Re: [gentoo-dev] Hardening a default profile
On Sat, 17 Jun 2017 14:43:24 +0300 Andrew Savchenko wrote:
> On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > > there should be a way of turning these off systematically. the
> > > advantage of the current hardened gcc specs is that one can switch
> > > between them using gcc-config. if these are forced on for the
> > > default profile then there will be no easy way to systematically
> > > turn them off.
> >
> > No - there won't be an easy way for systematically turning off
> > SSP and PIE in 17.0 profiles [1,2].
> >
> > The hardened toolchain with its different gcc profiles came from a
> > time where SSP and PIE were relatively new security features and a
> > certain amount of fine-grained control was needed. Further, at that
> > time we were talking about external patches against gcc. Nowadays
> > everything is upstreamed and (almost) no patches to gcc for
> > hardened profiles are applied any more.
> >
> > Given the fact that all major linux distributions are following the
> > path of improved default hardening features (see for example [1])
> > and that we have been using ssp/pie in hardened profiles for years
> > now the purpose of fine-grained control over ssp/pie is also highly
> > questionable.
> >
> > The consensus at the moment is that PIE and SSP (as well as stricter
> > linker flags) will soon be standard (or, actually *are* already
> > standard) compilation options. A per-package override (if
> > absolutely needed) is fine - and, in fact, already in place
> > everywhere where needed.
>
> Gentoo is all about choice, remember? :)
>
> It is really good to have them by default, it is bad to force them
> on everyone. Security is not always of paramount importance
> compared to other factors, sometimes performance matters more,
> e.g. in isolated and restricted non-public HPC environment.
>
> PIE, SSP may lead up to 8% of performance loss[1]. The
> stack-protector (especially stack-protector-all or -strong) may
> cause even more damage. For compute nodes this may be equivalent to
> millions USD loss (depends on the system scale of course).

This can probably be fixed by a gcc-config target disabling those, as it
used to be the case on hardened.
Re: [gentoo-dev] Hardening a default profile
On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > there should be a way of turning these off systematically. the
> > advantage of the current hardened gcc specs is that one can switch
> > between them using gcc-config. if these are forced on for the default
> > profile then there will be no easy way to systematically turn them off.
>
> No - there won't be an easy way for systematically turning off
> SSP and PIE in 17.0 profiles [1,2].
>
> The hardened toolchain with its different gcc profiles came from a time
> where SSP and PIE were relatively new security features and a certain
> amount of fine-grained control was needed. Further, at that time we were
> talking about external patches against gcc. Nowadays everything is
> upstreamed and (almost) no patches to gcc for hardened profiles are
> applied any more.
>
> Given the fact that all major linux distributions are following the path
> of improved default hardening features (see for example [1]) and that we
> have been using ssp/pie in hardened profiles for years now the purpose
> of fine-grained control over ssp/pie is also highly questionable.
>
> The consensus at the moment is that PIE and SSP (as well as stricter
> linker flags) will soon be standard (or, actually *are* already
> standard) compilation options. A per-package override (if absolutely
> needed) is fine - and, in fact, already in place everywhere where
> needed.

Gentoo is all about choice, remember? :)

It is really good to have them by default, it is bad to force them on
everyone. Security is not always of paramount importance compared to
other factors, sometimes performance matters more, e.g. in isolated and
restricted non-public HPC environment.

PIE, SSP may lead up to 8% of performance loss[1]. The stack-protector
(especially stack-protector-all or -strong) may cause even more damage.
For compute nodes this may be equivalent to millions USD loss (depends on
the system scale of course).

[1] https://bugs.archlinux.org/task/18864

Best regards,
Andrew Savchenko
Re: [gentoo-dev] Hardening a default profile
> there should be a way of turning these off systematically. the
> advantage of the current hardened gcc specs is that one can switch
> between them using gcc-config. if these are forced on for the default
> profile then there will be no easy way to systematically turn them off.

No - there won't be an easy way for systematically turning off SSP and
PIE in 17.0 profiles [1,2].

The hardened toolchain with its different gcc profiles came from a time
where SSP and PIE were relatively new security features and a certain
amount of fine-grained control was needed. Further, at that time we were
talking about external patches against gcc. Nowadays everything is
upstreamed and (almost) no patches to gcc for hardened profiles are
applied any more.

Given the fact that all major linux distributions are following the path
of improved default hardening features (see for example [1]) and that we
have been using ssp/pie in hardened profiles for years now the purpose of
fine-grained control over ssp/pie is also highly questionable.

The consensus at the moment is that PIE and SSP (as well as stricter
linker flags) will soon be standard (or, actually *are* already standard)
compilation options. A per-package override (if absolutely needed) is
fine - and, in fact, already in place everywhere where needed.

Thus, we should go with the time and simply force these well tested
hardening features on platforms that support it.

Best,
Matthias

[1] for amd64/x86 and well supported profiles
[2] there is always the possibility to override forced use flags

[1] https://wiki.debian.org/Hardening/PIEByDefaultTransition
Re: [gentoo-dev] Hardening a default profile
On 6/15/17 11:20 AM, Matthias Maier wrote:
> Hi Michael,
>
> On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman wrote:
>
>> So I was just wondering if ~arch is ready for more secure defaults on
>> the 17.0 profiles in the linker flags. There are several
>> distributions which ship RELRO by default and I am not aware of any
>> performance issues regarding this.
>
> We (i.e. toolchain) are in the process of enabling quite a number of
> security hardening features on default profiles. In particular
>
> - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles

there should be a way of turning these off systematically. the advantage
of the current hardened gcc specs is that one can switch between them
using gcc-config. if these are forced on for the default profile then
there will be no easy way to systematically turn them off.

for those who don't use hardened, gcc-config -l on hardened profile gives:

 [1] x86_64-pc-linux-gnu-5.4.0 *
 [2] x86_64-pc-linux-gnu-5.4.0-hardenednopie
 [3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp
 [4] x86_64-pc-linux-gnu-5.4.0-hardenednossp
 [5] x86_64-pc-linux-gnu-5.4.0-vanilla

while on the default profiles it gives:

 [1] x86_64-pc-linux-gnu-5.4.0 *

[5] on the hardened profile is equivalent to [1] on the vanilla.

maybe we should consider merging the hardened and default profiles?

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
Re: [gentoo-dev] Hardening a default profile
Hi Michael,

On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman wrote:

> So I was just wondering if ~arch is ready for more secure defaults on
> the 17.0 profiles in the linker flags. There are several
> distributions which ship RELRO by default and I am not aware of any
> performance issues regarding this.

We (i.e. toolchain) are in the process of enabling quite a number of
security hardening features on default profiles. In particular

 - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles
 - enable additional hardening features for glibc-2.25 and newer (will
   be merged soon).

But, yes. Updated linker flags are a very good point. I have put updated
linker flags on the toolchain meeting agenda for next week.

The hardened profiles (even used without a hardened kernel) will serve
an important difference in the future. While we try to enable as many
security features on default profiles as possible, we have to compromise
between security features and not introducing regressions. The hardened
profiles will thus have more aggressive security features enabled for
the foreseeable future (at the cost of more potential breakage).

Best,
Matthias
Re: [gentoo-dev] Hardening a default profile
Hi Michael

On 11.06.2017 at 23:39, Michael Brinkman wrote:
> Hello, so I've been running Gentoo Hardened for a few years on my
> laptop, my desktop, and a server made from an older desktop.
>
> Because of Grsecurity closing access to its source to non-subscribers,
> I decided that I would just try to stick with Gentoo-sources and
> harden the default profile and follow the KSSP guidelines to get as
> close as possible without losing the testing kernel. Because of this,
> I no longer used the PaX features and decided to switch to the default
> profile and enabling my own flags.

The security people probably have more insight, but I personally run by
default the hardened profile, also in combination with gentoo-sources if
there were too many compatibility issues with the software I had to run
on that specific machine.

So, from my point of view there is no reason to switch to the default
profile just because the grsec-kernel-patchset isn't open source anymore.

Best regards,
Tiziano
[gentoo-dev] Hardening a default profile
Hello, so I've been running Gentoo Hardened for a few years on my
laptop, my desktop, and a server made from an older desktop.

Because of Grsecurity closing access to its source to non-subscribers,
I decided that I would just try to stick with Gentoo-sources and harden
the default profile and follow the KSSP guidelines to get as close as
possible without losing the testing kernel. Because of this, I no longer
used the PaX features and decided to switch to the default profile and
enabling my own flags.

I enabled pie, ssp, and appended my CFLAGS with -fstack-protector-all
and LDFLAGS with full RELRO support (and --sort-common). I saw that GCC
still uses the FORTIFY patch so I didn't need to add that.

So far I've had absolutely no issues with this setup but I was trying to
see if there's anything else I could do to bridge it closer to where it
was and noticed that there are several warnings against this as it could
break packages (including glibc). I've had no breakages myself that are
visible at least and no build failures.

So I was just wondering if ~arch is ready for more secure defaults on
the 17.0 profiles in the linker flags. There are several distributions
which ship RELRO by default and I am not aware of any performance issues
regarding this. At least to me it shouldn't be warned against unless
there are lots of build failures these days.

Of course though, I'm not a dev and would like to see your perspective
on this.

Thank you,
Michael Brinkman
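The flags discussed in this thread (PIE, SSP, full RELRO, FORTIFY) only help if they actually reach the binaries on disk, and a profile or gcc-config change is easy to get wrong. Below is an added example, not part of the thread and not a Gentoo tool, that derives a checksec-style report from `readelf -W -h -l -d -s` output: ET_DYN type for PIE, a GNU_RELRO segment plus BIND_NOW for full RELRO, the GNU_STACK flags for a non-executable stack, the `__stack_chk_fail` import for the stack protector, and `__*_chk` imports for FORTIFY_SOURCE. The two readelf listings embedded in the block are constructed sample text (one hardened build, one built with the hardening disabled), not output captured from any real package; `report_for_file()` runs the real readelf from binutils when it is installed.

```python
"""Report which hardening features an ELF binary carries, from readelf output.

Added example (not from the gentoo-dev thread). The readelf listings below
are constructed samples; run report_for_file() on a real binary instead.
"""
import re
import shutil
import subprocess

# Constructed sample: a binary built with -fPIE -pie -fstack-protector-strong
# -D_FORTIFY_SOURCE=2 -Wl,-z,relro,-z,now (only the relevant lines kept).
SAMPLE_HARDENED = """\
ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000618 0x0000000000000618  R      0x1000
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10
  GNU_RELRO      0x0000000000002de8 0x0000000000003de8 0x0000000000003de8
                 0x0000000000000218 0x0000000000000218  R      0x1
Dynamic section at offset 0x2df8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table '.dynsym' contains 8 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)
"""

# Constructed sample: the same program built with -no-pie -fno-stack-protector
# and default linker flags (no RELRO, no BIND_NOW, no fortified calls).
SAMPLE_PLAIN = """\
ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
                 0x0000000000000618 0x0000000000000618  R      0x1000
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10
Dynamic section at offset 0x2df8 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
Symbol table '.dynsym' contains 6 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
"""


def _segment_flags(line):
    """Return the R/W/E flag token from the second line of a program header entry."""
    for tok in line.split():
        if re.fullmatch(r"[RWE]{1,3}", tok):
            return tok
    return ""


def hardening_report(readelf_text):
    """Derive a checksec-style dict from `readelf -W -h -l -d -s` output."""
    # A PIE executable is ET_DYN; shared libraries are ET_DYN too, so this
    # assumes the input is an executable, not a .so.
    pie = re.search(r"^\s*Type:\s+DYN\b", readelf_text, re.M) is not None
    relro = re.search(r"^\s*GNU_RELRO\b", readelf_text, re.M) is not None
    # Full RELRO additionally needs BIND_NOW (DT_BIND_NOW or DF_1_NOW).
    bind_now = re.search(r"\(BIND_NOW\)|\(FLAGS(?:_1)?\)[^\n]*\bNOW\b",
                         readelf_text) is not None
    # Without a GNU_STACK header the kernel falls back to an executable stack,
    # so "no header" counts as no NX just like an explicit E flag.
    stack = re.search(r"^\s*GNU_STACK[^\n]*\n([^\n]*)", readelf_text, re.M)
    nx = stack is not None and "E" not in _segment_flags(stack.group(1))
    # The canary import only proves that at least one function got a canary;
    # a tiny binary with no protectable frames may legitimately lack it.
    canary = "__stack_chk_fail" in readelf_text
    fortify = re.search(r"\b__(?!stack_chk)\w+_chk\b", readelf_text) is not None
    return {
        "pie": pie,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "nx": nx,
        "stack_protector": canary,
        "fortify": fortify,
    }


def shortfalls(report):
    """List the hardening features missing from a report, in a fixed order."""
    out = []
    if not report["pie"]:
        out.append("not PIE")
    if report["relro"] != "full":
        out.append("RELRO is %s, want full (-Wl,-z,relro,-z,now)" % report["relro"])
    if not report["nx"]:
        out.append("executable stack")
    if not report["stack_protector"]:
        out.append("no stack protector canary")
    if not report["fortify"]:
        out.append("no FORTIFY_SOURCE checked calls")
    return out


def report_for_file(path):
    """Run the real readelf (binutils) on a binary and report on it."""
    if shutil.which("readelf") is None:
        raise RuntimeError("readelf not found; install binutils")
    out = subprocess.run(["readelf", "-W", "-h", "-l", "-d", "-s", path],
                         capture_output=True, text=True, check=True).stdout
    return hardening_report(out)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        rep = report_for_file(path)
        print(path, rep, shortfalls(rep) or "all checked hardening present")
```

Run it as `python3 elf_hardening_check.py /usr/bin/some-binary` (the file name is an assumption) after a rebuild to see whether a new profile or a gcc-config switch changed what the toolchain emits; a "partial" RELRO result with the rest present usually means `-z now` was dropped from LDFLAGS.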