build: add -Wl,-z,separate-code to hardening flags #19525
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Sounds good to me. I'm surprised that this wasn't already the case. Read-only code and data was already kept apart from writable data. I guess mixing read-only code and read-only data has a smaller security impact. But this is better. |
I think this is a good idea, but how would you go about this? It is not entirely trivial. I think you'd have to correlate sections with LOAD headers and check that data sections are in a separate LOAD command than text ones? Or maybe it's easier. Without the option there is no But with the option, there are: Also, LOADs with different flags than the previous one are page-aligned (they need to be, otherwise it wouldn't work with MMU permission bits). Maybe that's enough of a heuristic, I don't know. edit: the load offset for the writable data is curious: 0x00000000008f7920 is not page aligned, and right after the read-only data, does this mean read-only and read-write data are stilll allowed to share a page? |
Guix builds
|
|
I've implemented a security check here: https://github.com/laanwj/bitcoin/tree/2020_07_separate_code_security_check I think it's correct, though it might be too strict, it might be enough to spot-check only a few sections like |
d9315ea to
9ae9b2a
Compare
@laanwj I've pulled in that commit, and queued up some builds. We'll see how it goes. |
Guix builds
|
|
|
That's strange. It works locally for x86_64. This temporary patch might help figure out, it prints the mismatching sections and complete diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 4f315e10d1d69157f93dfc47e1be8f3deb07a11a..dd16c132dfdf275b3767e8e230988f6d1343a14f 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -178,11 +178,15 @@ def check_ELF_separate_code(executable):
flags_per_section[section] = flags
# Spot-check ELF LOAD program header flags per section
# If these sections exist, check them against the expected R/W/E flags
+ retval = True
for (section, flags) in flags_per_section.items():
if section in EXPECTED_FLAGS:
if EXPECTED_FLAGS[section] != flags:
- return False
- return True
+ print(f"Section {section} {flags} != {EXPECTED_FLAGS[section]}")
+ retval = False
+ if not retval:
+ subprocess.run([READELF_CMD, '-l', '-W', executable])
+ return retval
def get_PE_dll_characteristics(executable) -> int:
'''Get PE DllCharacteristics bits''' |
Gitian builds
|
|
guix error also on gitian: |
Thanks. I can recreate some issues locally, have been taking a look today. |
fanquake
commented
Jul 27, 2020
| '.plt.sec': 'R E', | ||
| '.text': 'R E', | ||
| '.fini': 'R E', | ||
| # Read-only data |
There was a problem hiding this comment.
There are some additional sections we can add here. Such as .qtmetadata and .gcc_except_table.
There was a problem hiding this comment.
Agreed, but let's get it to pass first !
I'm still spooked by this, by the way. Not sure if it is an (upstream) bug or expected behavior. I thought about adding a check that LOAD ranges with different permissions don't overlap on the same memory pages, but this is a clear violation of this, making the separation less effective. (in any case, not a reason to not move forward with this as it is, better is better) Edit: it does seem to work out locally, maybe I just miscounted? I've added a per-page permission check in this commit: laanwj@9d9fcef |
laanwj
added a commit
to laanwj/bitcoin
that referenced
this pull request
Jul 27, 2020
9ae9b2a devtools: Add security check for separate_code (Wladimir J. van der Laan) 83b8ba0 build: add -Wl,-z,separate-code to hardening flags (fanquake) Pull request description: TLDR: We are generally explicit about the hardening related flags we use, rather than letting the distro / toolchain decide via their defaults. This PR adds `-z,separate-code` which has been enabled by default for Linux targets since binutils 2.31. Ubuntu Bionic (currently used for gitian) ships with binutils 2.30, so this will enable the option for those builds. This flag was added to binutils/ld in the 2.30 release, see commit c11c786f0b45617bb8807ab6a57220d5ff50e414: > The new "-z separate-code" option will generate separate code LOAD segment which must be in wholly disjoint pages from any other data. It was made the default for Linux/x86 targets in the 2.31 release, see commit f6aec96dce1ddbd8961a3aa8a2925db2021719bb: > This patch adds --enable-separate-code to ld configure to turn on -z separate-code by default and enables it by