Flexible I/O Tester development
* hardening fio build with PIE for Address Space Layout Randomization and bindnow linking
From: Martin Steigerwald @ 2016-05-24 10:10 UTC (permalink / raw)
  To: fio; +Cc: Jens Axboe

Hello Jens!

In my attempt to harden the fio build as recommended within Debian, I tried to 
build it with PIE by using Debian's own mechanism via dpkg-buildflags. And I 
got:

    CC diskutil.o
    CC fifo.o
    CC blktrace.o
    CC cgroup.o
    CC trim.o
    CC engines/sg.o
    CC engines/binject.o
    CC oslib/linux-dev-lookup.o
    CC fio.o
  LINK fio
/usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' can 
not be used when making a shared object; recompile with -fPIC
crc/crc16.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:399: recipe for target 'fio' failed
make[1]: *** [fio] Error 1
make[1]: Leaving directory '/home/ms/Debian/fio/pkg-fio'
dh_auto_build: make -j1 returned exit code 2
debian/rules:17: recipe for target 'build' failed
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2


Yet, building fio 2.10 from upstream doesn't produce a shared object 
file.

Any idea?




I: fio: hardening-no-pie usr/bin/fio
N: 
N:    This package provides an ELF executable that was not compiled as a
N:    position independent executable (PIE).
N:    
N:    PIE is required for fully enabling Address Space Layout Randomization
N:    (ASLR), which makes "Return-oriented" attacks more difficult.
N:    
N:    Historically, PIE has been associated with noticeable performance
N:    overhead on i386. However, GCC-5 has implemented an optimization that
N:    can reduce the overhead significantly.
N:    
N:    If you use dpkg-buildflags, you may have to add hardening=+pie or
N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:    
N:    The relevant compiler flags must be passed both to the compiler and the
N:    linker (e.g. for C that would be commonly be CFLAGS and LDFLAGS).
N:    
N:    CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not suitable
N:    for all cases:
N:    
N:     * It is <not> compatible with -fPIC which required for
N:       compiling shared libraries.
N:     * It is unlikely to work when compiling static libraries or
N:       executables (gcc -static).
N:    
N:    If your upstream build compiles either of the above, you may have to
N:    patch the build to ensure that only ELF executables are compiled with
N:    PIE.
N:    
N:    Refer to https://wiki.debian.org/Hardening,
N:    https://gcc.gnu.org/gcc-5/changes.html, and
N:    https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
N:    for details.
N:    
N:    Severity: wishlist, Certainty: certain
N:    
N:    Check: binaries, Type: binary, udeb
N: 
I: fio: hardening-no-pie usr/bin/fio-btrace2fio
I: fio: hardening-no-pie usr/bin/fio-dedupe
I: fio: hardening-no-pie usr/bin/fio-genzipf


Another option to harden fio works fine and that is:

I: fio: hardening-no-bindnow usr/bin/fio
N: 
N:    This package provides an ELF binary that lacks the "bindnow" linker
N:    flag.
N:    
N:    If the ELF binary does not rely on late binding of symbols (e.g. weak
N:    symbols), then please consider enabling this feature. Otherwise, please
N:    consider overriding the tag (possibly with a comment about why).
N:    
N:    If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:    
N:    The relevant compiler flags are set in LDFLAGS.
N:    
N:    Refer to https://wiki.debian.org/Hardening for details.
N:    
N:    Severity: wishlist, Certainty: certain
N:    
N:    Check: binaries, Type: binary, udeb
N: 
I: fio: hardening-no-pie usr/bin/fio-btrace2fio
I: fio: hardening-no-bindnow usr/bin/fio-btrace2fio
I: fio: hardening-no-pie usr/bin/fio-dedupe
I: fio: hardening-no-bindnow usr/bin/fio-dedupe
I: fio: hardening-no-pie usr/bin/fio-genzipf
I: fio: hardening-no-bindnow usr/bin/fio-genzipf


Maybe it would be nice to have some of these in upstream build? PIE may not 
yet be advisable as for GCC 5 requirement.

Thanks,



* Re: hardening fio build with PIE for Address Space Layout Randomization and bindnow linking
From: Jens Axboe @ 2016-05-24 14:17 UTC (permalink / raw)
  To: Martin Steigerwald, fio

On 05/24/2016 04:10 AM, Martin Steigerwald wrote:
> Hello Jens!
>
> In my attempt to harden the fio build as recommended within Debian, I tried to
> build it with PIE by using Debian's own mechanism via dpkg-buildflags. And I
> got:
>
>      CC diskutil.o
>      CC fifo.o
>      CC blktrace.o
>      CC cgroup.o
>      CC trim.o
>      CC engines/sg.o
>      CC engines/binject.o
>      CC oslib/linux-dev-lookup.o
>      CC fio.o
>    LINK fio
> /usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' can
> not be used when making a shared object; recompile with -fPIC
> crc/crc16.o: error adding symbols: Bad value
> collect2: error: ld returned 1 exit status
> Makefile:399: recipe for target 'fio' failed
> make[1]: *** [fio] Error 1
> make[1]: Leaving directory '/home/ms/Debian/fio/pkg-fio'
> dh_auto_build: make -j1 returned exit code 2
> debian/rules:17: recipe for target 'build' failed
> make: *** [build] Error 2
> dpkg-buildpackage: error: debian/rules build gave error exit status 2
>
>
> Yet, building fio 2.10 from upstream doesn't produce a shared object
> file.
>
> Any idea?
>
>
>
>
> I: fio: hardening-no-pie usr/bin/fio
> N:
> N:    This package provides an ELF executable that was not compiled as a
> N:    position independent executable (PIE).
> N:
> N:    PIE is required for fully enabling Address Space Layout Randomization
> N:    (ASLR), which makes "Return-oriented" attacks more difficult.
> N:
> N:    Historically, PIE has been associated with noticeable performance
> N:    overhead on i386. However, GCC-5 has implemented an optimization that
> N:    can reduce the overhead significantly.
> N:
> N:    If you use dpkg-buildflags, you may have to add hardening=+pie or
> N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
> N:
> N:    The relevant compiler flags must be passed both to the compiler and the
> N:    linker (e.g. for C that would be commonly be CFLAGS and LDFLAGS).
> N:
> N:    CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not suitable
> N:    for all cases:
> N:
> N:     * It is <not> compatible with -fPIC which required for
> N:       compiling shared libraries.
> N:     * It is unlikely to work when compiling static libraries or
> N:       executables (gcc -static).
> N:
> N:    If your upstream build compiles either of the above, you may have to
> N:    patch the build to ensure that only ELF executables are compiled with
> N:    PIE.
> N:
> N:    Refer to https://wiki.debian.org/Hardening,
> N:    https://gcc.gnu.org/gcc-5/changes.html, and
> N:    https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
> N:    for details.
> N:
> N:    Severity: wishlist, Certainty: certain
> N:
> N:    Check: binaries, Type: binary, udeb
> N:
> I: fio: hardening-no-pie usr/bin/fio-btrace2fio
> I: fio: hardening-no-pie usr/bin/fio-dedupe
> I: fio: hardening-no-pie usr/bin/fio-genzipf
>
>
> Another option to harden fio works fine and that is:
>
> I: fio: hardening-no-bindnow usr/bin/fio
> N:
> N:    This package provides an ELF binary that lacks the "bindnow" linker
> N:    flag.
> N:
> N:    If the ELF binary does not rely on late binding of symbols (e.g. weak
> N:    symbols), then please consider enabling this feature. Otherwise, please
> N:    consider overriding the tag (possibly with a comment about why).
> N:
> N:    If you use dpkg-buildflags, you may have to add hardening=+bindnow or
> N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
> N:
> N:    The relevant compiler flags are set in LDFLAGS.
> N:
> N:    Refer to https://wiki.debian.org/Hardening for details.
> N:
> N:    Severity: wishlist, Certainty: certain
> N:
> N:    Check: binaries, Type: binary, udeb
> N:
> I: fio: hardening-no-pie usr/bin/fio-btrace2fio
> I: fio: hardening-no-bindnow usr/bin/fio-btrace2fio
> I: fio: hardening-no-pie usr/bin/fio-dedupe
> I: fio: hardening-no-bindnow usr/bin/fio-dedupe
> I: fio: hardening-no-pie usr/bin/fio-genzipf
> I: fio: hardening-no-bindnow usr/bin/fio-genzipf
>
>
> Maybe it would be nice to have some of these in upstream build? PIE may not
> yet be advisable as for GCC 5 requirement.

What extra compiler/linker flags are being set? I tried with just -fPIE 
here, and it builds and links fine.

axboe@xps13:/home/axboe/git/fio $ gcc --version
gcc (Ubuntu 6.1.1-3ubuntu11~14.04.1) 6.1.1 20160511

I have gcc 5.3 installed as well, works for that too. So I'm guessing 
-fPIE isn't all that's being set?

-- 
Jens Axboe




* Re: hardening fio build with PIE for Address Space Layout Randomization and bindnow linking
From: Martin Steigerwald @ 2016-05-25  8:47 UTC (permalink / raw)
  To: Jens Axboe; +Cc: fio

On Tuesday, 24 May 2016 08:17:27 CEST Jens Axboe wrote:
> What extra compiler/linker flags are being set? I tried with just -fPIE
> here, and it builds and links fine.
> 
> axboe@xps13:/home/axboe/git/fio $ gcc --version
> gcc (Ubuntu 6.1.1-3ubuntu11~14.04.1) 6.1.1 20160511
> 
> I have gcc 5.3 installed as well, works for that too. So I'm guessing
> -fPIE isn't all that's being set?

Hmmm, according to

DEB_BUILD_HARDENING_PIE (gcc/g++ -fPIE -pie)

https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29

It's not all. It also does "-pie".

Yes, if I try this as in:

diff --git a/Makefile b/Makefile
index 108e6ee..a559971 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ endif
 DEBUGFLAGS = -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DFIO_INC_DEBUG
 CPPFLAGS= -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DFIO_INTERNAL $(DEBUGFLAGS)
 OPTFLAGS= -g -ffast-math
-CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR)
+CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement -fPIE -pie $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCD
IR)
 LIBS   += -lm $(EXTLIBS)
 PROGS  = fio
 SCRIPTS = $(addprefix $(SRCDIR)/,tools/fio_generate_plots tools/plot/fio2gnuplot tools/genfio tools/fiologparser.py)
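
Review bot: `-fPIE -pie` on the `+CFLAGS =` line mixes a compile option with a link option. `-pie` only has an effect at link time and belongs with the linker flags, while `-fPIE` is the part every object needs; hardcoding both here also forces PIE on every build instead of leaving that choice to the caller. The assignment is still `CFLAGS =`, so any CFLAGS coming from the environment are still discarded; consider `+=` and dropping the hardcoded PIE flags.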


I get a working build:

# hardening-check fio
fio:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

Well, I wonder about:

You set CFLAGS hard without +=, maybe that's the issue, unless dpkg stuffs
the build flags into BUILD_CFLAGS or so.


Yes, that is it:

A patch as simple as

… pkg-fio> cat debian/patches/makefile-hardening 
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@
 DEBUGFLAGS = -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DFIO_INC_DEBUG
 CPPFLAGS= -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DFIO_INTERNAL $(DEBUGFLAGS)
 OPTFLAGS= -g -ffast-math
-CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR)
+CFLAGS += -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR)
 LIBS   += -lm $(EXTLIBS)
 PROGS  = fio
 SCRIPTS = $(addprefix $(SRCDIR)/,tools/fio_generate_plots tools/plot/fio2gnuplot tools/genfio tools/fiologparser.py)
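
Review bot: the `CPPFLAGS=` context line two lines above the changed `CFLAGS +=` line is still a plain assignment, so CPPFLAGS supplied by the build environment would still be overwritten; the same `+=` treatment is worth applying there, and the LDFLAGS assignment, which this hunk does not show, should be checked as well. With `+=` the caller's flags come first and `$(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS)` follow, so on a conflicting option the Makefile's value wins; a short comment above the line saying that CFLAGS is appended to on purpose would keep a later cleanup from reverting it.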


Does the trick. Seems that Debian set some linker flag and the compiler flag
was not set, leading to:

> > /usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' can
> > not be used when making a shared object; recompile with -fPIC


Will create a patch to merge for you.

Thanks,

-- 
Martin Steigerwald  | Trainer

teamix GmbH
Südwestpark 43
90449 Nürnberg

Tel.:  +49 911 30999 55 | Fax: +49 911 30999 99
mail: martin.steigerwald@teamix.de | web:  http://www.teamix.de | blog: http://blog.teamix.de

Nuremberg Local Court, HRB 18320 | Managing directors: Oliver Kügow, Richard Müller

teamix Support Hotline: +49 911 30999-112
 