Re: SafeStack in base
Hi Conrad,

2016-07-28 2:02 GMT+02:00 Conrad Meyer:
> The problem appears to be an upstream limitation of
> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> files can be compiled with SafeStack as is. … Linking a DSO with
> SafeStack is not currently supported." [0]

I'm not sure, but I thought the reason for this is due to the fact that
SafeStack uses some kind of additional library to wrap around
pthread_create() to create threads that have SafeStack properly set up.

If we were to actually integrate this functionality into our C
runtime/pthread library to create threads with two stacks by default,
then I couldn't think of a reason why it shouldn't work with DSOs.
SafeStack merely depends on an additional TLS variable -- nothing else.

-- 
Ed Schouten
Nuxi, 's-Hertogenbosch, the Netherlands
KvK-nr.: 62051717
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
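Added example, not part of the thread and not code from the SafeStack runtime: a single-threaded C model of the mechanism described in the message above, with one TLS pointer to a second ("unsafe") stack that a thread-creation wrapper sets up and that an instrumented function adjusts in its prologue and epilogue. The function names and the two TLS variables are hypothetical; the real symbol is the `__safestack_unsafe_stack_ptr` from the linker error quoted in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define UNSAFE_STACK_SIZE (64 * 1024)

/* Hypothetical stand-ins for the runtime's per-thread state; the real TLS
 * symbol is the __safestack_unsafe_stack_ptr named in the linker error. */
static _Thread_local char *unsafe_stack_base; /* lowest address of the region */
static _Thread_local char *unsafe_stack_ptr;  /* current top, grows down */

/* What a pthread_create() wrapper, or the thread library itself, does for
 * each new thread: allocate the second stack, point the TLS variable at it. */
int unsafe_stack_setup(void) {
    unsafe_stack_base = malloc(UNSAFE_STACK_SIZE);
    if (unsafe_stack_base == NULL) return -1;
    unsafe_stack_ptr = unsafe_stack_base + UNSAFE_STACK_SIZE;
    return 0;
}

/* Hand-written equivalent of an instrumented function: the address-taken
 * buffer lives on the unsafe stack, while the return address and scalar
 * locals stay on the regular stack. */
size_t copy_name(const char *src, int *in_unsafe_region) {
    char *saved = unsafe_stack_ptr;   /* prologue: load the TLS variable */
    char *buf = saved - 64;           /* reserve a 64-byte frame */
    unsafe_stack_ptr = buf;           /* publish the new top for callees */
    size_t n = strlen(src);
    if (n > 63) n = 63;               /* bounded copy into the frame */
    memcpy(buf, src, n);
    buf[n] = '\0';
    *in_unsafe_region = buf >= unsafe_stack_base &&
                        buf + 64 <= unsafe_stack_base + UNSAFE_STACK_SIZE;
    unsafe_stack_ptr = saved;         /* epilogue: restore the TLS variable */
    return n;
}

/* 1 when every frame has been popped and the pointer is back at the top. */
int unsafe_stack_balanced(void) {
    return unsafe_stack_ptr == unsafe_stack_base + UNSAFE_STACK_SIZE;
}

int main(void) {
    int in_region = 0;
    if (unsafe_stack_setup() != 0) return 1;
    size_t n = copy_name("libcom_err", &in_region);
    printf("copied=%zu in_region=%d balanced=%d\n", n, in_region, unsafe_stack_balanced());
    free(unsafe_stack_base);
    return 0;
}
```

Code compiled with `-fsanitize=safe-stack` carries the same load and restore of the TLS variable, so a shared-library link with `-Wl,--no-undefined` fails as in the quoted build log when nothing in the link defines that symbol.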
Re: SafeStack in base
On 27 Jul 2016, at 23:55, Shawn Webb wrote:
>
> I'm interested in getting SafeStack working in FreeBSD base. Below is a
> link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> The patch applies against HardenedBSD's hardened/current/master branch.
> Given how simple the patch is, it'd be extremely easy to port over to
> FreeBSD (just line numbers would change).

We’ve worked with the authors of the SafeStack work. There are some
changes to libc and a few other support libraries needed for it to work,
which are in the GitHub repository. They’ve also done some work to
address issues of things like Firefox and v8 that need to be able to
walk the stack, allocate their own stacks for userspace threads, and so
on.

It was not enabled for FreeBSD 11 because SafeStack imposes a lot of
long-term ABI constraints that it’s not clear we want to support
indefinitely given the ‘Missing the point(er)’ Oakland paper last year.
It does increase the work factor for attackers, so has some security
benefit, but if bypassing it is something that’s going to be added to
exploit toolkits then it’s little practical benefit.

One middle-ground that we’ve considered is only supporting it for
statically linked binaries. This absolves us of the need to support the
ABI indefinitely, and still provides a lot of the benefit.

David
Re: SafeStack in base
On Wed, Jul 27, 2016 at 5:05 PM, Shawn Webb wrote:
> On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
>> The problem appears to be an upstream limitation of
>> -fsanitize=safe-stack: "Most programs, static libraries, or individual
>> files can be compiled with SafeStack as is. … Linking a DSO with
>> SafeStack is not currently supported." [0]
>>
>> That probably needs to be addressed upstream before it can be enabled
>> globally.
>
> Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
> bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?

That is my reading of the page. I'll admit my total experience with
-fsanitize=safe-stack is limited to glancing at the web page 5 minutes
ago, so don't consider my take authoritative.

Best,
Conrad
Re: SafeStack in base
On Wed, Jul 27, 2016 at 05:11:12PM -0700, Conrad Meyer wrote:
> On Wed, Jul 27, 2016 at 5:05 PM, Shawn Webb wrote:
> > On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
> >> The problem appears to be an upstream limitation of
> >> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> >> files can be compiled with SafeStack as is. … Linking a DSO with
> >> SafeStack is not currently supported." [0]
> >>
> >> That probably needs to be addressed upstream before it can be enabled
> >> globally.
> >
> > Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
> > bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?
>
> That is my reading of the page. I'll admit my total experience with
> -fsanitize=safe-stack is limited to glancing at the web page 5 minutes
> ago, so don't consider my take authoritative.

Doing a test build right now with SafeStack enabled only in bsd.prog.mk.
I'll report back with results tonight or tomorrow.

Thanks again,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
Re: SafeStack in base
On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
> On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb wrote:
> > Hey All,
> >
> > I'm interested in getting SafeStack working in FreeBSD base. Below is a
> > link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> > The patch applies against HardenedBSD's hardened/current/master branch.
> > Given how simple the patch is, it'd be extremely easy to port over to
> > FreeBSD (just line numbers would change).
> >
> > I am running into a bit of a problem, though. When linking
> > lib/libcom_err, I get the following error:
> >
> > com_err.So: In function `com_err':
> > /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined
> > reference to `__safestack_unsafe_stack_ptr'
> > cc: error: linker command failed with exit code 1 (use -v to see invocation)
> > *** [libcom_err.so.5.full] Error code 1
> >
> > llvm's documentation says that SafeStack has been tested on FreeBSD.
> > When and how was it tested? Apparently someone has done some work to
> > enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> > documentation.
> >
> > If someone could point me in the right direction, I'd love to help get
> > SafeStack working (and committed?) in FreeBSD.
> >
> > Link to simplistic patch: http://ix.io/186A
> > Link to build log:
> > https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169
>
> Hey Shawn,
>
> The relevant link line is:
>
> > -- libcom_err.so.5.full ---
> > building shared library libcom_err.so.5
> > cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp
> > -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now
> > -fsanitize=safe-stack
> > -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map
> > -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings
> > -Wl,--warn-shared-textrel -o libcom_err.so.5.full
> > -Wl,-soname,libcom_err.so.5 `NM='nm' NMFLAGS='' lorder com_err.So error.So
> > | tsort -q`
>
> The problem appears to be an upstream limitation of
> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> files can be compiled with SafeStack as is. … Linking a DSO with
> SafeStack is not currently supported." [0]
>
> That probably needs to be addressed upstream before it can be enabled
> globally.

Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
Re: SafeStack in base
On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb wrote:
> Hey All,
>
> I'm interested in getting SafeStack working in FreeBSD base. Below is a
> link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> The patch applies against HardenedBSD's hardened/current/master branch.
> Given how simple the patch is, it'd be extremely easy to port over to
> FreeBSD (just line numbers would change).
>
> I am running into a bit of a problem, though. When linking
> lib/libcom_err, I get the following error:
>
> com_err.So: In function `com_err':
> /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined
> reference to `__safestack_unsafe_stack_ptr'
> cc: error: linker command failed with exit code 1 (use -v to see invocation)
> *** [libcom_err.so.5.full] Error code 1
>
> llvm's documentation says that SafeStack has been tested on FreeBSD.
> When and how was it tested? Apparently someone has done some work to
> enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> documentation.
>
> If someone could point me in the right direction, I'd love to help get
> SafeStack working (and committed?) in FreeBSD.
>
> Link to simplistic patch: http://ix.io/186A
> Link to build log:
> https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169

Hey Shawn,

The relevant link line is:

> -- libcom_err.so.5.full ---
> building shared library libcom_err.so.5
> cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp
> -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now
> -fsanitize=safe-stack
> -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map
> -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings
> -Wl,--warn-shared-textrel -o libcom_err.so.5.full
> -Wl,-soname,libcom_err.so.5 `NM='nm' NMFLAGS='' lorder com_err.So error.So |
> tsort -q`

The problem appears to be an upstream limitation of
-fsanitize=safe-stack: "Most programs, static libraries, or individual
files can be compiled with SafeStack as is. … Linking a DSO with
SafeStack is not currently supported." [0]

That probably needs to be addressed upstream before it can be enabled
globally.

Best,
Conrad

[0]: http://clang.llvm.org/docs/SafeStack.html