default for Linux/x86. This avoids mixing code pages with data to improve cache performance as well as security. > To reduce x86-64 executable and shared object sizes, the maximum page size is reduced from 2MB to 4KB when -z separate-code is turned on by default. Note: -z max-page-size= can be used to set the maximum page size. > We compared SPEC CPU 2017 performance before and after this change on Skylake server. There are no any significant performance changes. Everything is mostly below +/-1%. Support was also added to LLVMs lld: https://reviews.llvm.org/D64903, however there it remains off by default. There were concerns about an increase in binary size, however in our case, the difference would seem negligible, given we are shipping a multi-megabyte binary, which then downloads 100's of GBs of data. Also note that most recent versions of distros are shipping a new enough version of binutils that this is available and/or already on by default (assuming the distro has not turned it off, I haven't checked everywhere): CentOS 8: 2.30 Debian Buster 2.31.1 Fedora 29: 2.31.1 FreeBSD: 2.33 GNU Guix: 2.33 / 2.34 Ubuntu 18.04: 2.30 Related threads / discussion: https://bugzilla.redhat.com/show_bug.cgi?id=1623218 The ELF header when building on Debian Buster (where it's already enabled by default in binutils): ```bash Program Header: PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3 filesz 0x00000000000002a0 memsz 0x00000000000002a0 flags r-- INTERP off 0x00000000000002e0 vaddr 0x00000000000002e0 paddr 0x00000000000002e0 align 2**0 filesz 0x000000000000001c memsz 0x000000000000001c flags r-- LOAD off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12 filesz 0x0000000000038f10 memsz 0x0000000000038f10 flags r-- LOAD off 0x0000000000039000 vaddr 0x0000000000039000 paddr 0x0000000000039000 align 2**12 filesz 0x00000000006b9389 memsz 0x00000000006b9389 flags r-x LOAD off 0x00000000006f3000 vaddr 0x00000000006f3000 paddr 0x00000000006f3000 align 2**12 filesz 0x0000000000204847 memsz 0x0000000000204847 flags r-- LOAD off 0x00000000008f7920 vaddr 0x00000000008f8920 paddr 0x00000000008f8920 align 2**12 filesz 0x00000000000183e0 memsz 0x0000000000022fd0 flags rw- DYNAMIC off 0x000000000090adb0 vaddr 0x000000000090bdb0 paddr 0x000000000090bdb0 align 2**3 filesz 0x0000000000000240 memsz 0x0000000000000240 flags rw- ``` vs when opting out using `-Wl,-z,noseparate-code`: ```bash Program Header: PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3 filesz 0x0000000000000230 memsz 0x0000000000000230 flags r-- INTERP off 0x0000000000000270 vaddr 0x0000000000000270 paddr 0x0000000000000270 align 2**0 filesz 0x000000000000001c memsz 0x000000000000001c flags r-- LOAD off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12 filesz 0x00000000008f6a87 memsz 0x00000000008f6a87 flags r-x LOAD off 0x00000000008f7920 vaddr 0x00000000008f8920 paddr 0x00000000008f8920 align 2**12 filesz 0x00000000000183e0 memsz 0x0000000000022fd0 flags rw- DYNAMIC off 0x000000000090adb0 vaddr 0x000000000090bdb0 paddr 0x000000000090bdb0 align 2**3 filesz 0x0000000000000240 memsz 0x0000000000000240 flags rw- ```
This flag was added to binutils/ld in the 2.30 release, see commit c11c786f0b45617bb8807ab6a57220d5ff50e414: > The new "-z separate-code" option will generate separate code LOAD segment which must be in wholly disjoint pages from any other data. It was made the default for Linux/x86 targets in the 2.31 release, see commit f6aec96dce1ddbd8961a3aa8a2925db2021719bb: > This patch adds --enable-separate-code to ld configure to turn on -z separate-code by default and enables it by default for Linux/x86. This avoids mixing code pages with data to improve cache performance as well as security. > To reduce x86-64 executable and shared object sizes, the maximum page size is reduced from 2MB to 4KB when -z separate-code is turned on by default. Note: -z max-page-size= can be used to set the maximum page size. > We compared SPEC CPU 2017 performance before and after this change on Skylake server. There are no any significant performance changes. Everything is mostly below +/-1%. Support was also added to LLVMs lld: https://reviews.llvm.org/D64903, however there is remains off by default. There were concerns about an increase in binary size, however in our case, the increase (1 page worth of bytes) would seem negligible, given we are shipping a multi-megabyte binary, which then downloads 100's of GBs of data. Also note that most recent versions of distros are shipping a new enough version of binutils that this is available and/or on by default (assuming the distro has not turned it off, I haven't checked everywhere): CentOS 8: 2.30 Debian Buster 2.31.1 Fedora 29: 2.31.1 FreeBSD: 2.33 GNU Guix: 2.33 / 2.34 Ubuntu 18.04: 2.30 Related threads / discussion: https://bugzilla.redhat.com/show_bug.cgi?id=1623218
