#779615 Please enable more hardening flags

Package:
iceweasel
Source:
firefox-esr
Submitter:
Florent Daigniere
Date:
2015-03-03 04:36:04 UTC
Severity:
wishlist
Tags:
#779615#5
Date:
2011-12-24 22:40:02 UTC
From:
To:
Please source the hardened build flags from dpkg-buildflags for
CPPFLAGS, CXXFLAGS and LDFLAGS for the iceweasel build.

Cheers,
        Moritz

#779615#10
Date:
2011-12-26 07:43:18 UTC
From:
To:
FWIW, dpkg-buildflags is extremely unuseful for that, because it mixes
hardening flags with other flags.

Mike

#779615#17
Date:
2011-12-31 14:20:27 UTC
From:
To:
Is that because you use a different optimization level other than
O2?

I've noticed that issue with a couple of packages, so I'm considering to
submit a patch for dpkg-buildflags, but I'd like to know if you see
different issues?

Cheers,
        Moritz

#779615#22
Date:
2012-01-01 09:59:28 UTC
From:
To:
Yeah basically I like that the old way of doing hardening didn't mess
with other flags. Though I'm not sure I like that there's not much of a
fine grained tuning. For instance, I'm not sure -z relro buys anything
worth, while it may have a significant startup performance impact on big
applications. (and if I'm not mistaken, -z relro actually makes things
not work with selinux, seeing how selinux already breaks the mprotect
that removes the write bit on code sections after text relocations)

Mike

#779615#27
Date:
2012-01-14 12:34:45 UTC
From:
To:
DEB_CFLAGS_MAINT_APPEND can be used to select different optimisation levels,
see 653846.

dpkg-buildflags support fine-grained tuning, e.g. relro can be disabled by
this:

jmm@pisco:~$ DEB_BUILD_MAINT_OPTIONS="hardening=-relro" dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS=

jmm@pisco:~$ dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS=-Wl,-z,relro

IIRC you work on startup performance at Mozilla, so I won't argue with
you on that :-)

But it would be nice if you could enable the protected stack and fortified
source features for iceweasel and iceape.

I'm not aware of such problems. Many high-profile apps in Debian have used
relro for quite some time and Ubuntu has it enabled it distro-wide for at
least two releases.

(Support for selinux in Debian is marginal at best, anyway.)

Cheers,
        Moritz

#779615#32
Date:
2012-03-07 20:28:31 UTC
From:
To:
Dear Maintainer,

Can you start building packages with the other hardening options, even if RELRO
is left behind for now?

Regards,
        Florent

#779615#37
Date:
2012-04-18 08:06:00 UTC
From:
To:
tags 653191 + patch
thanks

Hi Mike,

Moritz Mühlenhoff wrote (14 Jan 2012 12:34:45 GMT) :

The attached patch enables the protected stack and fortified source
build flags.

Given concerns were raised regarding dpkg-buildflags injecting
non-hardening flags, the attached patch uses the DEB_*_MAINT_STRIP
variables to strip any such non-hardening flags dpkg-buildflags would
normally inject (namely: -g -O2).

The resulting binary (10.0.3esr-3 + my patch) works fine for me on my
Debian sid system.

For the record, I have intentionally left relro, bindnow and PIE for
further discussion and iterations: better have iceweasel built with
minimal hardening flags than none. Note, though, that Ubuntu's Firefox
binary has been built with all these features for a while; any idea
how other major distributions do?

Regards,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

#779615#56
Date:
2013-10-09 08:05:39 UTC
From:
To:
Hi,

As of today, with current Sid on amd64:

$hardening-check /usr/bin/iceweasel
/usr/bin/iceweasel:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

Is it possible to re-consider enabling the other hardening options?
Namely PIE, RELRO and BINDNOW

Virtually all the other distributions enable all hardening bells and
whistles as they consider web-browsers critical packages. IMHO
 firefox had enough memory corruption bugs documented over the years
 to warrant the performance cost of enabling these options.

Regards,
	Florent

#779615#61
Date:
2013-10-09 08:54:24 UTC
From:
To:
Hi Florent & all,

Florent Daigniere wrote (09 Oct 2013 08:05:39 GMT) :

Thank you for raising this again.

Summing up previous discussion so that we don't have to rehash it:

  * Mike Hommey wrote: "I'm really not a big fan of -Wl,-z,relro
    and -Wl,-z,now. For instance, I'm not sure -z relro buys anything
    worth, while it may have a significant startup performance impact
    on big applications. (and if I'm not mistaken, -z relro actually
    makes things not work with selinux, seeing how selinux already
    breaks the mprotect that removes the write bit on code sections
    after text relocations)."

  * Moritz replied that he had doubts about the relro part, and that
    "Support for selinux in Debian is marginal at best, anyway".

Regarding relro and bindnow, could anyone with the relevant skills
please sum up what kind of attacks this protects against, what are the
limitations in terms of security, and what is the performance cost in
the context of something like Iceweasel? Cc'ing Jake in case he feels
like giving a hand :)

Mike, I don't think you put it clearly why you may dislike -Wl,-z,now
yet — could you please elaborate?

Regarding SELinux, there's now a release goal proposal [1] for Jessie,
but it didn't seem to get any more serious traction than the rest of
SELinux work in Debian these days. I can only wish them good luck, but
I cannot say I'm convinced this goal will be reached.

[1] https://wiki.debian.org/ReleaseGoals/SELinux

Indeed, Ubuntu enables all of PIE, stack protected, Fortify Source
functions, Read-only relocations, and Immediate binding. They're doing
it with hardening-wrapper. I failed to port this to the Iceweasel
packaging (FTBFS, IIRC), but I didn't try that hard. It might be that
they're relying on their gcc hardening patches too (if that still
applies these days, I guess Moritz will know better).

Cheers,

#779615#66
Date:
2013-10-09 09:30:07 UTC
From:
To:
Am I reading correctly - there is no objection to enabling PIE (ASLR)
here?

Is it a done deal? :)
https://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf section
"6.1.1 GOT Overwrite" sums it up nicely (the document is from 2001,
there's obviously prior art... but the technique hasn't changed)

About the performance cost:
Very likely to be irrelevant compared to enabling PIE. All the linker
hardening options will slow the program start-up down... whereas PIE
will slow runtime down.

About each individual option:
http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

-> The conclusion is that security-wise you want both. From the link
above:
"Interim conclusion: In case of a bss or data overflow bug partial and
full RELRO protect the ELF internal data sections from being overwritten
(as the ELF sections are reordered). Only full RELRO mitigates the well
known technique of modifying a GOT entry to get control over the program
execution flow"


Regards,
	Florent

#779615#67
Date:
2014-02-20 13:55:19 UTC
From:
To:
Hello

As can be seen here, the version of firefox in unstable builds with the
hardening flags
https://buildd.debian.org/status/fetch.php?pkg=iceweasel&arch=i386&ver=24.3.0esr-1&stamp=1391622521

 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2


etc

So, closing this bug
S