597000 r-xp 0002f000 fe:00 1024       /usr/sbin/dropbear
> 55597000-55598000 rwxp 00030000 fe:00 1024       /usr/sbin/dropbear
> 77f12000-77f34000 r-xp 00000000 fe:00 288        /lib/libgcc_s.so.1
> 77f34000-77f35000 r-xp 00012000 fe:00 288        /lib/libgcc_s.so.1
> 77f35000-77f36000 rwxp 00013000 fe:00 288        /lib/libgcc_s.so.1
> 77f36000-77fcd000 r-xp 00000000 fe:00 286        /lib/libc.so
> 77fdc000-77fde000 rwxp 00096000 fe:00 286        /lib/libc.so
> 77fde000-77fe0000 rwxp 00000000 00:00 0
> 7fcbc000-7fcdd000 rw-p 00000000 00:00 0          [stack]
> 7fefc000-7fefd000 r-xp 00000000 00:00 0
> 7ff73000-7ff75000 r--p 00000000 00:00 0          [vvar]
> 7ff75000-7ff76000 r-xp 00000000 00:00 0          [vdso]
> root@OpenWrt:/#
> ------------------------------------------------------------------------
> 
> All sections are loaded to different addresses the second time, except
> 7fefc000 ;-)
Yousong has a patch that gets rid of that. What happened to it?
> 
> Hauke
>