Check that sections are appropriately separated in virtual memory, based on their (expected) permissions. This checks for missing -Wl,-z,separate-code and potentially other problems. Co-authored-by: fanquake <fanquake@gmail.com>
9ae9b2a to
65d0f1a
Compare
|
I've pushed up a modified version of @laanwj's test that works for me across all binaries, and I think is a bit more robust. One of the issues with the previous test was that when the binaries were large (i.e If someone wants to test, one way to at least sanity-check the behaviour is to modify the permission of one of the sections in diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index dc74de919..965a9b250 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -146,7 +146,7 @@ def check_ELF_separate_code(executable):
# Read + execute
'.init': 'R E',
'.plt': 'R E',
- '.plt.got': 'R E',
+ '.plt.got': 'WRONG!',
'.plt.sec': 'R E',
'.text': 'R E',
'.fini': 'R E',and check that the test fails for all binaries (assuming you've chosen a section that is in all binaries. i.e NOT make -C src check-security
make: Entering directory '/home/ubuntu/build/bitcoin/distsrc-x86_64-linux-gnu/src'
Checking binary security...
bitcoind: failed separate_code
bitcoin-cli: failed separate_code
bitcoin-tx: failed separate_code
bitcoin-wallet: failed separate_code
test/test_bitcoin: failed separate_code
qt/bitcoin-qt: failed separate_code
Now that I've got this test working, I'll take a look here as well. In any case, I think any changes / an additional test for that behaviour could be a in a followup PR. |
Guix builds
|
|
ACK 65d0f1a |
Gitian builds
|
Closed
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
Jul 31, 2020
65d0f1a devtools: Add security check for separate_code (Wladimir J. van der Laan) 2e9e637 build: add -Wl,-z,separate-code to hardening flags (fanquake) Pull request description: TLDR: We are generally explicit about the hardening related flags we use, rather than letting the distro / toolchain decide via their defaults. This PR adds `-z,separate-code` which has been enabled by default for Linux targets since binutils 2.31. Ubuntu Bionic (currently used for gitian) ships with binutils 2.30, so this will enable the option for those builds. This flag was added to binutils/ld in the 2.30 release, see commit c11c786f0b45617bb8807ab6a57220d5ff50e414: > The new "-z separate-code" option will generate separate code LOAD segment which must be in wholly disjoint pages from any other data. It was made the default for Linux/x86 targets in the 2.31 release, see commit f6aec96dce1ddbd8961a3aa8a2925db2021719bb: > This patch adds --enable-separate-code to ld configure to turn on -z separate-code by default and enables it by default for Linux/x86. This avoids mixing code pages with data to improve cache performance as well as security. > To reduce x86-64 executable and shared object sizes, the maximum page size is reduced from 2MB to 4KB when -z separate-code is turned on by default. Note: -z max-page-size= can be used to set the maximum page size. > We compared SPEC CPU 2017 performance before and after this change on Skylake server. There are no any significant performance changes. Everything is mostly below +/-1%. Support was also added to LLVMs lld: https://reviews.llvm.org/D64903, however there it remains off by default. There were concerns about an increase in binary size, however in our case, the difference would seem negligible, given we are shipping a multi-megabyte binary, which then downloads 100's of GBs of data. Also note that most recent versions of distros are shipping a new enough version of binutils that this is available and/or already on by default (assuming the distro has not turned it off, I haven't checked everywhere): CentOS 8: 2.30 Debian Buster 2.31.1 Fedora 29: 2.31.1 FreeBSD: 2.33 GNU Guix: 2.33 / 2.34 Ubuntu 18.04: 2.30 Related threads / discussion: https://bugzilla.redhat.com/show_bug.cgi?id=1623218 The ELF header when building on Debian Buster (where it's already enabled by default in binutils): ```bash Program Header: PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3 filesz 0x00000000000002a0 memsz 0x00000000000002a0 