[OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default

Dave Taht dave at taht.net
Sat Feb 23 10:36:29 EST 2019


Hauke Mehrtens <hauke at hauke-m.de> writes:

> On 2/13/19 11:51 PM, Felix Fietkau wrote:
>> On 2019-02-13 23:15, Hauke Mehrtens wrote:
>>> This will build all executables as Position Independent Executables (PIE)
>>> by default. PIE executables can make full use of Address Space Layout
>>> Randomization (ASLR) because all sections can be placed at random
>>> offsets of the executed program. This makes it harder to exploit bugs
>>> in our binaries.
>>>
>>> This will increase the size of executables; libraries are already built
>>> position independent and their size will not change.
>>>
>>> This increases the size of the resulting images by about 3% on MIPS BE.
>>> I tested this with the default configuration for the lantiq xrx200
>>> target.
>>>
>>> The size of the initramfs binaries increased by 2.88%:
>>> Without PIE:
>>> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>> With PIE:
>>> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>>
>>> With PIE activated the executables are getting bigger, here are some
>>> examples from the lantiq mips_24kc target:
>>>
>>> Without PIE:
>>> 112.309 /bin/opkg
>>> 299.061 /bin/busybox
>>> 456.549 /usr/sbin/wpad
>>>
>>> With PIE:
>>> 142.496 /bin/opkg       (26.87% increase)
>>> 388.404 /bin/busybox    (29.87% increase)
>>> 580.128 /usr/sbin/wpad  (27.06% increase)
>>>
>>> With PIE activated the sections of the binaries are loaded to
>>> different offsets for each program instance like shown here:
>>>
>>> root at OpenWrt:/# cat /proc/self/maps
>>> 555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
>>> 55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
>>> 55632000-55633000 rwxp 0005e000 00:02 1030       /bin/busybox
>>> 55633000-55634000 rwxp 00000000 00:00 0
>>> 77ee2000-77f04000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>>> 77f04000-77f05000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>>> 77f05000-77f06000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>>> 77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
>>> 77fa9000-77fab000 rwxp 00093000 00:02 329        /lib/libc.so
>>> 77fab000-77fad000 rwxp 00000000 00:00 0
>>> 7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]
>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>> 7ff0a000-7ff0b000 r--p 00000000 00:00 0          [vvar]
>>> 7ff0b000-7ff0c000 r-xp 00000000 00:00 0          [vdso]
>>> root at OpenWrt:/# cat /proc/self/maps
>>> 5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
>>> 5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
>>> 5568b000-5568c000 rwxp 0005e000 00:02 1030       /bin/busybox
>>> 5568c000-5568d000 rwxp 00000000 00:00 0
>>> 77e8e000-77eb0000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>>> 77eb0000-77eb1000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>>> 77eb1000-77eb2000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>>> 77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
>>> 77f55000-77f57000 rwxp 00093000 00:02 329        /lib/libc.so
>>> 77f57000-77f59000 rwxp 00000000 00:00 0
>>> 7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]
>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>> 7ff60000-7ff61000 r--p 00000000 00:00 0          [vvar]
>>> 7ff61000-7ff62000 r-xp 00000000 00:00 0          [vdso]
>>> root at OpenWrt:/#
>>>
>>> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
>>> ---
>>>
>>> I would like to get some comments if we should activate PIE by default.
>>> The advantage is that it will be harder to exploit OpenWrt, but on the
>>> other hand the binaries are getting bigger. We could also restrict this
>>> to some CPU types, but as targets share the binaries it is not really
>>> possible to do this based on the target.
>>>
>>> I am not sure if this should go into the next release or wait for later.
>>>
>>> This could also break some packages. As it has been possible to activate
>>> PIE by default for some time, many bugs are already fixed, but probably
>>> not all of them.
>> I think this is a lot of extra bloat. Maybe we can add a restricted PIE
>> mode where packages can opt-in individually?
>
> So we should probably make it a choice with 3 options:
> 1. No PIE
> 2. Use PIE for exposed binaries
> 3. Use PIE for all binaries

I hate that we have to make choices like this for space reasons. Option
2 will help but means attackers will try to go after something else.
By exposed, you mean "on the network", I guess?


>
> Then we need something in addition to the existing PKG_ASLR_PIE we
> already have to deactivate it.
>
> Do we want a generic name like this:
> PKG_CRITICAL
> or something specific to PIE:
> PKG_ASLR_PIE_PREFERED
>
> Hauke

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
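Two checks a maintainer would want when deciding whether the PIE default discussed in this thread actually took effect on a given image, written as an added example that is not part of the thread or of the OpenWrt build system: first, whether an ELF file was linked as ET_DYN (the type a PIE executable has, in contrast to ET_EXEC for a non-PIE one), read straight from the ELF header; second, whether the file-backed mappings in /proc/<pid>/maps land at different addresses between two runs of the same program, which is what the two busybox listings in the patch description demonstrate. The ELF headers below are constructed in the script (a minimal 52-byte MIPS header, not a real file); the maps excerpts are taken from the two listings quoted above.

```python
"""Added example: verify that a binary is PIE and that ASLR moved it.

Not code from the OpenWrt thread; the ELF headers here are constructed
(minimal ELF32 MIPS headers), the maps text is the output quoted in the
patch description.
"""
import struct

ET_EXEC = 2   # classic fixed-address executable (non-PIE)
ET_DYN = 3    # position-independent: PIE executables and shared objects
EM_MIPS = 8


def elf_type(elf_bytes: bytes) -> int:
    """Return e_type from an ELF header, honouring EI_DATA for endianness."""
    if elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if elf_bytes[5] == 1 else ">"   # 1 = LSB, 2 = MSB
    return struct.unpack(endian + "H", elf_bytes[16:18])[0]


def is_pie(elf_bytes: bytes) -> bool:
    """True when the file is ET_DYN.

    Caveat: shared libraries are ET_DYN too, so on an executable this tells
    you it was linked position-independent (the effect of -fPIE/-pie); a
    non-PIE executable shows up as ET_EXEC.
    """
    return elf_type(elf_bytes) == ET_DYN


def fake_elf_header(e_type: int, big_endian: bool = True) -> bytes:
    """Constructed ELF32 header for the checks above (not a real binary)."""
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    endian = ">" if big_endian else "<"
    # e_type, e_machine, then the rest of the 52-byte header zeroed.
    return ident + struct.pack(endian + "HH", e_type, EM_MIPS) + b"\x00" * 32


def parse_maps(text: str) -> dict:
    """Map each file-backed object in a /proc/<pid>/maps dump to its base.

    The base is the lowest start address of any mapping of that file;
    anonymous mappings and pseudo-paths such as [stack] are skipped.
    """
    bases = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5].startswith("["):
            continue
        start = int(fields[0].split("-")[0], 16)
        path = fields[5]
        bases[path] = min(bases.get(path, start), start)
    return bases


def randomized_objects(maps_run1: str, maps_run2: str) -> dict:
    """For every object present in both runs, did its base address change?"""
    a, b = parse_maps(maps_run1), parse_maps(maps_run2)
    return {path: a[path] != b[path] for path in a if path in b}


# Excerpts of the two `cat /proc/self/maps` runs quoted in the thread.
MAPS_RUN1 = """\
555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
55633000-55634000 rwxp 00000000 00:00 0
77ee2000-77f04000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]
"""
MAPS_RUN2 = """\
5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
5568c000-5568d000 rwxp 00000000 00:00 0
77e8e000-77eb0000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    print("constructed ET_DYN header is PIE:", is_pie(fake_elf_header(ET_DYN)))
    print("constructed ET_EXEC header is PIE:", is_pie(fake_elf_header(ET_EXEC)))
    for path, moved in randomized_objects(MAPS_RUN1, MAPS_RUN2).items():
        print(f"{path}: base {'changed' if moved else 'UNCHANGED'} between runs")
```

On a real image the first check is `elf_type(open(path, "rb").read(64))` for each file in /bin and /usr/sbin; an executable that still reports ET_EXEC after the build change is one that was built without PIE, which is the case the thread's opt-in/opt-out discussion (PKG_ASLR_PIE) is about. The second check only proves that the loader placed the program at a different address on two runs; the libraries moving is the pre-existing behaviour the patch description notes, the busybox base moving is what PIE adds.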



More information about the openwrt-devel mailing list