Binary hardening - pyllyukko/harden.yml GitHub Wiki

To protect against various threats, it would be good to harden at least some binaries and libraries with various memory protections / binary hardening.

The following technologies should be considered:

  • RELRO
  • PIE
  • Stack canaries
    • -fstack-protector < -fstack-protector-strong < -fstack-protector-all
    • --param=ssp-buffer-size=4
    • Do note that when you're checking binary protections with checksec.sh against stripped binaries, checksec.sh is unable to find __stack_chk_fail with readelf -s, because the symbol table section (.symtab) has been removed, and it will print "No canary found". Use rabin2 -I file | grep '^canary' instead.
  • -D_FORTIFY_SOURCE=2
  • -ftrivial-auto-var-init=zero (not available in the GCC version currently packaged in Slackware 15.0)
  • -fstack-clash-protection

This can be achieved by using something like the following in SlackBuilds:

SLKCFLAGS="-O2 -fPIC -fPIE -pie -Wl,-z,relro,-z,now -fstack-protector-all --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"

Which binaries

Here are some thoughts about which binaries should/could be hardened:

  • SSH (hardened by default)
  • Communication clients:
    • irssi (has canary, but no RELRO & PIE)
    • Pidgin
    • BitTorrent clients
    • Mail
      • mutt
      • Postfix
      • Dovecot
  • Libraries
    • OpenSSL
    • GnuTLS
    • gpgme
  • gpg
  • git
  • coreutils
  • Archiving tools:
    • tar
    • bzip2
    • rar
  • Tools that are used against binaries etc.
    • less
    • strings
    • file
    • *sum
    • hexdump
  • PDF readers
  • Traffic analyzers (tcpdump, wireshark)
  • Clamav
  • wget/curl
  • SUID binaries
    • sudo
  • Apache/PHP
  • krb5
  • OpenLDAP

TODO

Run ldd against all the binaries and find the most commonly linked libraries, so those can be hardened first.
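The following script is an added example for this TODO and for verifying that the SLKCFLAGS above actually took effect; it is not part of the harden.yml project. It uses readelf(1) from binutils rather than ldd(1), because ldd may run the dynamic loader of the binary it inspects, while readelf only parses the file. The function names, the "relro_level"/"pie_status"/"canary_status" output vocabulary and the sample readelf lines are all constructed for this example. canary_status reads the dynamic symbol table (.dynsym), which strip(1) leaves in dynamically linked binaries; for statically linked binaries it will report "no", so fall back to rabin2 there as noted above.

```shell
#!/bin/sh
# Added example (not harden.yml project code): audit ELF hardening and
# count the most commonly NEEDED libraries using readelf(1) output only.

# relro_level: reads `readelf -l -d FILE` on stdin, prints full|partial|none.
# Full RELRO needs both a GNU_RELRO segment and BIND_NOW (-z relro -z now).
relro_level() {
    awk '
        /GNU_RELRO/            { relro = 1 }
        /\(BIND_NOW\)/         { now = 1 }
        /\(FLAGS_1\).*NOW/     { now = 1 }
        END {
            if (relro && now) print "full";
            else if (relro)   print "partial";
            else              print "none";
        }'
}

# pie_status: reads `readelf -h FILE` on stdin; a PIE executable has ELF type DYN,
# a non-PIE executable has type EXEC. Prints pie|no-pie.
pie_status() {
    awk '/^ *Type:/ { print ($2 == "DYN") ? "pie" : "no-pie"; exit }'
}

# canary_status: reads `readelf --dyn-syms FILE` on stdin; a binary built with
# -fstack-protector* imports __stack_chk_fail. Prints yes|no.
canary_status() {
    awk '/__stack_chk_fail/ { found = 1 } END { print found ? "yes" : "no" }'
}

# count_needed: reads concatenated `readelf -d` output for many files on stdin
# and prints "<count> <library>" lines, most common first.
count_needed() {
    awk -F'[][]' '/\(NEEDED\)/ { n[$2]++ } END { for (l in n) print n[l], l }' | sort -rn
}

# audit_binary FILE: one-line hardening summary for a single ELF file.
audit_binary() {
    f="$1"
    printf '%s relro=%s pie=%s canary=%s\n' "$f" \
        "$(readelf -l -d "$f" 2>/dev/null | relro_level)" \
        "$(readelf -h "$f" 2>/dev/null | pie_status)" \
        "$(readelf --dyn-syms "$f" 2>/dev/null | canary_status)"
}

# most_common_libs FILE...: library frequency across all given binaries.
most_common_libs() {
    for f in "$@"; do readelf -d "$f" 2>/dev/null; done | count_needed
}

# Constructed sample of `readelf -d` output for three hypothetical binaries
# (not real data), used to exercise count_needed without any files on disk.
SAMPLE_NEEDED=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# sample_top_lib: most common library in the constructed sample ("3 libc.so.6").
sample_top_lib() {
    printf '%s\n' "$SAMPLE_NEEDED" | count_needed | head -n 1
}

# Usage: sh audit.sh /usr/bin/irssi /usr/bin/mutt ...
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_binary "$f"; done
    most_common_libs "$@"
fi
```

Pointing the script at the binaries listed in the next section gives a quick answer to "has canary, but no RELRO & PIE" style questions per package, and the NEEDED count shows which libraries (libc, OpenSSL, zlib and so on) are worth hardening first because most binaries pull them in.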

Links

Secure Code Partitioning With ELF binaries, aka. SCOP:

A Secure ELF binary should have the following mitigations applied:

  • RELRO: gcc -Wl,-z,relro,-z,now
  • SCOP: gcc -Wl,-z,code-separation
  • PIE (Full ASLR): gcc -fPIC -pie
  • Stack Canaries: gcc -fstack-protector
  • PaX mprotect(2): paxctl -M

Do not forget that statically linked executables do not officially support PIE or RELRO; some solutions for them have been proposed in the paper "ASLR and RELRO protection for statically linked executables".

Signing

Signing binaries with either elfsign or bsign? Apparently bsign doesn't work against 64-bit binaries.

Look into