Bug#653191: iceweasel: Please enable hardening options

Florent Daigniere nextgens at freenetproject.org
Wed Oct 9 09:30:07 UTC 2013


On Wed, 2013-10-09 at 10:54 +0200, intrigeri wrote:
> Summing up previous discussion so that we don't have to rehash it:
> 
>   * Mike Hommey wrote: "I'm really not a big fan of -Wl,-z,relro
>     and -Wl,-z,now. For instance, I'm not sure -z relro buys anything
>     worth, while it may have a significant startup performance impact
>     on big applications. (and if I'm not mistaken, -z relro actually
>     makes things not work with selinux, seeing how selinux already
>     breaks the mprotect that removes the write bit on code sections
>     after text relocations)."
> 
>   * Moritz replied that he had doubts about the relro part, and that
>     "Support for selinux in Debian is marginal at best, anyway".
> 

Am I reading correctly - there is no objection to enabling PIE (ASLR)
here?

Is it a done deal? :)

> Regarding relro and bindnow, could anyone with the relevant skills
> please sum up what kind of attacks this protects against, what are the
> limitations in terms of security, and what is the performance cost in
> the context of something like Iceweasel? Cc'ing Jake in case he feels
> like giving a hand :)
> 

About what it protects against:
https://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf section
"6.1.1 GOT Overwrite" sums it up nicely (the document is from 2001,
there's obviously prior art... but the technique hasn't changed)

About the performance cost:
Very likely to be irrelevant compared to enabling PIE. All the linker
hardening options will slow the program start-up down... whereas PIE
will slow runtime down.

About each individual option:
http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

-> The conclusion is that security-wise you want both. From the link
above:
"Interim conclusion: In case of a bss or data overflow bug partial and
full RELRO protect the ELF internal data sections from being overwritten
(as the ELF sections are reordered). Only full RELRO mitigates the well
known technique of modifying a GOT entry to get control over the program
execution flow"


Regards,
	Florent
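As an added example (not code from this bug report, from Debian, or from Iceweasel), the following checksec-style script reads the same ELF fields that `readelf -l` (the PT_GNU_RELRO program header) and `readelf -d` (DT_FLAGS / DT_FLAGS_1) report, and classifies a binary as none / partial / full RELRO and as PIE or not. All constants are the standard ELF values from <elf.h>; the `build_sample_elf` helper constructs minimal, non-runnable ELF images purely so the checker can be exercised offline, and `check_file` is how you would run it against a real binary.

```python
"""
Minimal ELF64 hardening checker for RELRO / BIND_NOW / PIE.

Added example, not code from the bug report or from Debian/Iceweasel.
It parses the ELF header, program headers and .dynamic directly, so it
needs no binutils; the sample images it checks are constructed below.
"""
import struct

# ELF constants from the ELF specification / glibc <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 0x3E
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # DT_FLAGS bit set by -Wl,-z,now
DF_1_NOW = 0x1             # DT_FLAGS_1 equivalent of -z now
DF_1_PIE = 0x08000000      # DT_FLAGS_1 bit newer ld sets on PIE executables

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Classify a little-endian ELF64 image the way checksec-style tools do."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]

    has_relro, flags, flags_1 = False, 0, 0
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk .dynamic until DT_NULL, collecting the two flag words.
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                d_tag, d_val = DYN.unpack_from(data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_FLAGS:
                    flags = d_val
                elif d_tag == DT_FLAGS_1:
                    flags_1 = d_val

    bind_now = bool(flags & DF_BIND_NOW or flags_1 & DF_1_NOW)
    if not has_relro:
        relro = "none"       # GOT stays writable for the whole run
    elif bind_now:
        relro = "full"       # GOT resolved at load time, then mapped read-only
    else:
        relro = "partial"    # .got.plt stays writable for lazy binding
    return {
        "relro": relro,
        "bind_now": bind_now,
        # ET_DYN is also true of shared libraries; DF_1_PIE disambiguates on
        # toolchains new enough to set it.
        "pie": e_type == ET_DYN,
        "pie_flag": bool(flags_1 & DF_1_PIE),
    }


def check_file(path: str) -> dict:
    """Run the check against a real binary on disk."""
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_sample_elf(relro: bool, bind_now: bool, pie: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the given link flags.

    Constructed test input only: an ELF header, a PT_DYNAMIC (plus optional
    PT_GNU_RELRO) program header and a three-entry .dynamic at offset 0x200.
    """
    dyn_off = 0x200
    dynamic = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dynamic += DYN.pack(DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0))
    dynamic += DYN.pack(DT_NULL, 0)

    phdrs = [PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                               len(dynamic), len(dynamic), 1))

    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, EM_X86_64, 1,
                     0, EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    image = bytearray(ehdr + b"".join(phdrs))
    image += b"\0" * (dyn_off - len(image))
    image += dynamic
    return bytes(image)


if __name__ == "__main__":
    # -z relro alone gives partial RELRO; adding -z now gives full RELRO.
    for relro, now, pie in [(False, False, False), (True, False, True), (True, True, True)]:
        print(f"relro={relro} now={now} pie={pie} ->", check_hardening(build_sample_elf(relro, now, pie)))
```

Point `check_file` at any ELF64 binary to see what its link flags actually produced; the "partial" result is the one to watch for, since it means the PT_GNU_RELRO segment exists but .got.plt is still writable and the GOT-overwrite technique referenced above remains available. Cross-check against `readelf -l` / `readelf -d` when in doubt.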



More information about the pkg-mozilla-maintainers mailing list