Главная Обзор Помощь
Регистрация Вход
OpenWrt
/
openwrt
зеркало из https://github.com/openwrt/openwrt.git
2
0
Ответвить 0
Файлы Задачи 0 Вики
Просмотр исходного кода

build: add hardened builds with PIE (ASLR) support

Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.

Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.

Busybox need a special care, link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.

If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.

Original Work by: Yongkui Han <[email protected]>
Signed-off-by: Julien Dusser <[email protected]>
Julien Dusser 8 лет назад
Родитель
ca7e8627db
Сommit
df0bd42fde
4 измененных файлов с 28 добавлено и 0 удалено
Разделённый вид Показать статистику Diff
  1. 16 0
      config/Config-build.in
  2. 2 0
      include/hardened-ld-pie.specs
  3. 7 0
      include/hardening.mk
  4. 3 0
      package/utils/busybox/Makefile

+ 16 - 0
config/Config-build.in
Просмотреть файл 

@@ -184,6 +184,22 @@ menu "Global build settings"
 
 		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
 
 		  Makefile.
 
 
+	config PKG_ASLR_PIE
 
+		bool
 
+		prompt "User space ASLR PIE compilation"
 
+		select BUSYBOX_DEFAULT_PIE
 
+		default n
 
+		help
 
+		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
 
+		  This enables package build as Position Independent Executables (PIE)
 
+		  to protect against "return-to-text" attacks. This belongs to the
 
+		  feature of Address Space Layout Randomisation (ASLR), which is
 
+		  implemented by the kernel and the ELF loader by randomising the
 
+		  location of memory allocations. This makes memory addresses harder
 
+		  to predict when an attacker is attempting a memory-corruption exploit.
 
+		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
 
+		  Makefile.
 
+
 
 	choice
 
 		prompt "User space Stack-Smashing Protection"
 
 		depends on USE_MUSL

+ 2 - 0
include/hardened-ld-pie.specs
Просмотреть файл 

@@ -0,0 +1,2 @@
 
+*self_spec:
 
++ %{no-pie|static|r|shared:;:-pie}

+ 7 - 0
include/hardening.mk
Просмотреть файл 

@@ -6,6 +6,7 @@
 
 #
 
 
 PKG_CHECK_FORMAT_SECURITY ?= 1
 
+PKG_ASLR_PIE ?= 1
 
 PKG_SSP ?= 1
 
 PKG_FORTIFY_SOURCE ?= 1
 
 PKG_RELRO ?= 1
 
@@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
 
     TARGET_CFLAGS += -Wformat -Werror=format-security
 
   endif
 
 endif
 
+ifdef CONFIG_PKG_ASLR_PIE
 
+  ifeq ($(strip $(PKG_ASLR_PIE)),1)
 
+    TARGET_CFLAGS += -fPIC
 
+    TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
 
+  endif
 
+endif
 
 ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
 
   ifeq ($(strip $(PKG_SSP)),1)
 
     TARGET_CFLAGS += -fstack-protector

+ 3 - 0
package/utils/busybox/Makefile
Просмотреть файл 

@@ -22,6 +22,9 @@ PKG_BUILD_PARALLEL:=1
 
 PKG_CHECK_FORMAT_SECURITY:=0
 
 PKG_INSTALL:=1
 
 
+#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
 
+PKG_ASLR_PIE:=0
 
+
 
 PKG_LICENSE:=GPL-2.0
 
 PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE
 
 PKG_CPE_ID:=cpe:/a:busybox:busybox