Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-11-06 Thread Bálint Réczey
Hi,

2016-11-04 4:42 GMT+01:00 Guillem Jover :
> Hi!
>
> On Mon, 2016-05-23 at 11:45:46 +0100, Steven Chamberlain wrote:
>> This may be a silly / obvious question to ask, but:
>> do any of the proposed hardening options _really_ change the ABI?
>
> I don't think it's silly at all! I've actually wondered this myself
> and asked Bálint in person and at least in #812782, perhaps somewhere
> else.

GCC's ASAN needs __asan_init_v1 (and friends) [1] in shared libraries
which I consider to be part of the ABI between shared libraries and
executables. If we accept that reasoning, the ABI is a little different.
If we don't, then the ABI is the same.

If we accept that the ABI is different, there still is a problem, namely
that the ABI is not stable and this practically prevents making the port
an official one in Debian.

>
>> I think LLVM/Clang's ASan implementation does (for Feature: "symbol size
>> changing for global variables" on
>> https://github.com/google/sanitizers/wiki/AddressSanitizerClangVsGCC)
>> but couldn't confirm if that is the case with GCC (which seems to not
>> implement that particular feature, at least).
>
> I think the problem Bálint described with ASAN was something else,
> but TBH I cannot remember what it was. In any case I've found the
> documentation about the various *SAN very lacking. :( And this specific
> part was not covered at all when I looked at the time.
>
>> If there's no ABI change, creation of a new arch and gnuhardened*-*-*
>> triplet wouldn't be needed;  hardened packages would be co-installable
>> with official ones without using multi-arch;  and perhaps all that is
>> needed is a separate archive suite, to achieve what was suggested on
>> http://balintreczey.hu/blog/proposing-amd64-hardened-architecture-for-debian/
>>
>> (Or, packages in the main archive could enable those hardening options?).
>
> Exactly my thoughts, and what I also told Bálint at the time.

An ASAN executable would crash with a non-ASAN shared lib with only a
separate archive.
Multiarch would take care of installing the right libs for ASAN executables.

Cheers,
Balint

>
> Thanks,
> Guillem


[1] http://tsdgeos.blogspot.hu/2014/03/asan-and-libraries.html
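A way to verify, on a built binary, the three properties this thread argues about: PIE, bindnow, and dependence on the ASAN/UBSAN runtime, which this message and Guillem's 2016-01-28 reply both tie to the ABI question. This is an added example, not code from the bug report or from dpkg; it assumes ELF64 input, classifies an ET_DYN file carrying DT_DEBUG or DF_1_PIE as a PIE (the checksec.sh heuristic), and detects sanitizer dependence through the `__asan_init*` / `__ubsan_handle_*` dynamic symbols that the [1] link is about.

```python
import struct
import sys

# ELF constants from elf.h; only those this checker needs.
ET_DYN = 3
SHT_DYNAMIC, SHT_DYNSYM = 6, 11
DT_NULL, DT_NEEDED, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 1, 21, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
# Dynamic symbols that only appear in objects built with -fsanitize=address / undefined.
SANITIZER_PREFIXES = ("__asan_init", "__asan_version_mismatch_check", "__ubsan_handle_")


def _cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")


def inspect_elf_bytes(data):
    """Return PIE / bindnow / sanitizer facts about one ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    en = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    e_type = struct.unpack_from(en + "H", data, 16)[0]
    e_shoff = struct.unpack_from(en + "Q", data, 40)[0]
    shentsize, shnum = struct.unpack_from(en + "HH", data, 58)
    # Elf64_Shdr fields: name, type, flags, addr, offset, size, link, info, align, entsize
    sh = [struct.unpack_from(en + "IIQQQQIIQQ", data, e_shoff + i * shentsize)
          for i in range(shnum)]
    res = {"e_type": e_type, "is_pie": False, "bind_now": False, "needed": [], "sanitizer_symbols": []}
    flags, flags1, has_debug, tagged_now = 0, 0, False, False
    for sec in (s for s in sh if s[1] == SHT_DYNAMIC):
        strtab_off = sh[sec[6]][4]  # sh_link of .dynamic is the .dynstr section
        for off in range(sec[4], sec[4] + sec[5], 16):  # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from(en + "qQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                res["needed"].append(_cstr(data, strtab_off + val))
            elif tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags1 = val
            elif tag == DT_BIND_NOW:
                tagged_now = True
            elif tag == DT_DEBUG:
                has_debug = True
    # dpkg's bindnow feature (-Wl,-z,now) shows up as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
    res["bind_now"] = tagged_now or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    # A PIE is ET_DYN like a shared library; DF_1_PIE (newer linkers) or a DT_DEBUG entry
    # (executables only; the checksec.sh heuristic) tells the two apart.
    res["is_pie"] = e_type == ET_DYN and (bool(flags1 & DF_1_PIE) or has_debug)
    for sec in (s for s in sh if s[1] == SHT_DYNSYM):
        strtab_off = sh[sec[6]][4]
        for off in range(sec[4], sec[4] + sec[5], 24):  # Elf64_Sym is 24 bytes
            st_name, _info, _other, st_shndx = struct.unpack_from(en + "IBBH", data, off)
            name = _cstr(data, strtab_off + st_name)
            if name.startswith(SANITIZER_PREFIXES):
                # (name, undefined?): an undefined one must come from the ASAN/UBSAN runtime,
                # which a plain executable never loads, hence the ABI concern in the thread.
                res["sanitizer_symbols"].append((name, st_shndx == 0))  # 0 == SHN_UNDEF
    return res


def inspect_elf(path):
    with open(path, "rb") as f:
        return inspect_elf_bytes(f.read())


def inspect_running_python():
    return inspect_elf(sys.executable)  # quick self-check on the interpreter itself
```

Run `inspect_elf` over a library built with -fsanitize=address and `sanitizer_symbols` lists `__asan_init*` as undefined, which is exactly why a program built without ASAN cannot load it.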



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-11-03 Thread Guillem Jover
Hi!

On Mon, 2016-05-23 at 11:45:46 +0100, Steven Chamberlain wrote:
> This may be a silly / obvious question to ask, but:
> do any of the proposed hardening options _really_ change the ABI?

I don't think it's silly at all! I've actually wondered this myself
and asked Bálint in person and at least in #812782, perhaps somewhere
else.

> I think LLVM/Clang's ASan implementation does (for Feature: "symbol size
> changing for global variables" on
> https://github.com/google/sanitizers/wiki/AddressSanitizerClangVsGCC)
> but couldn't confirm if that is the case with GCC (which seems to not
> implement that particular feature, at least).

I think the problem Bálint described with ASAN was something else,
but TBH I cannot remember what it was. In any case I've found the
documentation about the various *SAN very lacking. :( And this specific
part was not covered at all when I looked at the time.

> If there's no ABI change, creation of a new arch and gnuhardened*-*-*
> triplet wouldn't be needed;  hardened packages would be co-installable
> with official ones without using multi-arch;  and perhaps all that is
> needed is a separate archive suite, to achieve what was suggested on
> http://balintreczey.hu/blog/proposing-amd64-hardened-architecture-for-debian/
> 
> (Or, packages in the main archive could enable those hardening options?).

Exactly my thoughts, and what I also told Bálint at the time.

Thanks,
Guillem



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-11-03 Thread Guillem Jover
Control: forcemerge 812782 -1

Hi!

On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote:
> Package: dpkg
> Version: 1.18.4
> Severity: wishlist
> Tags: patch
> User: bal...@balintreczey.hu
> Usertags: hardened1-linux-amd64

> This is the second patch enabling extra flags in dpkg in case the
> hardened1-linux-amd64 port is accepted in #812782.

I'm merging these two bugs, because they are really the same request,
and the defining trait of this new arch (if it ever materializes) is
the hardening settings, which should be enabled (or not) at the time
the port is defined and added to dpkg.

Thanks,
Guillem



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-05-23 Thread Steven Chamberlain
Hi,

This may be a silly / obvious question to ask, but:
do any of the proposed hardening options _really_ change the ABI?

I think LLVM/Clang's ASan implementation does (for Feature: "symbol size
changing for global variables" on
https://github.com/google/sanitizers/wiki/AddressSanitizerClangVsGCC)
but couldn't confirm if that is the case with GCC (which seems to not
implement that particular feature, at least).

If there's no ABI change, creation of a new arch and gnuhardened*-*-*
triplet wouldn't be needed;  hardened packages would be co-installable
with official ones without using multi-arch;  and perhaps all that is
needed is a separate archive suite, to achieve what was suggested on
http://balintreczey.hu/blog/proposing-amd64-hardened-architecture-for-debian/

(Or, packages in the main archive could enable those hardening options?).

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org




Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-03-16 Thread Guillem Jover
On Wed, 2016-03-09 at 14:07:22 +0100, Bálint Réczey wrote:
> 2016-03-09 12:09 GMT+01:00 Guillem Jover :
> > On Tue, 2016-03-08 at 11:29:04 +0100, Bálint Réczey wrote:
> >> 2016-03-08 1:52 GMT+01:00 Guillem Jover :
> >> > Actually setting bindnow and PIE would be fine as part of the default
> >> > build flags from dpkg, because those do not change the ABI in
> >> > principle. And those are the only ones I'd accept from this bug
> >> > report, but certainly not the ABI changing ones.
> >
> >> Do you mean you would be open to setting PIE and maybe bindnow as default
> >> flags for a potential new architecture or even for existing ones like amd64?
> >> In the latter case would you like to discuss that on debian-devel?
> >> I would support such changes and I think we are in time for enabling
> >> PIE for Stretch and bindnow for Stretch+1 (maybe Stretch).
> >
> > Setting PIE and bindnow for the proposed new arch seems fine to me, as
> > its main raison d'etre is precisely to be hardened. I don't think
> > anything has changed significantly to globally enable these by default
> > everywhere though (i.e. performance and potential for breakage, at least).

> I think there were significant changes in the open source landscape.
> Fedora 23 came out with PIE and bindnow by default:
> https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description

Actually you are right, as I also noticed a lintian commit adding a
reference to:

  


So the overhead might not be a problem anymore (at least on i386).

> GCC 6 will add the --enable-default-pie configure option, doko already
> back-ported it to 5.x in unstable and it is already enabled for Ubuntu 390x:
> http://anonscm.debian.org/viewvc/gcccvs/branches/sid/gcc-5/debian/rules.defs?view=markup#l1204
> 
> I think it would be reasonable to follow Fedora and make both PIE
> and bindnow opt-in after fixing
> most packages which don't build based on an archive-wide rebuild test in advance.

Opt-out I guess, as they are already opt-in :). In any case if you want
to pursue this, please take a look at:

  


:)

Thanks,
Guillem



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-03-09 Thread Bálint Réczey
Hi Guillem,

2016-03-09 12:09 GMT+01:00 Guillem Jover :
> Hi!
>
> On Tue, 2016-03-08 at 11:29:04 +0100, Bálint Réczey wrote:
>> 2016-03-08 1:52 GMT+01:00 Guillem Jover :
>> > Actually setting bindnow and PIE would be fine as part of the default
>> > build flags from dpkg, because those do not change the ABI in
>> > principle. And those are the only ones I'd accept from this bug
>> > report, but certainly not the ABI changing ones.
>
>> Do you mean you would be open to setting PIE and maybe bindnow as default
>> flags for a potential new architecture or even for existing ones like amd64?
>> In the latter case would you like to discuss that on debian-devel?
>> I would support such changes and I think we are in time for enabling
>> PIE for Stretch and bindnow for Stretch+1 (maybe Stretch).
>
> Setting PIE and bindnow for the proposed new arch seems fine to me, as
> its main raison d'etre is precisely to be hardened. I don't think
> anything has changed significantly to globally enable these by default
> everywhere though (i.e. performance and potential for breakage, at least).

I think there were significant changes in the open source landscape.
Fedora 23 came out with PIE and bindnow by default:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description

Lunar also suggested changing pie to opt-out rather than keeping it opt-in:
https://people.debian.org/~lunar/blog/posts/aslr_now/

GCC 6 will add the --enable-default-pie configure option, doko already
back-ported it to 5.x in unstable and it is already enabled for Ubuntu 390x:
http://anonscm.debian.org/viewvc/gcccvs/branches/sid/gcc-5/debian/rules.defs?view=markup#l1204

I think it would be reasonable to follow Fedora and make both PIE
and bindnow opt-in after fixing
most packages which don't build based on an archive-wide rebuild test in advance.

Cheers,
Balint



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-03-09 Thread Guillem Jover
Hi!

On Tue, 2016-03-08 at 11:29:04 +0100, Bálint Réczey wrote:
> 2016-03-08 1:52 GMT+01:00 Guillem Jover :
> > Actually setting bindnow and PIE would be fine as part of the default
> > build flags from dpkg, because those do not change the ABI in
> > principle. And those are the only ones I'd accept from this bug
> > report, but certainly not the ABI changing ones.

> Do you mean you would be open to setting PIE and maybe bindnow as default
> flags for a potential new architecture or even for existing ones like amd64?
> In the latter case would you like to discuss that on debian-devel?
> I would support such changes and I think we are in time for enabling
> PIE for Stretch and bindnow for Stretch+1 (maybe Stretch).

Setting PIE and bindnow for the proposed new arch seems fine to me, as
its main raison d'etre is precisely to be hardened. I don't think
anything has changed significantly to globally enable these by default
everywhere though (i.e. performance and potential for breakage, at least).

Thanks,
Guillem



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-03-08 Thread Bálint Réczey
Hi Guillem,

2016-03-08 1:52 GMT+01:00 Guillem Jover :
> Control: block -1 by 812782
>
> On Fri, 2016-01-29 at 12:55:42 +0100, Bálint Réczey wrote:
>> 2016-01-29 0:46 GMT+01:00 Guillem Jover :
>> > On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote:
>> >> Package: dpkg
>> >> Version: 1.18.4
>> >> Severity: wishlist
>> >> Tags: patch
>> >> User: bal...@balintreczey.hu
>> >> Usertags: hardened1-linux-amd64
>> >
>> >> This is the second patch enabling extra flags in dpkg in case the
>> >> hardened1-linux-amd64 port is accepted in #812782.
>> >
>> >> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
>> >> index db40b2c..2f39d82 100644
>> >> --- a/scripts/Dpkg/Vendor/Debian.pm
>> >> +++ b/scripts/Dpkg/Vendor/Debian.pm
>> >> @@ -177,6 +177,14 @@ sub _add_reproducible_flags {
>> >
>> >> +if ($abi =~ /^(?:gnuhardened1)$/) {
>> >> + # Enable bindnow on hardened ports
>> >> + $use_feature{bindnow} = 1;
>> >> +}
>> >> +
>>
>> > Unfortunately I don't think this is a good idea. Due to at least two
>> > reasons. First not all packages are using dpkg-buildflags, which means
>> > that many will simply fail to build if one of the libraries they use
>> > is using ASAN but the program is not (AFAIUI). And because this is
>
>> I plan on providing patches for those packages, but I see your point.
>>
>> > part of the ABI so it should really be a default in the compiler. This
>> > is part of the architecture definition. So this to me seems like the
>> > wrong place to set these.
>
>> I'm working towards adding those as default GCC flags. I have already added
>> PIE which I previously set in dpkg: #812889.
>
> Actually setting bindnow and PIE would be fine as part of the default
> build flags from dpkg, because those do not change the ABI in
> principle. And those are the only ones I'd accept from this bug
> report, but certainly not the ABI changing ones.

Do you mean you would be open to setting PIE and maybe bindnow as default
flags for a potential new architecture or even for existing ones like amd64?
In the latter case would you like to discuss that on debian-devel?
I would support such changes and I think we are in time for enabling
PIE for Stretch and bindnow for Stretch+1 (maybe Stretch).

>
>> Setting the flags in dpkg makes it possible to create the port before the GCC
>> patches are stable. My thinking was that I could migrate to changing GCC later
>> without breaking the ABI.
>
> Not an option really. Having a stable ABI is a prerequisite for any new
> dpkg architecture, until that has happened I'm not planning on considering
> such additions.

OK, I agree.

Cheers,
Balint



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-03-07 Thread Guillem Jover
Control: block -1 by 812782

On Fri, 2016-01-29 at 12:55:42 +0100, Bálint Réczey wrote:
> 2016-01-29 0:46 GMT+01:00 Guillem Jover :
> > On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote:
> >> Package: dpkg
> >> Version: 1.18.4
> >> Severity: wishlist
> >> Tags: patch
> >> User: bal...@balintreczey.hu
> >> Usertags: hardened1-linux-amd64
> >
> >> This is the second patch enabling extra flags in dpkg in case the
> >> hardened1-linux-amd64 port is accepted in #812782.
> >
> >> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
> >> index db40b2c..2f39d82 100644
> >> --- a/scripts/Dpkg/Vendor/Debian.pm
> >> +++ b/scripts/Dpkg/Vendor/Debian.pm
> >> @@ -177,6 +177,14 @@ sub _add_reproducible_flags {
> >
> >> +if ($abi =~ /^(?:gnuhardened1)$/) {
> >> + # Enable bindnow on hardened ports
> >> + $use_feature{bindnow} = 1;
> >> +}
> >> +
> 
> > Unfortunately I don't think this is a good idea. Due to at least two
> > reasons. First not all packages are using dpkg-buildflags, which means
> > that many will simply fail to build if one of the libraries they use
> > is using ASAN but the program is not (AFAIUI). And because this is

> I plan on providing patches for those packages, but I see your point.
> 
> > part of the ABI so it should really be a default in the compiler. This
> > is part of the architecture definition. So this to me seems like the
> > wrong place to set these.

> I'm working towards adding those as default GCC flags. I have already added
> PIE which I previously set in dpkg: #812889 .

Actually setting bindnow and PIE would be fine as part of the default
build flags from dpkg, because those do not change the ABI in
principle. And those are the only ones I'd accept from this bug
report, but certainly not the ABI changing ones.

> Setting the flags in dpkg makes it possible to create the port before the GCC
> patches are stable. My thinking was that I could migrate to changing GCC later
> without breaking the ABI.

Not an option really. Having a stable ABI is a prerequisite for any new
dpkg architecture, until that has happened I'm not planning on considering
such additions.

Thanks,
Guillem



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-01-29 Thread Bálint Réczey
Hi,

2016-01-29 0:46 GMT+01:00 Guillem Jover :
> Hi!
>
> On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote:
>> Package: dpkg
>> Version: 1.18.4
>> Severity: wishlist
>> Tags: patch
>> User: bal...@balintreczey.hu
>> Usertags: hardened1-linux-amd64
>
>> This is the second patch enabling extra flags in dpkg in case the
>> hardened1-linux-amd64 port is accepted in #812782.
>
>> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
>> index db40b2c..2f39d82 100644
>> --- a/scripts/Dpkg/Vendor/Debian.pm
>> +++ b/scripts/Dpkg/Vendor/Debian.pm
>> @@ -177,6 +177,14 @@ sub _add_reproducible_flags {
>> +my $arch = get_host_arch();
>> +my ($abi, $os, $cpu) = debarch_to_debtriplet($arch);
>> +
>> +unless (defined $abi and defined $os and defined $cpu) {
>> +warning(g_("unknown host architecture '%s'"), $arch);
>> +($abi, $os, $cpu) = ('', '', '');
>> +}
>> +
>
>> +if ($abi =~ /^(?:gnuhardened1)$/) {
>> + # Enable address and undefined behavior sanitizers for the
>> +# hardened ports
>> + $use_feature{address} = 1;
>> + $use_feature{undefined} = 1;
>> +}
>> +
>
>
>> +if ($abi =~ /^(?:gnuhardened1)$/) {
>> + # Enable bindnow on hardened ports
>> + $use_feature{bindnow} = 1;
>> +}
>> +

>
> Unfortunately I don't think this is a good idea. Due to at least two
> reasons. First not all packages are using dpkg-buildflags, which means
> that many will simply fail to build if one of the libraries they use
> is using ASAN but the program is not (AFAIUI). And because this is

I plan on providing patches for those packages, but I see your point.

> part of the ABI so it should really be a default in the compiler. This
> is part of the architecture definition. So this to me seems like the
> wrong place to set these.

I'm working towards adding those as default GCC flags. I have already added
PIE which I previously set in dpkg: #812889.
Setting the flags in dpkg makes it possible to create the port before the GCC
patches are stable. My thinking was that I could migrate to changing GCC later
without breaking the ABI.

Cheers,
Balint



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-01-28 Thread Guillem Jover
Hi!

On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote:
> Package: dpkg
> Version: 1.18.4
> Severity: wishlist
> Tags: patch
> User: bal...@balintreczey.hu
> Usertags: hardened1-linux-amd64

> This is the second patch enabling extra flags in dpkg in case the
> hardened1-linux-amd64 port is accepted in #812782.

> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
> index db40b2c..2f39d82 100644
> --- a/scripts/Dpkg/Vendor/Debian.pm
> +++ b/scripts/Dpkg/Vendor/Debian.pm
> @@ -177,6 +177,14 @@ sub _add_reproducible_flags {
> +my $arch = get_host_arch();
> +my ($abi, $os, $cpu) = debarch_to_debtriplet($arch);
> +
> +unless (defined $abi and defined $os and defined $cpu) {
> +warning(g_("unknown host architecture '%s'"), $arch);
> +($abi, $os, $cpu) = ('', '', '');
> +}
> +

> +if ($abi =~ /^(?:gnuhardened1)$/) {
> + # Enable address and undefined behavior sanitizers for the
> +# hardened ports
> + $use_feature{address} = 1;
> + $use_feature{undefined} = 1;
> +}
> +


> +if ($abi =~ /^(?:gnuhardened1)$/) {
> + # Enable bindnow on hardened ports
> + $use_feature{bindnow} = 1;
> +}
> +

Unfortunately I don't think this is a good idea. Due to at least two
reasons. First not all packages are using dpkg-buildflags, which means
that many will simply fail to build if one of the libraries they use
is using ASAN but the program is not (AFAIUI). And because this is
part of the ABI so it should really be a default in the compiler. This
is part of the architecture definition. So this to me seems like the
wrong place to set these.

Thanks,
Guillem



Bug#812783: dpkg: Please use ASAN, UBSAN and bindnow on hardened1-linux-amd64

2016-01-26 Thread Balint Reczey
Package: dpkg
Version: 1.18.4
Severity: wishlist
Tags: patch
User: bal...@balintreczey.hu
Usertags: hardened1-linux-amd64

Dear Guillem,

This is the second patch enabling extra flags in dpkg in case the
hardened1-linux-amd64 port is accepted in #812782.

Cheers,
Balint

From 2f43474201ea50f9b48d2ba80fcdc2ae38cefc84 Mon Sep 17 00:00:00 2001
From: Balint Reczey 
Date: Tue, 26 Jan 2016 13:41:54 +0100
Subject: [PATCH 2/2] Dpkg::Vendor::Debian: Use ASAN, UBSAN and bindnow on
 hardened1-* architectures

---
 scripts/Dpkg/Vendor/Debian.pm | 20 
 1 file changed, 20 insertions(+)

diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index db40b2c..2f39d82 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -177,6 +177,14 @@ sub _add_reproducible_flags {
 sub _add_sanitize_flags {
 my ($self, $flags) = @_;
 
+my $arch = get_host_arch();
+my ($abi, $os, $cpu) = debarch_to_debtriplet($arch);
+
+unless (defined $abi and defined $os and defined $cpu) {
+warning(g_("unknown host architecture '%s'"), $arch);
+($abi, $os, $cpu) = ('', '', '');
+}
+
 # Default feature states.
 my %use_feature = (
 address => 0,
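Review bot: the `$abi` lookup added at the top of `_add_sanitize_flags` duplicates one that must already exist in `_add_hardening_flags`, because the third hunk tests `$abi` there without declaring it; factor `get_host_arch()` / `debarch_to_debtriplet()` together with the `unknown host architecture` fallback into one helper used by both functions instead of copying the `unless (defined $abi and defined $os and defined $cpu)` block, otherwise an unrecognised architecture emits the same warning twice per dpkg-buildflags invocation.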
@@ -185,6 +193,13 @@ sub _add_sanitize_flags {
 undefined => 0,
 );
 
+if ($abi =~ /^(?:gnuhardened1)$/) {
+	# Enable address and undefined behavior sanitizers for the
+# hardened ports
+	$use_feature{address} = 1;
+	$use_feature{undefined} = 1;
+}
+
 # Adjust features based on user or maintainer's desires.
 $self->_parse_feature_area('sanitize', \%use_feature);
 
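Review bot: indentation in the added block is inconsistent: `# Enable address and undefined behavior sanitizers for the` is tab-indented while its continuation `# hardened ports` sits flush with the `if`, so the comment does not read as one unit; align it with the `$use_feature{address} = 1;` lines. `$abi =~ /^(?:gnuhardened1)$/` matches exactly one string, so `$abi eq 'gnuhardened1'` says the same thing more plainly unless further `gnuhardened*` ABIs are intended, in which case the comment should say so. Because these defaults are applied before `$self->_parse_feature_area('sanitize', \%use_feature)`, a package can still opt out with `DEB_BUILD_MAINT_OPTIONS=sanitize=-address`; given that the thread treats ASAN as ABI-affecting, that per-package escape hatch deserves a sentence in the commit message.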
@@ -251,6 +266,11 @@ sub _add_hardening_flags {
 	bindnow => 0,
 );
 
+if ($abi =~ /^(?:gnuhardened1)$/) {
+	# Enable bindnow on hardened ports
+	$use_feature{bindnow} = 1;
+}
+
 # Adjust features based on user or maintainer's desires.
 $self->_parse_feature_area('hardening', \%use_feature);
 
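Review bot: `$abi` is used here without being declared anywhere in this hunk, so the change only works because `_add_hardening_flags` already performs the triplet lookup that the first hunk copies into `_add_sanitize_flags`; share that code rather than keeping two copies. As in the sanitize hunk, `$abi eq 'gnuhardened1'` is clearer than the single-alternative regex, and the `# Enable bindnow on hardened ports` comment should mention that the maintainer override parsed just below (`_parse_feature_area('hardening', ...)`) can still switch bindnow back off for individual packages.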
-- 
2.1.4