flags r-- INTERP off 0x00000000000002e0 vaddr 0x00000000000002e0 paddr 0x00000000000002e0 align 2**0 filesz 0x000000000000001c memsz 0x000000000000001c flags r-- LOAD off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12 filesz 0x0000000000038f10 memsz 0x0000000000038f10 flags r-- LOAD off 0x0000000000039000 vaddr 0x0000000000039000 paddr 0x0000000000039000 align 2**12 filesz 0x00000000006b9389 memsz 0x00000000006b9389 flags r-x LOAD off 0x00000000006f3000 vaddr 0x00000000006f3000 paddr 0x00000000006f3000 align 2**12 filesz 0x0000000000204847 memsz 0x0000000000204847 flags r-- LOAD off 0x00000000008f7920 vaddr 0x00000000008f8920 paddr 0x00000000008f8920 align 2**12 filesz 0x00000000000183e0 memsz 0x0000000000022fd0 flags rw- DYNAMIC off 0x000000000090adb0 vaddr 0x000000000090bdb0 paddr 0x000000000090bdb0 align 2**3 filesz 0x0000000000000240 memsz 0x0000000000000240 flags rw- ``` vs when opting out using `-Wl,-z,noseparate-code`: ```bash Program Header: PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3 filesz 0x0000000000000230 memsz 0x0000000000000230 flags r-- INTERP off 0x0000000000000270 vaddr 0x0000000000000270 paddr 0x0000000000000270 align 2**0 filesz 0x000000000000001c memsz 0x000000000000001c flags r-- LOAD off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12 filesz 0x00000000008f6a87 memsz 0x00000000008f6a87 flags r-x LOAD off 0x00000000008f7920 vaddr 0x00000000008f8920 paddr 0x00000000008f8920 align 2**12 filesz 0x00000000000183e0 memsz 0x0000000000022fd0 flags rw- DYNAMIC off 0x000000000090adb0 vaddr 0x000000000090bdb0 paddr 0x000000000090bdb0 align 2**3 filesz 0x0000000000000240 memsz 0x0000000000000240 flags rw- ``` ACKs for top commit: laanwj: ACK 65d0f1a Tree-SHA512: 6e40e434efea8a8e39f6cb244dfd16aaa5a9db5a2ea762a05d1727357b20e33b7e47c1a652ee88490c9d7952a4caa2f992396fb30346239300d37ae123e36d49
luke-jr
pushed a commit
to bitcoinknots/bitcoin
that referenced
this pull request
Aug 15, 2020
This flag was added to binutils/ld in the 2.30 release, see commit c11c786f0b45617bb8807ab6a57220d5ff50e414: > The new "-z separate-code" option will generate separate code LOAD segment which must be in wholly disjoint pages from any other data. It was made the default for Linux/x86 targets in the 2.31 release, see commit f6aec96dce1ddbd8961a3aa8a2925db2021719bb: > This patch adds --enable-separate-code to ld configure to turn on -z separate-code by default and enables it by default for Linux/x86. This avoids mixing code pages with data to improve cache performance as well as security. > To reduce x86-64 executable and shared object sizes, the maximum page size is reduced from 2MB to 4KB when -z separate-code is turned on by default. Note: -z max-page-size= can be used to set the maximum page size. > We compared SPEC CPU 2017 performance before and after this change on Skylake server. There are no any significant performance changes. Everything is mostly below +/-1%. Support was also added to LLVMs lld: https://reviews.llvm.org/D64903, however there is remains off by default. There were concerns about an increase in binary size, however in our case, the increase (1 page worth of bytes) would seem negligible, given we are shipping a multi-megabyte binary, which then downloads 100's of GBs of data. Also note that most recent versions of distros are shipping a new enough version of binutils that this is available and/or on by default (assuming the distro has not turned it off, I haven't checked everywhere): CentOS 8: 2.30 Debian Buster 2.31.1 Fedora 29: 2.31.1 FreeBSD: 2.33 GNU Guix: 2.33 / 2.34 Ubuntu 18.04: 2.30 Related threads / discussion: https://bugzilla.redhat.com/show_bug.cgi?id=1623218 Github-Pull: bitcoin#19525 Rebased-From: 2e9e637
luke-jr
pushed a commit
to bitcoinknots/bitcoin
that referenced
this pull request
Aug 15, 2020
Check that sections are appropriately separated in virtual memory, based on their (expected) permissions. This checks for missing -Wl,-z,separate-code and potentially other problems. Co-authored-by: fanquake <fanquake@gmail.com> Github-Pull: bitcoin#19525 Rebased-From: 65d0f1a
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TLDR: We are generally explicit about the hardening related flags we use,
rather than letting the distro / toolchain decide via their defaults. This PR
adds
-z,separate-codewhich has been enabled by default for Linux targetssince binutils 2.31. Ubuntu Bionic (currently used for gitian) ships with
binutils 2.30, so this will enable the option for those builds.
