Binary hardening - pyllyukko/harden.yml GitHub Wiki
To protect against various threats, it would be good to harden at least some binaries and libraries with various memory protections / binary hardening.
The following technologies should be considered:
- RELRO
- PIE
- Stack canaries
  - -fstack-protector
  - -fstack-protector-strong
  - -fstack-protector-all
  - --param=ssp-buffer-size=4
  - Do note that when you're checking binary protections with checksec.sh against stripped bins, checksec.sh is unable to find the __stack_chk_fail with readelf -s as the symbol table section (.symtab) has been removed and it will print "No canary found". You can use rabin2 -I file | grep '^canary' instead.
- -D_FORTIFY_SOURCE=2
- -ftrivial-auto-var-init=zero (not available in the GCC version currently packaged in Slackware 15.0)
- -fstack-clash-protection
This can be achieved by using something like the following in SlackBuilds:
SLKCFLAGS="-O2 -fPIC -fPIE -pie -Wl,-z,relro,-z,now -fstack-protector-all --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
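The stripped-binary caveat from the list above, as an added example (not part of the original wiki or of checksec.sh): a small parser that looks for __stack_chk_fail in both .symtab and .dynsym and answers "unknown" instead of "no canary" when .symtab is gone and the dynamic symbols do not settle it. It assumes ELF64 little-endian input; the function names and the three verdict strings are this example's own.

```python
import struct
import sys

SHT_SYMTAB, SHT_DYNSYM = 2, 11   # section types from the ELF specification
CANARY = "__stack_chk_fail"

def symbol_names(elf, wanted_type):
    """Return the symbol names held in sections of wanted_type, or None if there is no such section."""
    shoff, = struct.unpack_from("<Q", elf, 0x28)              # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)   # e_shentsize, e_shnum
    sections = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
                for i in range(shnum)]
    names, found = set(), False
    for _, sh_type, _, _, off, size, link, _, _, entsize in sections:
        if sh_type != wanted_type or entsize == 0:
            continue
        found = True
        strtab = sections[link][4]        # sh_link points at the string table section
        for pos in range(off, off + size, entsize):
            st_name, = struct.unpack_from("<I", elf, pos)
            start = strtab + st_name
            names.add(elf[start:elf.index(b"\0", start)].decode("ascii", "replace"))
    return names if found else None

def canary_status(elf):
    """Classify an ELF64 little-endian image as 'canary', 'no canary' or 'unknown'."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("this example only handles ELF64 little-endian files")
    symtab = symbol_names(elf, SHT_SYMTAB)   # removed by strip
    dynsym = symbol_names(elf, SHT_DYNSYM)   # used by the dynamic linker, survives strip
    if any(table and CANARY in table for table in (symtab, dynsym)):
        return "canary"
    # Without .symtab a missing symbol proves nothing (e.g. a stripped static
    # binary), so report "unknown" rather than a false "no canary".
    return "unknown" if symtab is None else "no canary"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, canary_status(fh.read()))
```

Run it as `python3 script.py /path/to/binary ...`; an "unknown" verdict is the case where a second tool such as the rabin2 command above is worth consulting.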
Which binaries
Here are some thoughts about which binaries should/could be hardened:
- SSH (hardened by default)
- Communication clients:
  - irssi (has canary, but no RELRO & PIE)
  - Pidgin
- BitTorrent clients
- Mail
  - mutt
  - Postfix
  - Dovecot
- Libraries
  - OpenSSL
  - GnuTLS
  - gpgme
- gpg
- git
- coreutils
- Archiving tools:
  - tar
  - bzip2
  - rar
- Tools that are used against binaries etc.
  - less
  - strings
  - file
  - *sum
  - hexdump
- PDF readers
- Traffic analyzers (tcpdump, wireshark)
- Clamav
- wget/curl
- SUID binaries
  - sudo
- Apache/PHP
- krb5
- OpenLDAP
TODO
ldd all the bins and find the most common libraries to harden.
Links
- https://wiki.debian.org/Hardening#Environment_variables
- Determining Programs to Immunize
- -fstack-protector-strong
- https://security.stackexchange.com/questions/161799/why-does-checksec-sh-highlight-rpath-and-runpath-as-security-issues/165762#165762:
- Using the GNU Compiler Collection (GCC): Code Gen Options
- Hardened compilation flags
- https://gcc.gnu.org/onlinedocs/gccint/target-macros/stack-layout-and-calling-conventions/stack-smashing-protection.html
Secure Code Partitioning With ELF binaries, aka. SCOP:
A Secure ELF binary should have the following mitigations applied:
- RELRO gcc -Wl,-z,relro,-z,now
- SCOP gcc -Wl,-z,code-separation
- PIE (Full ASLR) gcc -fPIC -pie
- Stack Canaries gcc -fstack-protector
- PaX mprotect(2) paxctl -M
Do not forget that statically linked executables do not officially support PIE or RELRO, but have had some solutions proposed in the paper "ASLR and RELRO protection for statically linked executables".
Signing
Signing binaries with either elfsign or bsign? Apparently bsign doesn't work against 64-bit binaries.
Look into
- https://github.com/struct/mms: ld -z now
- -static-pie