From: Martin Steigerwald <ms@teamix.de>
To: Jens Axboe <axboe@kernel.dk>
Cc: fio@vger.kernel.org
Subject: Re: hardening fio build with PIE for Address Space Layout Randomization and bindnow linking
Date: Wed, 25 May 2016 10:47:12 +0200
Message-ID: <1559516.2vDHzyQDOD@merkaba>
In-Reply-To: <57446277.2010705@kernel.dk>
On Tuesday, 24 May 2016 08:17:27 CEST Jens Axboe wrote:
> On 05/24/2016 04:10 AM, Martin Steigerwald wrote:
> > Hello Jens!
> >
> > In my attempt to harden the fio build as recommended within Debian, I
> > tried to build it with PIE by using Debian's own mechanism via
> > dpkg-buildflags. And I got:
> > CC diskutil.o
> > CC fifo.o
> > CC blktrace.o
> > CC cgroup.o
> > CC trim.o
> > CC engines/sg.o
> > CC engines/binject.o
> > CC oslib/linux-dev-lookup.o
> > CC fio.o
> >
> > LINK fio
> >
> > /usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' can
> > not be used when making a shared object; recompile with -fPIC
> > crc/crc16.o: error adding symbols: Bad value
> > collect2: error: ld returned 1 exit status
> > Makefile:399: recipe for target 'fio' failed
> > make[1]: *** [fio] Error 1
> > make[1]: Leaving directory '/home/ms/Debian/fio/pkg-fio'
> > dh_auto_build: make -j1 returned exit code 2
> > debian/rules:17: recipe for target 'build' failed
> > make: *** [build] Error 2
> > dpkg-buildpackage: error: debian/rules build gave error exit status 2
> >
> >
> > Yet, building fio 2.10 from upstream doesn't produce a shared object
> > file.
> >
> > Any idea?
> >
> >
> >
> >
> > I: fio: hardening-no-pie usr/bin/fio
> > N:
> > N: This package provides an ELF executable that was not compiled as a
> > N: position independent executable (PIE).
> > N:
> > N: PIE is required for fully enabling Address Space Layout Randomization
> > N: (ASLR), which makes "Return-oriented" attacks more difficult.
> > N:
> > N: Historically, PIE has been associated with noticeable performance
> > N: overhead on i386. However, GCC-5 has implemented an optimization that
> > N: can reduce the overhead significantly.
> > N:
> > N: If you use dpkg-buildflags, you may have to add hardening=+pie or
> > N: hardening=+all to DEB_BUILD_MAINT_OPTIONS.
> > N:
> > N: The relevant compiler flags must be passed both to the compiler and the
> > N: linker (e.g. for C that would be commonly be CFLAGS and LDFLAGS).
> > N:
> > N: CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not suitable
> > N: for all cases:
> > N:
> > N: * It is <not> compatible with -fPIC which required for
> > N: compiling shared libraries.
> > N: * It is unlikely to work when compiling static libraries or
> > N: executables (gcc -static).
> > N:
> > N: If your upstream build compiles either of the above, you may have to
> > N: patch the build to ensure that only ELF executables are compiled with
> > N: PIE.
> > N:
> > N: Refer to https://wiki.debian.org/Hardening,
> > N: https://gcc.gnu.org/gcc-5/changes.html, and
> > N: https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
> > N: for details.
> > N:
> > N: Severity: wishlist, Certainty: certain
> > N:
> > N: Check: binaries, Type: binary, udeb
> > N:
> > I: fio: hardening-no-pie usr/bin/fio-btrace2fio
> > I: fio: hardening-no-pie usr/bin/fio-dedupe
> > I: fio: hardening-no-pie usr/bin/fio-genzipf
> >
> >
> > Another option to harden fio works fine and that is:
> >
> > I: fio: hardening-no-bindnow usr/bin/fio
> > N:
> > N: This package provides an ELF binary that lacks the "bindnow" linker
> > N: flag.
> > N:
> > N: If the ELF binary does not rely on late binding of symbols (e.g. weak
> > N: symbols), then please consider enabling this feature. Otherwise, please
> > N: consider overriding the tag (possibly with a comment about why).
> > N:
> > N: If you use dpkg-buildflags, you may have to add hardening=+bindnow or
> > N: hardening=+all to DEB_BUILD_MAINT_OPTIONS.
> > N:
> > N: The relevant compiler flags are set in LDFLAGS.
> > N:
> > N: Refer to https://wiki.debian.org/Hardening for details.
> > N:
> > N: Severity: wishlist, Certainty: certain
> > N:
> > N: Check: binaries, Type: binary, udeb
> > N:
> > I: fio: hardening-no-pie usr/bin/fio-btrace2fio
> > I: fio: hardening-no-bindnow usr/bin/fio-btrace2fio
> > I: fio: hardening-no-pie usr/bin/fio-dedupe
> > I: fio: hardening-no-bindnow usr/bin/fio-dedupe
> > I: fio: hardening-no-pie usr/bin/fio-genzipf
> > I: fio: hardening-no-bindnow usr/bin/fio-genzipf
> >
> >
> > Maybe it would be nice to have some of these in upstream build? PIE may not
> > yet be advisable as for GCC 5 requirement.
>
> What extra compiler/linker flags are being set? I tried with just -fPIE
> here, and it builds and links fine.
>
> axboe@xps13:/home/axboe/git/fio $ gcc --version
> gcc (Ubuntu 6.1.1-3ubuntu11~14.04.1) 6.1.1 20160511
>
> I have gcc 5.3 installed as well, works for that too. So I'm guessing
> -fPIE isn't all that's being set?

Hmmm, according to

DEB_BUILD_HARDENING_PIE (gcc/g++ -fPIE -pie)
https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29

It's not all. It also does "-pie".

Yes, if I try this as in:

diff --git a/Makefile b/Makefile
index 108e6ee..a559971 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ endif
DEBUGFLAGS = -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DFIO_INC_DEBUG
CPPFLAGS= -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DFIO_INTERNAL $(DEBUGFLAGS)
OPTFLAGS= -g -ffast-math
-CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR)
+CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement -fPIE -pie $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCD
IR)
LIBS += -lm $(EXTLIBS)
PROGS = fio
SCRIPTS = $(addprefix $(SRCDIR)/,tools/fio_generate_plots tools/plot/fio2gnuplot tools/genfio tools/fiologparser.py)
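
Review bot: In the `+CFLAGS` line, `-pie` is a link-time option while `-fPIE` is the compile-time one, so putting both into CFLAGS only reaches the linker if the link recipe also expands CFLAGS, which this hunk does not show. Hard-coding both here also forces PIE on every upstream build, although the thread itself notes PIE may not yet be advisable because of the GCC 5 requirement. Suggest keeping `-fPIE` on the compile side, passing `-pie` through LDFLAGS, and making both opt-in through flags supplied by the builder instead of unconditional.
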
I get a working build:
# hardening-check fio
fio:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: no, not found!
Immediate binding: no, not found!

Well, I wonder about:

You set CFLAGS hard without +=, maybe that's the issue, unless dpkg stuffs
the build flags into BUILD_CFLAGS or so.

Yes, that is it:

A patch as simple as

… pkg-fio> cat debian/patches/makefile-hardening
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@
DEBUGFLAGS = -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DFIO_INC_DEBUG
CPPFLAGS= -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DFIO_INTERNAL $(DEBUGFLAGS)
OPTFLAGS= -g -ffast-math
-CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR)
+CFLAGS += -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR)
LIBS += -lm $(EXTLIBS)
PROGS = fio
SCRIPTS = $(addprefix $(SRCDIR)/,tools/fio_generate_plots tools/plot/fio2gnuplot tools/genfio tools/fiologparser.py)
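
Review bot: The context line `CPPFLAGS= -D_LARGEFILE_SOURCE ...` two lines above the change still uses plain `=`, so a CPPFLAGS value exported by the packaging environment is discarded in the same way CFLAGS was; it should get the same `+=` treatment. With `CFLAGS +=` the inherited flags land before the Makefile's own, so `$(OPTFLAGS)` and `$(BUILD_CFLAGS)` win on conflicts, and a `make CFLAGS=...` command-line override still replaces the whole line (dropping `-std=gnu99` and the `-I` paths) unless `override` is used. LDFLAGS is not visible in this hunk; it is worth checking that it is appended to as well, since the earlier hardening-check run reported no read-only relocations and no immediate binding.
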
Does the trick. Seems that Debian set some linker flag and the compiler flag
was not set, leading to:
> > /usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' can
> > not be used when making a shared object; recompile with -fPIC
Will create a patch to merge for you.
Thanks,
--
Martin Steigerwald | Trainer
teamix GmbH
Südwestpark 43
90449 Nürnberg
Tel.: +49 911 30999 55 | Fax: +49 911 30999 99
mail: martin.steigerwald@teamix.de | web: http://www.teamix.de | blog: http://blog.teamix.de
Nuremberg District Court, HRB 18320 | Managing Directors: Oliver Kügow, Richard Müller
teamix Support Hotline: +49 911 30999-112
Flexibility in-house, security in mind: test our cloud backup solution FlexVault free for 30 days now: www.teamix.de/cloud-backup
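
Three of the properties reported by the hardening-check run in the message above (PIE, read-only relocations, immediate binding) can be read straight from the ELF program headers and dynamic section. The following is an added example, not code from the thread, fio or hardening-check; `check_hardening` and `build_sample` are hypothetical names, only little-endian ELF64 is handled, and PIE is approximated as ET_DYN with a PT_INTERP segment.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # ELF64 LE layouts

def check_hardening(data):
    """Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image (bytes)."""
    ehdr = struct.unpack_from(EHDR, data, 0)
    ident, e_type, e_phoff, e_phentsize, e_phnum = ehdr[0], ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    types = {p[0] for p in phdrs}
    bind_now = False
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from(DYN, data, off)
            if tag == DT_NULL:          # end of the dynamic array
                break
            bind_now |= tag == DT_BIND_NOW
            bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
            bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
    return {
        "pie": e_type == ET_DYN and PT_INTERP in types,   # needs -fPIE and -pie
        "relro": PT_GNU_RELRO in types,                   # -Wl,-z,relro
        "bind_now": bind_now,                             # -Wl,-z,now
    }

def build_sample(e_type, ptypes, dyn_entries):
    """Constructed minimal ELF64 image (headers and dynamic section only)."""
    dyn_off = 64 + 56 * len(ptypes)
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    phdrs = b"".join(
        struct.pack(PHDR, t, 4, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                    len(dyn) if t == PT_DYNAMIC else 0, 0, 8) for t in ptypes)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    # Constructed cases: PIE only (the state shown in the mail) and PIE + RELRO + bindnow.
    pie_only = build_sample(ET_DYN, [PT_INTERP, PT_DYNAMIC], [(1, 0)])
    hardened = build_sample(ET_DYN, [PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO], [(DT_FLAGS, DF_BIND_NOW)])
    print(check_hardening(pie_only))
    print(check_hardening(hardened))
```

Stack protector and fortify-source detection depend on symbol names and are not covered here.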
Thread overview: 3+ messages
2016-05-24 10:10 hardening fio build with PIE for Address Space Layout Randomization and bindnow linking Martin Steigerwald
2016-05-24 14:17 ` Jens Axboe
2016-05-25 8:47 ` Martin Steigerwald [this message]