No interest :) ?
On Sat, Sep 18, 2021, 3:05 PM Илья Шипицин <[email protected]> wrote:
> Hello,
>
> I checked how the binaries shipped by several popular distributions look
> (ppa:vbernat/haproxy-2.4, docker haproxytech/haproxy-ubuntu, docker
> haproxy).
>
> Are we aware of those security features? Shall we move them to the Makefile?
> Or is it up to the distribution?
>
>
> ppa:vbernat/haproxy-2.4
>
> [root@fedora haproxy-bionic]# ~ilia/checksec.sh/checksec --file=haproxy
> RELRO        STACK CANARY   NX           PIE           RPATH      RUNPATH      Symbols      FORTIFY  Fortified  Fortifiable  FILE
> Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   No Symbols   Yes      12         26           haproxy
>
> BinSkim:
> Analyzing 'haproxy'...
> Analysis completed successfully.
>
>
> docker haproxytech/haproxy-ubuntu
>
> [fedora haproxy-docker]# ~ilia/checksec.sh/checksec --file=haproxy-tech
> RELRO        STACK CANARY   NX           PIE           RPATH      RUNPATH      Symbols         FORTIFY  Fortified  Fortifiable  FILE
> Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   5664) Symbols   Yes      12         26           haproxy-tech
>
> BinSkim
> Analyzing 'haproxy-tech'...
> /home/ilia/haproxy-docker/haproxy-tech: error BA3004: 'haproxy-tech' is
> using debugging dwarf version '4'. The dwarf version 5 contains more
> information and should be used. To enable the debugging version 5 use
> '-gdwarf-5'.
> Analysis completed successfully.
>
> docker haproxy
>
> [ilia@fedora checksec.sh]$ ./checksec --file=/home/ilia/haproxy-docker/haproxy
> RELRO           STACK CANARY      NX           PIE           RPATH      RUNPATH      Symbols         FORTIFY  Fortified  Fortifiable  FILE
> Partial RELRO   No canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   5926) Symbols   Yes      0          20           /home/ilia/haproxy-docker/haproxy
>
> BinSkim
>
> /home/ilia/haproxy-docker/haproxy: error BA3003: The stack protector was
> not found in 'haproxy'. This may be because '--stack-protector-strong' was
> not used, or because it was explicitly disabled by '-fno-stack-protectors'.
> Modules did not meet the criteria: slz.c, ev_poll.c, ev_epoll.c, cpuset.c,
> ssl_sample.c, ssl_sock.c, ssl_crtlist.c, ssl_ckch.c, ssl_utils.c,
> cfgparse-ssl.c, hlua.c, hlua_fcn.c, service-prometheus.c, namespace.c,
> mux_h2.c, mux_fcgi.c, http_ana.c, mux_h1.c, stream.c, tcpcheck.c, stats.c,
> flt_spoe.c, server.c, tools.c, sample.c, log.c, backend.c, stick_table.c,
> cfgparse.c, peers.c, cli.c, pattern.c, resolvers.c, proxy.c, http_htx.c,
> check.c, cache.c, cfgparse-listen.c, haproxy.c, http_act.c,
> stream_interface.c, http_fetch.c, listener.c, dns.c, connection.c,
> tcp_rules.c, debug.c, sink.c, payload.c, mux_pt.c, filters.c, fcgi-app.c,
> server_state.c, vars.c, map.c, cfgparse-global.c, task.c, flt_http_comp.c,
> session.c, sock.c, cfgcond.c, flt_trace.c, acl.c, trace.c, http_rules.c,
> queue.c, mjson.c, h2.c, h1.c, mworker.c, lb_chash.c, ring.c, activity.c,
> tcp_sample.c, proto_tcp.c, htx.c, h1_htx.c, extcheck.c, channel.c,
> proto_sockpair.c, fd.c, compression.c, mqtt.c, tcp_act.c, raw_sock.c,
> frontend.c, http_conv.c, xprt_handshake.c, pool.c, applet.c, mailers.c,
> lb_fwrr.c, lb_fwlc.c, lb_fas.c, proto_uxst.c, http.c, action.c, protocol.c,
> thread.c, sock_unix.c, proto_udp.c, lb_map.c, sock_inet.c, lru.c,
> cfgparse-tcp.c, cfgdiag.c, proto_uxdg.c, ev_select.c, cfgparse-unix.c,
> uri_normalizer.c, ebmbtree.c, sha1.c, time.c, signal.c, mworker-prog.c,
> hpack-dec.c, fix.c, arg.c, eb64tree.c, chunk.c, shctx.c, regex.c, fcgi.c,
> eb32tree.c, eb32sctree.c, dynbuf.c, uri_auth.c, hpack-tbl.c, ebimtree.c,
> auth.c, ebsttree.c, ebistree.c, base64.c, wdt.c, pipe.c, http_acl.c,
> hpack-enc.c, dict.c, dgram.c, init.c, hpack-huff.c, freq_ctr.c, ebtree.c,
> hash.c, version.c, errors.c, http_client.c
> /home/ilia/haproxy-docer/haproxy: error BA3004: 'haproxy' is using
> debugging dwarf version '4'. The dwarf version 5 contains more information
> and should be used. To enable the debugging version 5 use '-gdwarf-5'.
> /home/ilia/haproxy-docer/haproxy: error BA3005: The Stack Clash Protection
> is missing from this binary, so the stack from 'haproxy' can clash/colide
> with another memory region. Ensure you are compiling with the compiler
> flags '-fstack-clash-protection' to address this.
> Modules did not meet the criteria: slz.c, ev_poll.c, ev_epoll.c, cpuset.c,
> ssl_sample.c, ssl_sock.c, ssl_crtlist.c, ssl_ckch.c, ssl_utils.c,
> cfgparse-ssl.c, hlua.c, hlua_fcn.c, service-prometheus.c, namespace.c,
> mux_h2.c, mux_fcgi.c, http_ana.c, mux_h1.c, stream.c, tcpcheck.c, stats.c,
> flt_spoe.c, server.c, tools.c, sample.c, log.c, backend.c, stick_table.c,
> cfgparse.c, peers.c, cli.c, pattern.c, resolvers.c, proxy.c, http_htx.c,
> check.c, cache.c, cfgparse-listen.c, haproxy.c, http_act.c,
> stream_interface.c, http_fetch.c, listener.c, dns.c, connection.c,
> tcp_rules.c, debug.c, sink.c, payload.c, mux_pt.c, filters.c, fcgi-app.c,
> server_state.c, vars.c, map.c, cfgparse-global.c, task.c, flt_http_comp.c,
> session.c, sock.c, cfgcond.c, flt_trace.c, acl.c, trace.c, http_rules.c,
> queue.c, mjson.c, h2.c, h1.c, mworker.c, lb_chash.c, ring.c, activity.c,
> tcp_sample.c, proto_tcp.c, htx.c, h1_htx.c, extcheck.c, channel.c,
> proto_sockpair.c, fd.c, compression.c, mqtt.c, tcp_act.c, raw_sock.c,
> frontend.c, http_conv.c, xprt_handshake.c, pool.c, applet.c, mailers.c,
> lb_fwrr.c, lb_fwlc.c, lb_fas.c, proto_uxst.c, http.c, action.c, protocol.c,
> thread.c, sock_unix.c, proto_udp.c, lb_map.c, sock_inet.c, lru.c,
> cfgparse-tcp.c, cfgdiag.c, proto_uxdg.c, ev_select.c, cfgparse-unix.c,
> uri_normalizer.c, ebmbtree.c, sha1.c, time.c, signal.c, mworker-prog.c,
> hpack-dec.c, fix.c, arg.c, eb64tree.c, chunk.c, shctx.c, regex.c, fcgi.c,
> eb32tree.c, eb32sctree.c, dynbuf.c, uri_auth.c, hpack-tbl.c, ebimtree.c,
> auth.c, ebsttree.c, ebistree.c, base64.c, wdt.c, pipe.c, http_acl.c,
> hpack-enc.c, dict.c, dgram.c, init.c, hpack-huff.c, freq_ctr.c, ebtree.c,
> hash.c, version.c, errors.c, http_client.c
> /home/ilia/haproxy-docer/haproxy: error BA3011: The BIND_NOW flag is
> missing from this binary, so relocation sections in 'haproxy' will not be
> marked as read only after the binary is loaded. An attacker can overwrite
> these to redirect control flow. Ensure you are compiling with the compiler
> flags '-Wl,z,now' to address this.
> /home/ilia/haproxy-docer/haproxy: error BA3030: No checked functions are
> present/used when compiling 'haproxy', and it was compiled with GCC--and it
> uses functions that can be checked. The Fortify Source flag replaces some
> unsafe functions with checked versions when a static length can be
> determined, and can be enabled by passing '-D_FORTIFY_SOURCE=2' when
> optimization level 2 ('-O2') is enabled. It is possible that the flag was
> passed, but that the compiler could not statically determine the length of
> any buffers/strings.
> Analysis completed successfully.
>
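Everything checksec and BinSkim report above (RELRO, BIND_NOW, NX, PIE, stack canary, FORTIFY) is derived from a handful of ELF program headers, dynamic tags and imported symbol names. The following is an added example and not code from HAProxy, checksec or BinSkim: a small Python checker that reads those headers directly with nothing but `struct`, plus a builder that emits constructed synthetic ELF64 files so the checker can be exercised offline. The synthetic layout (load base 0x10000, one PT_LOAD covering the file, `.dynamic` right after `.dynstr`) is this example's own assumption; the checker itself works on any little-endian ELF64, so it can be pointed at the haproxy binaries above.

```python
"""Minimal ELF64 hardening checker: what the RELRO / NX / PIE / canary /
FORTIFY columns of checksec actually inspect. Added example, not code from
HAProxy, checksec or BinSkim."""
import struct
import sys

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
DYN = "<qQ"                  # Elf64_Dyn, 16 bytes
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
BASE = 0x10000               # load address used by the synthetic binaries (assumption)


def _vaddr_to_off(phdrs, addr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p in phdrs:
        if p[0] == PT_LOAD and p[3] <= addr < p[3] + p[5]:
            return p[2] + (addr - p[3])
    raise ValueError("address 0x%x is not backed by any PT_LOAD" % addr)


def hardening(blob):
    """Return {'pie','nx','relro','canary','fortify'} for a little-endian ELF64 image."""
    hdr = struct.unpack_from(EHDR, blob, 0)
    ident, e_type, phoff, phentsize, phnum = hdr[0], hdr[1], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = [struct.unpack_from(PHDR, blob, phoff + i * phentsize) for i in range(phnum)]
    # Walk the dynamic section (PT_DYNAMIC) up to DT_NULL; last value of a tag wins.
    tags = {}
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dyn:
        off = dyn[2]
        while True:
            tag, val = struct.unpack_from(DYN, blob, off)
            if tag == DT_NULL:
                break
            tags[tag] = val
            off += struct.calcsize(DYN)
    # Imported names from .dynstr: an approximation of "readelf -s | grep __stack_chk_fail".
    # checksec reads .dynsym, which a stray string in .dynstr cannot fool.
    names = []
    if DT_STRTAB in tags and DT_STRSZ in tags:
        off = _vaddr_to_off(phdrs, tags[DT_STRTAB])
        names = blob[off:off + tags[DT_STRSZ]].split(b"\0")
    stack = next((p for p in phdrs if p[0] == PT_GNU_STACK), None)
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    # Full RELRO needs the read-only region *and* eager binding (-z now), expressed
    # by any of DT_BIND_NOW, DT_FLAGS:DF_BIND_NOW or DT_FLAGS_1:DF_1_NOW.
    bind_now = (DT_BIND_NOW in tags or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    return {
        "pie": e_type == ET_DYN,  # ET_DYN also covers shared objects
        # A missing PT_GNU_STACK is treated as executable here (conservative choice).
        "nx": stack is not None and not (stack[1] & PF_X),
        "relro": "Full" if has_relro and bind_now else "Partial" if has_relro else "No",
        "canary": b"__stack_chk_fail" in names,
        "fortify": any(n.startswith(b"__") and n.endswith(b"_chk") for n in names),
    }


def build_elf(pie=True, nx=True, relro=True, bind_now=True, canary=True, fortify=True):
    """Constructed sample input: a tiny ELF64 carrying only the headers the checker reads."""
    names = ([b""] + ([b"__stack_chk_fail"] if canary else [])
             + ([b"__memcpy_chk"] if fortify else []) + [b"libc.so.6"])
    dynstr = b"\0".join(names) + b"\0"
    phnum = 3 + (1 if relro else 0)
    dynstr_off = 64 + 56 * phnum
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7          # 8-byte align .dynamic
    dyn = [(DT_STRTAB, BASE + dynstr_off), (DT_STRSZ, len(dynstr))]
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    dyn_size, total = 16 * len(dyn), dyn_off + 16 * len(dyn)
    phdrs = [
        (PT_LOAD, PF_R | PF_W, 0, BASE, BASE, total, total, 0x1000),
        (PT_DYNAMIC, PF_R | PF_W, dyn_off, BASE + dyn_off, BASE + dyn_off, dyn_size, dyn_size, 8),
        (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
    ]
    if relro:  # real binaries cover .dynamic/.got with this segment too
        phdrs.append((PT_GNU_RELRO, PF_R, dyn_off, BASE + dyn_off, BASE + dyn_off, dyn_size, dyn_size, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # ELFCLASS64, LSB, v1, SysV ABI
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, BASE, 64, 0, 0,
                       64, 56, phnum, 64, 0, 0)
    body = ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dynstr
    return body.ljust(dyn_off, b"\0") + b"".join(struct.pack(DYN, *d) for d in dyn)


if __name__ == "__main__":
    # With a path: check a real binary. Without: check a synthetic one shaped
    # like the "docker haproxy" result above (partial RELRO, no canary).
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf(bind_now=False, canary=False)
    for key, value in hardening(blob).items():
        print("%-8s %s" % (key, value))
```

The builder's knobs map onto the compiler and linker flags the findings above ask for: `-fPIE -pie` turns `e_type` into `ET_DYN`, `-Wl,-z,relro` adds `PT_GNU_RELRO`, `-Wl,-z,now` (the linker spelling of what BinSkim's BA3011 text calls `-Wl,z,now`) sets the BIND_NOW flag that upgrades partial to full RELRO, `-fstack-protector-strong` pulls in `__stack_chk_fail`, and `-D_FORTIFY_SOURCE=2 -O2` replaces calls with `__*_chk` variants where the compiler can bound the buffer (BA3030 is right that the flag can be set and still produce no checked call). Stack clash protection (`-fstack-clash-protection`, BA3005) leaves no header or symbol behind, which is why checksec has no column for it and BinSkim has to look at the generated code instead.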