build: add hardened builds with PIE (ASLR) support
authorJulien Dusser <julien.dusser@free.fr>
Mon, 8 Jan 2018 22:47:06 +0000 (23:47 +0100)
committerHauke Mehrtens <hauke@hauke-m.de>
Sat, 27 Jan 2018 15:46:45 +0000 (16:46 +0100)
Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.

Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.

Busybox need a special care, link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.

If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.

Original Work by: Yongkui Han <yonhan@cisco.com>
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
config/Config-build.in
include/hardened-ld-pie.specs [new file with mode: 0644]
include/hardening.mk
package/utils/busybox/Makefile

index 7ec7653..660da1c 100644 (file)
@@ -184,6 +184,22 @@ menu "Global build settings"
                  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
                  Makefile.
 
+       config PKG_ASLR_PIE
+               bool
+               prompt "User space ASLR PIE compilation"
+               select BUSYBOX_DEFAULT_PIE
+               default n
+               help
+                 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+                 This enables package build as Position Independent Executables (PIE)
+                 to protect against "return-to-text" attacks. This belongs to the
+                 feature of Address Space Layout Randomisation (ASLR), which is
+                 implemented by the kernel and the ELF loader by randomising the
+                 location of memory allocations. This makes memory addresses harder
+                 to predict when an attacker is attempting a memory-corruption exploit.
+                 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+                 Makefile.
+
        choice
                prompt "User space Stack-Smashing Protection"
                depends on USE_MUSL
diff --git a/include/hardened-ld-pie.specs b/include/hardened-ld-pie.specs
new file mode 100644 (file)
index 0000000..7317b19
--- /dev/null
@@ -0,0 +1,2 @@
+*self_spec:
++ %{no-pie|static|r|shared:;:-pie}
index c277081..06a6178 100644 (file)
@@ -6,6 +6,7 @@
 #
 
 PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_ASLR_PIE ?= 1
 PKG_SSP ?= 1
 PKG_FORTIFY_SOURCE ?= 1
 PKG_RELRO ?= 1
@@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
     TARGET_CFLAGS += -Wformat -Werror=format-security
   endif
 endif
+ifdef CONFIG_PKG_ASLR_PIE
+  ifeq ($(strip $(PKG_ASLR_PIE)),1)
+    TARGET_CFLAGS += -fPIC
+    TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
+  endif
+endif
 ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
   ifeq ($(strip $(PKG_SSP)),1)
     TARGET_CFLAGS += -fstack-protector
index 8866756..4f85cc9 100644 (file)
@@ -22,6 +22,9 @@ PKG_BUILD_PARALLEL:=1
 PKG_CHECK_FORMAT_SECURITY:=0
 PKG_INSTALL:=1
 
+#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
+PKG_ASLR_PIE:=0
+
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE
 PKG_CPE_ID:=cpe:/a:busybox:busybox