#702349 lintian should not complain about hardening for package written in pure Ocaml

#702349#5
Date:
2013-03-05 15:25:45 UTC
From:
To:
lintian should not complain about hardening for package written in
pure Ocaml [0],[1],[2]


[0] https://lists.debian.org/debian-ocaml-maint/2012/05/msg00091.html
[1] http://lintian.debian.org/maintainer/debian-ocaml-maint@lists.debian.org.html
[2] http://wiki.debian.org/HardeningWalkthrough#What_is_all_this_about.3F

Regards,

#702349#12
Date:
2013-03-05 15:35:17 UTC
From:
To:
Do ELF binaries produced by "pure" Ocaml have any distinct feature
that can be used to tell them apart from any other ELF binary?

~Niels

#702349#19
Date:
2013-03-05 19:57:01 UTC
From:
To:
On 05/03/2013 16:35, Niels Thykier wrote:

ELF binaries produced by the OCaml compiler always include a bit of C
code (the runtime), so they are never actually "pure".

I don't think that the lintian tag (whatever its level) should be
removed at the moment. I am not planning to have a deeper look at this
issue before next release or next debconf, though.


Cheers,

#702349#24
Date:
2013-03-06 08:37:00 UTC
From:
To:
Prach Pongpanich <prachpub@gmail.com> writes:

   lintian should not complain about hardening for package written in
   pure Ocaml [0],[1],[2]

The problem is that even pure OCaml contains enough features
that may permit arbitrary memory corruptions by an attacker. For
instance, String.unsafe_blit has no bounds checks, Obj.magic is
an unsafe cast, Marshal.from_channel may break the type
system, ...

Moreover, it is almost impossible to avoid these unsafe
functions, because they are used in the standard library.

In principle I agree that programs written in a certain subset
of OCaml do not need these hardening features. However, at the
moment this safe subset is not even identified...

Bye,

Hendrik

#702349#29
Date:
2013-03-06 09:41:55 UTC
From:
To:
On 06/03/2013 09:37, Hendrik Tews wrote:

OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
output) that could serve as a starting point for that.


Cheers,

#702349#34
Date:
2013-03-06 09:48:26 UTC
From:
To:
   OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
   output) that could serve as a starting point for that.

Yes, I tried this on

    let f b =
      let a = "abcde" in
      let c = Obj.magic b in
      String.unsafe_blit c 0 a 0 5

For the .cmo, ocamlobjinfo surprisingly reports

   Uses unsafe features: no

and for the .cmx it doesn't say anything about unsafe features.

Bye,

Hendrik

#702349#39
Date:
2013-03-06 09:55:06 UTC
From:
To:
On 06/03/2013 10:48, Hendrik Tews wrote:

But Obj (obviously) uses unsafe features!

Sure, Pervasives also uses unsafe features, but I was thinking about
adding some kind of whitelist system.

I was trying to be very cautious when I said "notion" and "starting
point" and put quotes around "unsafe"...


Cheers,

#702349#44
Date:
2014-01-06 15:24:38 UTC
From:
To:
Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
that while Ocaml packages produce ELF binaries they are not covered by
the hardening effort?

Cheers,
        Moritz

#702349#49
Date:
2014-02-03 16:42:35 UTC
From:
To:
On 06/01/2014 16:24, Moritz Muehlenhoff wrote:

I just did that.

BTW, the OCaml build system is quite messy and it will take longer than
expected to "fix" it for hardening...

Cheers,

#702349#54
Date:
2015-07-15 09:56:06 UTC
From:
To:
W: ocaml-base: hardening-no-relro usr/lib/ocaml/graphics.cmxs
W: ocaml-base: hardening-no-relro usr/lib/ocaml/stublibs/dllgraphics.so
W: ocaml-nox: hardening-no-relro usr/lib/ocaml/objinfo_helper
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/bigarray.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/nums.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/str.cmxs
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllbigarray.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllcamlstr.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllnums.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllunix.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/stublibs/dllvmthreads.so
W: ocaml-base-nox: hardening-no-relro usr/lib/ocaml/unix.cmxs

FWIW 'hardening-check ocamlopt.opt' now says:
ocamlopt.opt:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes


Although perhaps it'd be better to patch configure to include CCLINKFLAGS in $nativecclinkopts, in objinfo_helper's build command, and in the flag used for linking .so and .cmxs
(haven't found its name yet though). What do you think?

#702349#59
Date:
2015-07-15 13:37:22 UTC
From:
To:
block 702349 by 792502
Thanks

Updated patch attached, all the hardening-no-relro warnings are gone now.
I've opened a bug for the ocaml package.

#702349#66
Date:
2017-12-29 22:43:13 UTC
From:
To:
tags 702349 + moreinfo
thanks

Hi,

Any update on this? Does Lintian need to do anything anymore? :)


Regards,