Security hardening for Debian
Making the programs in a distribution more resistant to exploits—a process known as hardening—is a fairly common way to reduce the attack surface for the distribution. Many distributions have made an effort in this area, with some adding in an overall security architecture, like AppArmor for SUSE or SELinux for Red Hat and Fedora distributions. Debian is currently looking at enabling some hardening features, potentially throughout a large swath of packages that it distributes. The features being considered and the concerns raised provide an interesting look at the tradeoffs.
A posting to debian-devel-announce regarding hardening features for Lenny started the conversation. Those packages that are most susceptible—network services, packages that parse files from untrusted sources, or those that have been the subject of a security alert—should enable a set of security tools that will help deflect attacks against them. Various attacks rely upon certain characteristics of Linux binaries that allow them to be exploited. By altering the way the binaries are built, those particular threats can be mitigated.
The experimental hardening-wrapper package makes enabling the various toolchain differences as easy as setting DEB_BUILD_HARDENING=1 in the environment. This will change gcc, g++, and ld to use the desired flags when building packages. Each hardening feature can also be disabled separately by setting DEB_BUILD_HARDENING_xyzzy=0 (where xyzzy is the name of a hardening feature) if they cause build or performance problems for a particular package.
The specific features enabled are described in the original posting as well as with more detail on the Debian wiki entry for Hardening. They are:
- using -Wformat to catch printf() family calls that do not have a string literal for the format string which can lead to problems if the argument came from an untrusted source and contains format specifiers.
- using -D_FORTIFY_SOURCE_ to validate glibc calls such as strcpy() when the buffer sizes are known at compile time, which can help stop buffer overflow attacks.
- using -fstack-protector to thwart most stack smashing attacks.
- creating Position Independent Executables (PIE) which facilitates using the Address Space Layout Randomization that is available in some kernels. This makes it difficult for an attacker to have any knowledge of what the addresses for the program's sections will look like.
- using ld -z relro to change certain sections to be read-only once ld has made its modifications while loading the program. This can thwart attacks that try to overwrite the Global Offset Table (GOT).
Many other distributions have already been down this path: Gentoo has a page describing their hardened toolchain, Mark Cox of Red Hat has a detailed look at the evolution of security features in Red Hat and Fedora releases, OpenSUSE has a page about its security features, and so on. There is a price to be paid in binary size, execution speed, and cache behavior for these techniques, but for most environments, where resources are not massively constrained, the cost is worth it. It makes new attacks against those systems more difficult to design, which will make users and administrators sleep a little better at night.
| Index entries for this article | |
|---|---|
| Security | Distribution security |
| Security | Hardening |
Posted Feb 7, 2008 5:37 UTC (Thu)
by jimparis (guest, #38647)
[Link] (1 responses)
Posted Feb 7, 2008 12:45 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Feb 7, 2008 21:19 UTC (Thu)
by jengelh (guest, #33263)
[Link] (1 responses)
Posted Feb 7, 2008 21:52 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Security hardening for Debian
For format string attacks, why isn't there a simple option to just disable "%n" processing
entirely? So few applications actually need it. You'd still be vulnerable to information
disclosure if you process an untrusted format string, but an actual exploit capable of running
external code should be nigh impossible without %n.
Security hardening for Debian
That's pretty much how -D_FORTIFY_SOURCE=2 differs from -D_FORTIFY_SOURCE. (Debian is using
the former.)
Security hardening for Debian
-D_FORTIFY_SOURCE, not -D_FORTIFY_SOURCE_.
(It takes a value, so is -D_FORTIFY_SOURCE=2 actually, for example.)
openSUSE uses FORTIFY_SOURCE for all packages for quite some time now, I am somehow always
amazed how some popular distros lag behind simple features.
I also remember finding a buffer "overflow" (now corrected) in btrfs 0.10 - but only with
-D_FORTIFY_SOURCE=2 (it just did not fire without fortification, and you do not immediately
think of running valgrind on everything you get to execute), so this macro is really useful.
Security hardening for Debian
Likewise me, a bug in GNU locate (probably nonexploitable) which only
triggers if compiled with -fstack-protector-all...
(that has quite a hefty performance hit, like PIE, so I only enable it for
Internet-facing services, and for everything in my firewall VMs.)