lintian should not complain about hardening for packages written in pure Ocaml [0],[1],[2]

[0] https://lists.debian.org/debian-ocaml-maint/2012/05/msg00091.html
[1] http://lintian.debian.org/maintainer/debian-ocaml-maint@lists.debian.org.html
[2] http://wiki.debian.org/HardeningWalkthrough#What_is_all_this_about.3F

Regards,
Do ELF binaries produced by "pure" Ocaml have any distinct feature that can be used to tell them apart from any other ELF binary?

~Niels
On 05/03/2013 16:35, Niels Thykier wrote:

ELF binaries produced by the OCaml compiler always include a bit of C code (the runtime), so they are never actually "pure". I don't think that the lintian tag (whatever its level) should be removed at the moment. I am not planning to have a deeper look at this issue before next release or next debconf, though.

Cheers,
Prach Pongpanich <prachpub@gmail.com> writes:

lintian should not complain about hardening for packages written in pure Ocaml [0],[1],[2]

The problem is that even pure OCaml contains enough features that may permit arbitrary memory corruptions by an attacker. For instance, String.unsafe_blit has no bounds checks, Obj.magic is an unsafe cast, Marshal.from_channel may break the type system, ... Moreover, it is almost impossible to avoid these unsafe functions, because they are used in the standard library.

In principle I agree that programs written in a certain subset of OCaml do not need these hardening features. However, at the moment this safe subset is not even identified...

Bye,
Hendrik
On 06/03/2013 09:37, Hendrik Tews wrote:

OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo output) that could serve as a starting point for that.

Cheers,
OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
output) that could serve as a starting point for that.

Yes, I tried this on

  let f b =
    let a = "abcde" in
    let c = Obj.magic b in        (* unsafe cast: b is reinterpreted as a string *)
    String.unsafe_blit c 0 a 0 5  (* copies 5 bytes with no bounds check on either side *)

For the .cmo, ocamlobjinfo surprisingly reports

  Uses unsafe features: no

and for the .cmx it doesn't say anything about unsafe features.

Bye,
Hendrik
On 06/03/2013 10:48, Hendrik Tews wrote:

But Obj (obviously) uses unsafe features! Sure, Pervasives also uses unsafe features, but I was thinking about adding some kind of whitelist system. I was trying to be very cautious when I said "notion" and "starting point" and put quotes around "unsafe"...

Cheers,
Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
that while Ocaml packages produce ELF binaries they are not covered by
the hardening effort?
Cheers,
Moritz
On 06/01/2014 16:24, Moritz Muehlenhoff wrote:

I just did that. BTW, the OCaml build system is quite messy and it will take longer than expected to "fix" it for hardening...

Cheers,
W: ocaml-base: hardening-no-relro usr/lib/ocaml/graphics.cmxs
W: ocaml-base: hardening-no-relro usr/lib/ocaml/stublibs/dllgraphics.so
W: ocaml-nox: hardening-no-relro usr/lib/ocaml/objinfo_helper
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/bigarray.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/nums.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/str.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllbigarray.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllcamlstr.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllnums.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllunix.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllvmthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/unix.cmxs

FWIW 'hardening-check ocamlopt.opt' now says:

ocamlopt.opt:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Although perhaps it'd be better to patch configure to include CCLINKFLAGS in $nativecclinkopts, in objinfo_helper's build command, and in the flag used for linking .so and .cmxs (haven't found its name yet though). What do you think?
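The hardening-no-relro warnings and the hardening-check output above both come from reading ELF headers: RELRO is a PT_GNU_RELRO program header, immediate binding is DT_BIND_NOW (or the matching DF_BIND_NOW / DF_1_NOW flag) in the dynamic section, and the PIE line is the ET_DYN file type. The following checker is an added example, not code from this thread, from Lintian or from Debian's hardening-check; it handles little-endian ELF64 only and exercises itself on header-only ELF images it constructs in memory (these samples are synthetic, not real OCaml output).

```python
"""Minimal ELF64 hardening checker: RELRO, immediate binding, PIE.

Added example, not from the bug thread. It reads the same ELF structures
that readelf/hardening-check consult. Little-endian ELF64 only."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def parse_phdrs(data):
    """Return (e_type, [program header tuples]) or raise on a non-ELF64 input."""
    (ident, e_type, _mach, _ver, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, *_rest) = EHDR.unpack_from(data, 0)
    if ident[:4] != ELF_MAGIC or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    return e_type, phdrs


def dynamic_entries(data, phdrs):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment up to DT_NULL."""
    for p_type, _pflags, p_off, _va, _pa, p_filesz, *_rest in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_off, p_off + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def check_hardening(data):
    """Report the link-time properties Lintian and hardening-check look at."""
    e_type, phdrs = parse_phdrs(data)
    dyn = dict(dynamic_entries(data, phdrs))
    # hardening-no-relro fires when no PT_GNU_RELRO segment exists.
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # ET_DYN is the usual PIE heuristic for executables; a shared object is
    # also ET_DYN, so for .so/.cmxs files only DF_1_PIE would be conclusive.
    pie = e_type == ET_DYN or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE)
    return {"relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now, "pie": pie}


def build_sample_elf(pie=False, relro=False, bind_now=False):
    """Construct a header-only ELF64 image (no code) with the given properties.

    Constructed test input for the checker; it is not a real binary."""
    dyn_tags = [(DT_FLAGS, DF_BIND_NOW)] if bind_now else []
    dyn_tags.append((DT_NULL, 0))
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in dyn_tags)
    phnum = 2 if relro else 1
    dyn_off = EHDR.size + PHDR.size * phnum       # dynamic section follows phdrs
    phdrs = [PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0x1000, 0x1000,
                       len(dyn_blob), len(dyn_blob), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, 0x1000, 0x1000,
                               len(dyn_blob), len(dyn_blob), 1))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_blob


if __name__ == "__main__":
    for name, img in (("weak", build_sample_elf()),
                      ("partial-relro", build_sample_elf(relro=True)),
                      ("hardened", build_sample_elf(pie=True, relro=True, bind_now=True))):
        print(name, check_hardening(img))
```

Run against a real file with `check_hardening(open(path, "rb").read())`; a result with `relro` False is exactly the case that produces the hardening-no-relro tag, and `relro` without `bind_now` is the "partial RELRO" state where the GOT stays writable until lazy binding completes.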
block 702349 by 792502
Thanks

Updated patch attached, all the hardening-no-relro warnings are gone now. I've opened a bug for the ocaml package.
tags 702349 + moreinfo
thanks

Hi,

Any update on this? Does Lintian need to do anything anymore? :)

Regards,