[OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default

Hauke Mehrtens hauke at hauke-m.de
Sat Feb 23 10:46:36 EST 2019


On 2/23/19 4:36 PM, Dave Taht wrote:
> Hauke Mehrtens <hauke at hauke-m.de> writes:
> 
>> On 2/13/19 11:51 PM, Felix Fietkau wrote:
>>> On 2019-02-13 23:15, Hauke Mehrtens wrote:
>>>> This will build all executable as Position Independent Executables (PIE)
>>>> by default. PIE executable can make full use of Address Space Layout
>>>> Randomization (ASLR) because all sections can be placed at random
>>>> offsets of the executed program. This makes it harder to exploit bugs
>>>> in our binaries.
>>>>
>>>> This will increase the size of executable, libraries are already build
>>>> position independent and their size will not change.
>>>>
>>>> This increases the size of the resulting images by about 3% on MIPS BE.
>>>> I tested this with the default configuration for the lantiq xrx200
>>>> target.
>>>>
>>>> The size of the initramfs binaries increased by 2.88%:
>>>> Without PIE:
>>>> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>>> With PIE:
>>>> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>>>
>>>> With PIE activated the executable are getting bigger, here are some
>>>> examples from the lantiq mips_24kc target:
>>>>
>>>> Without PIE:
>>>> 112.309 /bin/opkg
>>>> 299.061 /bin/busybox
>>>> 456.549 /usr/sbin/wpad
>>>>
>>>> With PIE:
>>>> 142.496 /bin/opkg       (26.87% increase)
>>>> 388.404 /bin/busybox    (29.87% increase)
>>>> 580.128 /usr/sbin/wpad  (27.06% increase)
>>>>
>>>> With PIE activated the sections of the binaries are loaded to
>>>> different offsets for each program instance like shown here:
>>>>
>>>> root at OpenWrt:/# cat /proc/self/maps
>>>> 555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
>>>> 55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
>>>> 55632000-55633000 rwxp 0005e000 00:02 1030       /bin/busybox
>>>> 55633000-55634000 rwxp 00000000 00:00 0
>>>> 77ee2000-77f04000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>>>> 77f04000-77f05000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>>>> 77f05000-77f06000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>>>> 77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
>>>> 77fa9000-77fab000 rwxp 00093000 00:02 329        /lib/libc.so
>>>> 77fab000-77fad000 rwxp 00000000 00:00 0
>>>> 7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]
>>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>>> 7ff0a000-7ff0b000 r--p 00000000 00:00 0          [vvar]
>>>> 7ff0b000-7ff0c000 r-xp 00000000 00:00 0          [vdso]
>>>> root at OpenWrt:/# cat /proc/self/maps
>>>> 5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
>>>> 5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
>>>> 5568b000-5568c000 rwxp 0005e000 00:02 1030       /bin/busybox
>>>> 5568c000-5568d000 rwxp 00000000 00:00 0
>>>> 77e8e000-77eb0000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>>>> 77eb0000-77eb1000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>>>> 77eb1000-77eb2000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>>>> 77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
>>>> 77f55000-77f57000 rwxp 00093000 00:02 329        /lib/libc.so
>>>> 77f57000-77f59000 rwxp 00000000 00:00 0
>>>> 7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]
>>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>>> 7ff60000-7ff61000 r--p 00000000 00:00 0          [vvar]
>>>> 7ff61000-7ff62000 r-xp 00000000 00:00 0          [vdso]
>>>> root at OpenWrt:/#
>>>>
>>>> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
>>>> ---
>>>>
>>>> I would like to get some comments if we should activate PIE by default.
>>>> The advantage is that it will be harder to exploit OpenWrt, but on the 
>>>> other hand the binaries are getting bigger. We could also restrict this 
>>>> to some CPU types, but as targets share the binaries it is not really 
>>>> possible to do this based on the target.
>>>>
>>>> I am not sure if this should go into the next release or wait for later.
>>>>
>>>> This could also break some packages, as it is possible to activate PIE 
>>>> by default for some time many bugs are already fixed, but probably not 
>>>> all of them.
>>> I think this is a lot of extra bloat. Maybe we can add a restricted PIE
>>> mode where packages can opt-in individually?
>>
>> So we should probably make it a chose with 3 options:
>> 1. No PIE
>> 2. Use PIE for exposed binaries
>> 3. Use PIE for all binaries
> 
> I hate that we have to make choices like this for space reasons. Option
> 2 will help but means attackers will try to go after something else.

We could also make this depended n the architecture, I think device with
ARM64 or x86 CPU normally also have much RAM and flash, while many MIPS
based devices are constrained.

> By exposed, you mean "on the network", I guess? 

Yes with exposed applications I meant exposed from the network like
dnsmasq, dropbear and so on.

>> Then we need something in addition to the existing PKG_ASLR_PIE we
>> already have to deactivate it.
>>
>> Do we want a generic name like this:
>> PKG_CRITICAL
>> or something specific to PIE:
>> PKG_ASLR_PIE_PREFERED
>>
>> Hauke

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list