Re: SafeStack in base

2016-07-28 Thread Ed Schouten
Hi Conrad,

2016-07-28 2:02 GMT+02:00 Conrad Meyer:
> The problem appears to be an upstream limitation of
> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> files can be compiled with SafeStack as is. … Linking a DSO with
> SafeStack is not currently supported." [0]

I'm not sure, but I thought the reason for this is due to the fact
that SafeStack uses some kind of additional library to wrap around
pthread_create() to create threads that have SafeStack properly set
up.

If we were to actually integrate this functionality into our C
runtime/pthread library to create threads with two stacks by default,
then I couldn't think of a reason why it shouldn't work with DSOs.
SafeStack merely depends on an additional TLS variable -- nothing
else.

-- 
Ed Schouten 
Nuxi, 's-Hertogenbosch, the Netherlands
KvK-nr.: 62051717
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
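
Added illustration, not code from this thread or from LLVM: a hand-written C model of the mechanism Ed describes above, in which a thread-creation wrapper gives every thread a second stack that is tracked through one thread-local pointer. All identifiers (`two_stack_create`, `unsafe_ptr`, `run_worker`, ...) are hypothetical, and `malloc` stands in for whatever allocator a real runtime would use.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define UNSAFE_SIZE (64u * 1024u)      /* constructed size for the demo */
/* The extra per-thread state (hypothetical names, not the runtime's symbols). */
static __thread char *unsafe_base, *unsafe_ptr;
struct start { void *(*fn)(void *); void *arg; };
static int in_unsafe(const void *p) {  /* unsigned wrap makes this a range check */
    return (uintptr_t)p - (uintptr_t)unsafe_base < UNSAFE_SIZE;
}
/* Runs first on the new thread: allocate the second stack, publish it in TLS. */
static void *trampoline(void *p) {
    struct start s = *(struct start *)p;
    free(p);
    if (!(unsafe_base = malloc(UNSAFE_SIZE))) return (void *)(intptr_t)-2;
    unsafe_ptr = unsafe_base + UNSAFE_SIZE;        /* stack grows downwards */
    void *ret = s.fn(s.arg);
    free(unsafe_base);
    return ret;
}
/* Stand-in for a pthread_create() wrapper that sets up both stacks. */
int two_stack_create(pthread_t *t, void *(*fn)(void *), void *arg) {
    struct start *s = malloc(sizeof *s);
    if (!s) return -1;
    s->fn = fn; s->arg = arg;
    int rc = pthread_create(t, NULL, trampoline, s);
    if (rc) free(s);
    return rc;
}
/* Hand-written form of an instrumented function: the address-taken buffer is
   carved from the unsafe stack and the pointer is restored on return. */
static void *worker(void *arg) {
    if (!unsafe_ptr) return (void *)(intptr_t)-1;  /* thread was never set up */
    char local = 0;                                /* stays on the regular stack */
    char *buf = (unsafe_ptr -= 64);
    memset(buf, arg ? 'B' : 'A', 64);
    int ok = in_unsafe(buf) && !in_unsafe(&local);
    unsafe_ptr += 64;                              /* pop on return */
    return (void *)(intptr_t)ok;
}
/* wrapped=1: thread made by the wrapper; wrapped=0: bare pthread_create(). */
long run_worker(int wrapped) {
    pthread_t t; void *ret = NULL;
    int rc = wrapped ? two_stack_create(&t, worker, NULL)
                     : pthread_create(&t, NULL, worker, NULL);
    if (rc || pthread_join(t, &ret)) return -3;
    return (long)(intptr_t)ret;
}
int main(void) { return !(run_worker(1) == 1 && run_worker(0) == -1); }
```

In this model a thread started through bare `pthread_create()` reports -1 because its thread-local pointer was never initialised; only threads that pass through the wrapper have a second stack to allocate from.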

Re: SafeStack in base

2016-07-28 Thread David Chisnall
On 27 Jul 2016, at 23:55, Shawn Webb  wrote:
> 
> I'm interested in getting SafeStack working in FreeBSD base. Below is a
> link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> The patch applies against HardenedBSD's hardened/current/master branch.
> Given how simple the patch is, it'd be extremely easy to port over to
> FreeBSD (just line numbers would change).

We’ve worked with the authors of the SafeStack work.  There are some changes to 
libc and a few other support libraries needed for it to work, which are in the 
GitHub repository.  They’ve also done some work to address issues of things 
like Firefox and v8 that need to be able to walk the stack, allocate their own 
stacks for userspace threads, and so on.

It was not enabled for FreeBSD 11 because SafeStack imposes a lot of long-term 
ABI constraints that it’s not clear we want to support indefinitely given the 
‘Missing the point(er)’ Oakland paper last year.  It does increase the work 
factor for attackers, so has some security benefit, but if bypassing it is 
something that’s going to be added to exploit toolkits then it’s little 
practical benefit.

One middle-ground that we’ve considered is only supporting it for statically 
linked binaries.  This absolves us of the need to support the ABI indefinitely, 
and still provides a lot of the benefit.

David





Re: SafeStack in base

2016-07-27 Thread Conrad Meyer
On Wed, Jul 27, 2016 at 5:05 PM, Shawn Webb  wrote:
> On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
>> The problem appears to be an upstream limitation of
>> -fsanitize=safe-stack: "Most programs, static libraries, or individual
>> files can be compiled with SafeStack as is. … Linking a DSO with
>> SafeStack is not currently supported." [0]
>>
>> That probably needs to be addressed upstream before it can be enabled 
>> globally.
>
> Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
> bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?

That is my reading of the page.  I'll admit my total experience with
-fsanitize=safe-stack is limited to glancing at the web page 5 minutes
ago, so don't consider my take authoritative.

Best,
Conrad


Re: SafeStack in base

2016-07-27 Thread Shawn Webb
On Wed, Jul 27, 2016 at 05:11:12PM -0700, Conrad Meyer wrote:
> On Wed, Jul 27, 2016 at 5:05 PM, Shawn Webb  
> wrote:
> > On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
> >> The problem appears to be an upstream limitation of
> >> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> >> files can be compiled with SafeStack as is. … Linking a DSO with
> >> SafeStack is not currently supported." [0]
> >>
> >> That probably needs to be addressed upstream before it can be enabled 
> >> globally.
> >
> > Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
> > bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?
> 
> That is my reading of the page.  I'll admit my total experience with
> -fsanitize=safe-stack is limited to glancing at the web page 5 minutes
> ago, so don't consider my take authoritative.

Doing a test build right now with SafeStack enabled only in bsd.prog.mk.
I'll report back with results tonight or tomorrow.

Thanks again,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE




Re: SafeStack in base

2016-07-27 Thread Shawn Webb
On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
> On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb  
> wrote:
> > Hey All,
> >
> > I'm interested in getting SafeStack working in FreeBSD base. Below is a
> > link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> > The patch applies against HardenedBSD's hardened/current/master branch.
> > Given how simple the patch is, it'd be extremely easy to port over to
> > FreeBSD (just line numbers would change).
> >
> > I am running into a bit of a problem, though. When linking
> > lib/libcom_err, I get the following error:
> >
> > com_err.So: In function `com_err':
> > /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined 
> > reference to `__safestack_unsafe_stack_ptr'
> > cc: error: linker command failed with exit code 1 (use -v to see invocation)
> > *** [libcom_err.so.5.full] Error code 1
> >
> > llvm's documentation says that SafeStack has been tested on FreeBSD.
> > When and how was it tested? Apparently someone has done some work to
> > enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> > documentation.
> >
> > If someone could point me in the right direction, I'd love to help get
> > SafeStack working (and committed?) in FreeBSD.
> >
> > Link to simplistic patch: http://ix.io/186A
> > Link to build log: 
> > https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169
> 
> Hey Shawn,
> 
> The relevant link line is:
> 
> > -- libcom_err.so.5.full ---
> > building shared library libcom_err.so.5
> > cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp 
> > -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now 
> > -fsanitize=safe-stack 
> > -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map
> >  -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings 
> > -Wl,--warn-shared-textrel  -o libcom_err.so.5.full 
> > -Wl,-soname,libcom_err.so.5  `NM='nm' NMFLAGS='' lorder com_err.So error.So 
> > | tsort -q`
> 
> The problem appears to be an upstream limitation of
> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> files can be compiled with SafeStack as is. … Linking a DSO with
> SafeStack is not currently supported." [0]
> 
> That probably needs to be addressed upstream before it can be enabled 
> globally.

Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE




Re: SafeStack in base

2016-07-27 Thread Conrad Meyer
On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb  wrote:
> Hey All,
>
> I'm interested in getting SafeStack working in FreeBSD base. Below is a
> link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> The patch applies against HardenedBSD's hardened/current/master branch.
> Given how simple the patch is, it'd be extremely easy to port over to
> FreeBSD (just line numbers would change).
>
> I am running into a bit of a problem, though. When linking
> lib/libcom_err, I get the following error:
>
> com_err.So: In function `com_err':
> /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined 
> reference to `__safestack_unsafe_stack_ptr'
> cc: error: linker command failed with exit code 1 (use -v to see invocation)
> *** [libcom_err.so.5.full] Error code 1
>
> llvm's documentation says that SafeStack has been tested on FreeBSD.
> When and how was it tested? Apparently someone has done some work to
> enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> documentation.
>
> If someone could point me in the right direction, I'd love to help get
> SafeStack working (and committed?) in FreeBSD.
>
> Link to simplistic patch: http://ix.io/186A
> Link to build log: 
> https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169

Hey Shawn,

The relevant link line is:

> -- libcom_err.so.5.full ---
> building shared library libcom_err.so.5
> cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp 
> -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now 
> -fsanitize=safe-stack 
> -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map
>  -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings 
> -Wl,--warn-shared-textrel  -o libcom_err.so.5.full 
> -Wl,-soname,libcom_err.so.5  `NM='nm' NMFLAGS='' lorder com_err.So error.So | 
> tsort -q`

The problem appears to be an upstream limitation of
-fsanitize=safe-stack: "Most programs, static libraries, or individual
files can be compiled with SafeStack as is. … Linking a DSO with
SafeStack is not currently supported." [0]

That probably needs to be addressed upstream before it can be enabled globally.

Best,
Conrad

[0]: http://clang.llvm.org/docs/SafeStack.html