Hello,
I checked how the binary shipped in several popular distributions looks
(ppa:vbernat/haproxy-2.4, docker haproxytech/haproxy-ubuntu, docker
haproxy).
Are we aware of those security features? Shall we move them to the Makefile?
Or is it up to the distribution?
ppa:vbernat/haproxy-2.4
[root@fedora haproxy-bionic]# ~ilia/checksec.sh/checksec --file=haproxy
RELRO        STACK CANARY   NX          PIE          RPATH     RUNPATH     Symbols       FORTIFY  Fortified  Fortifiable  FILE
Full RELRO   Canary found   NX enabled  PIE enabled  No RPATH  No RUNPATH  No Symbols    Yes      12         26           haproxy
BinSkim:
Analyzing 'haproxy'...
Analysis completed successfully.
docker haproxytech/haproxy-ubuntu
[fedora haproxy-docker]# ~ilia/checksec.sh/checksec --file=haproxy-tech
RELRO        STACK CANARY   NX          PIE          RPATH     RUNPATH     Symbols       FORTIFY  Fortified  Fortifiable  FILE
Full RELRO   Canary found   NX enabled  PIE enabled  No RPATH  No RUNPATH  5664) Symbols Yes      12         26           haproxy-tech
BinSkim:
Analyzing 'haproxy-tech'...
/home/ilia/haproxy-docker/haproxy-tech: error BA3004: 'haproxy-tech' is
using debugging dwarf version '4'. The dwarf version 5 contains more
information and should be used. To enable the debugging version 5 use
'-gdwarf-5'.
Analysis completed successfully.
docker haproxy
[ilia@fedora checksec.sh]$ ./checksec --file=/home/ilia/haproxy-docker/haproxy
RELRO          STACK CANARY      NX          PIE          RPATH     RUNPATH     Symbols       FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO  No canary found   NX enabled  PIE enabled  No RPATH  No RUNPATH  5926) Symbols Yes      0          20           /home/ilia/haproxy-docker/haproxy
BinSkim:
/home/ilia/haproxy-docker/haproxy: error BA3003: The stack protector was
not found in 'haproxy'. This may be because '--stack-protector-strong' was
not used, or because it was explicitly disabled by '-fno-stack-protectors'.
Modules did not meet the criteria: slz.c, ev_poll.c, ev_epoll.c, cpuset.c,
ssl_sample.c, ssl_sock.c, ssl_crtlist.c, ssl_ckch.c, ssl_utils.c,
cfgparse-ssl.c, hlua.c, hlua_fcn.c, service-prometheus.c, namespace.c,
mux_h2.c, mux_fcgi.c, http_ana.c, mux_h1.c, stream.c, tcpcheck.c, stats.c,
flt_spoe.c, server.c, tools.c, sample.c, log.c, backend.c, stick_table.c,
cfgparse.c, peers.c, cli.c, pattern.c, resolvers.c, proxy.c, http_htx.c,
check.c, cache.c, cfgparse-listen.c, haproxy.c, http_act.c,
stream_interface.c, http_fetch.c, listener.c, dns.c, connection.c,
tcp_rules.c, debug.c, sink.c, payload.c, mux_pt.c, filters.c, fcgi-app.c,
server_state.c, vars.c, map.c, cfgparse-global.c, task.c, flt_http_comp.c,
session.c, sock.c, cfgcond.c, flt_trace.c, acl.c, trace.c, http_rules.c,
queue.c, mjson.c, h2.c, h1.c, mworker.c, lb_chash.c, ring.c, activity.c,
tcp_sample.c, proto_tcp.c, htx.c, h1_htx.c, extcheck.c, channel.c,
proto_sockpair.c, fd.c, compression.c, mqtt.c, tcp_act.c, raw_sock.c,
frontend.c, http_conv.c, xprt_handshake.c, pool.c, applet.c, mailers.c,
lb_fwrr.c, lb_fwlc.c, lb_fas.c, proto_uxst.c, http.c, action.c, protocol.c,
thread.c, sock_unix.c, proto_udp.c, lb_map.c, sock_inet.c, lru.c,
cfgparse-tcp.c, cfgdiag.c, proto_uxdg.c, ev_select.c, cfgparse-unix.c,
uri_normalizer.c, ebmbtree.c, sha1.c, time.c, signal.c, mworker-prog.c,
hpack-dec.c, fix.c, arg.c, eb64tree.c, chunk.c, shctx.c, regex.c, fcgi.c,
eb32tree.c, eb32sctree.c, dynbuf.c, uri_auth.c, hpack-tbl.c, ebimtree.c,
auth.c, ebsttree.c, ebistree.c, base64.c, wdt.c, pipe.c, http_acl.c,
hpack-enc.c, dict.c, dgram.c, init.c, hpack-huff.c, freq_ctr.c, ebtree.c,
hash.c, version.c, errors.c, http_client.c
/home/ilia/haproxy-docer/haproxy: error BA3004: 'haproxy' is using
debugging dwarf version '4'. The dwarf version 5 contains more information
and should be used. To enable the debugging version 5 use '-gdwarf-5'.
/home/ilia/haproxy-docer/haproxy: error BA3005: The Stack Clash Protection
is missing from this binary, so the stack from 'haproxy' can clash/colide
with another memory region. Ensure you are compiling with the compiler
flags '-fstack-clash-protection' to address this.
Modules did not meet the criteria: slz.c, ev_poll.c, ev_epoll.c, cpuset.c,
ssl_sample.c, ssl_sock.c, ssl_crtlist.c, ssl_ckch.c, ssl_utils.c,
cfgparse-ssl.c, hlua.c, hlua_fcn.c, service-prometheus.c, namespace.c,
mux_h2.c, mux_fcgi.c, http_ana.c, mux_h1.c, stream.c, tcpcheck.c, stats.c,
flt_spoe.c, server.c, tools.c, sample.c, log.c, backend.c, stick_table.c,
cfgparse.c, peers.c, cli.c, pattern.c, resolvers.c, proxy.c, http_htx.c,
check.c, cache.c, cfgparse-listen.c, haproxy.c, http_act.c,
stream_interface.c, http_fetch.c, listener.c, dns.c, connection.c,
tcp_rules.c, debug.c, sink.c, payload.c, mux_pt.c, filters.c, fcgi-app.c,
server_state.c, vars.c, map.c, cfgparse-global.c, task.c, flt_http_comp.c,
session.c, sock.c, cfgcond.c, flt_trace.c, acl.c, trace.c, http_rules.c,
queue.c, mjson.c, h2.c, h1.c, mworker.c, lb_chash.c, ring.c, activity.c,
tcp_sample.c, proto_tcp.c, htx.c, h1_htx.c, extcheck.c, channel.c,
proto_sockpair.c, fd.c, compression.c, mqtt.c, tcp_act.c, raw_sock.c,
frontend.c, http_conv.c, xprt_handshake.c, pool.c, applet.c, mailers.c,
lb_fwrr.c, lb_fwlc.c, lb_fas.c, proto_uxst.c, http.c, action.c, protocol.c,
thread.c, sock_unix.c, proto_udp.c, lb_map.c, sock_inet.c, lru.c,
cfgparse-tcp.c, cfgdiag.c, proto_uxdg.c, ev_select.c, cfgparse-unix.c,
uri_normalizer.c, ebmbtree.c, sha1.c, time.c, signal.c, mworker-prog.c,
hpack-dec.c, fix.c, arg.c, eb64tree.c, chunk.c, shctx.c, regex.c, fcgi.c,
eb32tree.c, eb32sctree.c, dynbuf.c, uri_auth.c, hpack-tbl.c, ebimtree.c,
auth.c, ebsttree.c, ebistree.c, base64.c, wdt.c, pipe.c, http_acl.c,
hpack-enc.c, dict.c, dgram.c, init.c, hpack-huff.c, freq_ctr.c, ebtree.c,
hash.c, version.c, errors.c, http_client.c
/home/ilia/haproxy-docer/haproxy: error BA3011: The BIND_NOW flag is
missing from this binary, so relocation sections in 'haproxy' will not be
marked as read only after the binary is loaded. An attacker can overwrite
these to redirect control flow. Ensure you are compiling with the compiler
flags '-Wl,z,now' to address this.
/home/ilia/haproxy-docer/haproxy: error BA3030: No checked functions are
present/used when compiling 'haproxy', and it was compiled with GCC--and it
uses functions that can be checked. The Fortify Source flag replaces some
unsafe functions with checked versions when a static length can be
determined, and can be enabled by passing '-D_FORTIFY_SOURCE=2' when
optimization level 2 ('-O2') is enabled. It is possible that the flag was
passed, but that the compiler could not statically determine the length of
any buffers/strings.
Analysis completed successfully.
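As an added illustration (not code from the original message or from the haproxy project): a dependency-free Python reader that derives the RELRO/BIND_NOW, stack canary, NX, PIE and FORTIFY properties reported above directly from the ELF program headers and dynamic section, so a build or CI step can confirm that the Makefile flags actually reached the shipped binary. It assumes a 64-bit little-endian ELF; stack clash protection (BinSkim BA3005) is pure code generation and leaves no ELF marker, so it is deliberately not reported.

```python
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552  # program header types
DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 5, 10, 24, 30, 0x6FFFFFFB  # dynamic tags
DF_BIND_NOW, DF_1_NOW, PF_X, ET_DYN = 0x8, 0x1, 0x1, 3  # flag bits and the PIE/shared object type

def hardening_report(path):
    """Return hardening properties of a 64-bit little-endian ELF file, or None if it is not one."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:  # magic, ELFCLASS64, little-endian
        return None
    (e_type,) = struct.unpack_from("<H", data, 0x10)
    (phoff,) = struct.unpack_from("<Q", data, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dyn, stack_flags, relro = [], None, None, False
    for i in range(phnum):  # program header: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, p_flags, p_off, p_vaddr, _, p_filesz = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    tags = {}
    if dyn:  # walk the dynamic section up to DT_NULL, keeping the first value seen per tag
        for pos in range(dyn[0], dyn[0] + dyn[1], 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == 0:
                break
            tags.setdefault(tag, val)
    names = set()
    for v, o, sz in loads:  # map the dynamic string table's virtual address to a file offset
        if DT_STRTAB in tags and v <= tags[DT_STRTAB] < v + sz:
            start = tags[DT_STRTAB] - v + o
            names = set(data[start:start + tags.get(DT_STRSZ, 0)].split(b"\0"))
    bind_now = DT_BIND_NOW in tags or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    fortified = sorted(n.decode() for n in names if n.startswith(b"__") and n.endswith(b"_chk"))
    return {
        "relro": "Full" if relro and bind_now else "Partial" if relro else "No",  # Full needs -z relro and -z now
        "canary": b"__stack_chk_fail" in names,  # imported by code built with -fstack-protector-strong
        "nx": stack_flags is not None and not stack_flags & PF_X,  # PT_GNU_STACK present and not executable
        "pie": e_type == ET_DYN,  # note: shared libraries are ET_DYN as well
        "fortify": fortified,  # __*_chk replacements emitted under -D_FORTIFY_SOURCE=2 with -O2
    }

def report_for_running_python():  # convenience entry point: check the interpreter running this script
    return hardening_report(sys.executable)
```

Run it against the distribution binary (`hardening_report("/path/to/haproxy")`) and compare the result with the checksec rows above; a "Partial" RELRO together with an empty fortify list reproduces the docker haproxy findings.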