Binary hardening - pyllyukko/harden.yml GitHub Wiki

To protect against various threats, at least some binaries and libraries should be built with memory protections (binary hardening).

The following technologies should be considered:

This can be achieved by using something like the following in SlackBuilds:

SLKCFLAGS="-O2 -fPIC -fPIE -pie -Wl,-z,relro,-z,now -fstack-protector-all --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"

Which binaries

Here are some thoughts about which binaries should or could be hardened:

  • SSH (hardened by default)
  • Communication clients:
    • irssi (has canary, but no RELRO & PIE)
    • Pidgin
    • BitTorrent clients
    • Mail
      • mutt
      • Postfix
      • Dovecot
  • Libraries
    • OpenSSL
    • GnuTLS
    • gpgme
  • gpg
  • git
  • coreutils
  • tar
  • bzip2
  • Tools that are used against binaries etc.
    • less
    • strings
    • file
    • *sum
    • hexdump
  • PDF readers
  • Traffic analyzers (tcpdump, wireshark)
  • ClamAV
  • wget/curl
  • SUID binaries
    • sudo
  • Apache/PHP
  • krb5
  • OpenLDAP
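
To see which of these protections a binary already carries (for instance the irssi note above: canary, but no RELRO or PIE), the following added example, which is not part of the original wiki or the harden.yml project, parses a little-endian ELF64 file and reports PIE, RELRO, non-executable stack and stack canary. The names `check_elf` and `build_sample` and the two sample images are constructed for illustration, and the canary test is a heuristic that only looks for the `__stack_chk_fail` symbol name.

```python
import struct, sys

ET_EXEC, ET_DYN, PF_X = 2, 3, 0x1  # values from <elf.h>
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
NOW_BITS = {DT_FLAGS: 0x8, DT_FLAGS_1: 0x1}  # DF_BIND_NOW, DF_1_NOW
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # ELF64 struct layouts

def check_elf(data: bytes) -> dict:
    """Report hardening features of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    _, e_type, _, _, _, phoff, _, _, _, phentsize, phnum, *_ = struct.unpack_from(EHDR, data)
    relro = bind_now = nx_stack = False  # no PT_GNU_STACK header: not proven NX
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                bind_now |= tag == DT_BIND_NOW or bool(val & NOW_BITS.get(tag, 0))
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack,
            "relro": "full" if relro and bind_now else "partial" if relro else "none",
            "canary": b"__stack_chk_fail" in data}  # heuristic: symbol name present

def build_sample(e_type, phdrs, dyn=()):
    """Constructed image for demonstration: headers and dynamic entries only."""
    dyn_blob = b"".join(struct.pack(DYN, t, v) for t, v in (*dyn, (DT_NULL, 0)))
    ph = b"".join(struct.pack(PHDR, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    ph += struct.pack(PHDR, PT_DYNAMIC, 6, 64 + len(ph) + 56, 0, 0, len(dyn_blob), 0, 0)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01", e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs) + 1, 0, 0, 0)
    return ehdr + ph + dyn_blob

# Constructed samples, not real binaries.
HARDENED = build_sample(ET_DYN, [(PT_GNU_RELRO, 4), (PT_GNU_STACK, 6)],
                        [(DT_BIND_NOW, 0)]) + b"__stack_chk_fail\0"
WEAK = build_sample(ET_EXEC, [(PT_GNU_STACK, 6)]) + b"__stack_chk_fail\0"

if __name__ == "__main__":
    for path in sys.argv[1:]:  # real ELF files given on the command line
        with open(path, "rb") as fh:
            print(path, check_elf(fh.read()))
```

`pie` is true for any `ET_DYN` object, so shared libraries report it as well.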

TODO

ldd all the bins and find the most common libraries to harden.

Links

Secure Code Partitioning With ELF binaries, aka. SCOP:

A Secure ELF binary should have the following mitigations applied:

  • RELRO gcc -Wl,-z,relro,-z,now
  • SCOP gcc -Wl,-z,code-separation
  • PIE (Full ASLR) gcc -fPIC -pie
  • Stack Canaries gcc -fstack-protector
  • PaX mprotect(2) paxctl -M

Do not forget that statically linked executables do not officially support PIE or RELRO, but have had some solutions proposed in the paper "ASLR and RELRO protection for statically linked executables".

Signing

Signing binaries with either elfsign or bsign? Apparently bsign doesn't work against 64-bit binaries.

Look into