This flag was added to binutils/ld in the 2.30 release,
see commit c11c786f0b45617bb8807ab6a57220d5ff50e414:
It was made the default for Linux/x86 targets in the 2.31 release, see commit
f6aec96dce1ddbd8961a3aa8a2925db2021719bb:
Support was also added to LLVMs lld: https://reviews.llvm.org/D64903, however
there it remains off by default.
There were concerns about an increase in binary size, however in our case, the
difference would seem negligible, given we are shipping a
multi-megabyte binary, which then downloads 100's of GBs of data.
Also note that most recent versions of distros are shipping a new enough version
of binutils that this is available and/or already on by default (assuming the distro
has not turned it off, I haven't checked everywhere):
CentOS 8: 2.30
Debian Buster 2.31.1
Fedora 29: 2.31.1
FreeBSD: 2.33
GNU Guix: 2.33 / 2.34
Ubuntu 18.04: 2.30
Related threads / discussion:
https://bugzilla.redhat.com/show_bug.cgi?id=1623218
The ELF header when building on Debian Buster (where it's already enabled by default in binutils):
Program Header: PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3 filesz 0x00000000000002a0 memsz 0x00000000000002a0 flags r-- INTERP off 0x00000000000002e0 vaddr 0x00000000000002e0 paddr 0x00000000000002e0 align 2**0 filesz 0x000000000000001c memsz 0x000000000000001c flags r-- LOAD off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12 filesz 0x0000000000038f10 memsz 0x0000000000038f10 flags r-- LOAD off 0x0000000000039000 vaddr 0x0000000000039000 paddr 0x0000000000039000 align 2**12 filesz 0x00000000006b9389 memsz 0x00000000006b9389 flags r-x LOAD off 0x00000000006f3000 vaddr 0x00000000006f3000 paddr 0x00000000006f3000 align 2**12 filesz 0x0000000000204847 memsz 0x0000000000204847 flags r-- LOAD off 0x00000000008f7920 vaddr 0x00000000008f8920 paddr 0x00000000008f8920 align 2**12 filesz 0x00000000000183e0 memsz 0x0000000000022fd0 flags rw- DYNAMIC off 0x000000000090adb0 vaddr 0x000000000090bdb0 paddr 0x000000000090bdb0 align 2**3 filesz 0x0000000000000240 memsz 0x0000000000000240 flags rw-vs when opting out using
-Wl,-z,noseparate-code:Program Header: PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3 filesz 0x0000000000000230 memsz 0x0000000000000230 flags r-- INTERP off 0x0000000000000270 vaddr 0x0000000000000270 paddr 0x0000000000000270 align 2**0 filesz 0x000000000000001c memsz 0x000000000000001c flags r-- LOAD off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12 filesz 0x00000000008f6a87 memsz 0x00000000008f6a87 flags r-x LOAD off 0x00000000008f7920 vaddr 0x00000000008f8920 paddr 0x00000000008f8920 align 2**12 filesz 0x00000000000183e0 memsz 0x0000000000022fd0 flags rw- DYNAMIC off 0x000000000090adb0 vaddr 0x000000000090bdb0 paddr 0x000000000090bdb0 align 2**3 filesz 0x0000000000000240 memsz 0x0000000000000240 flags rw-