Merge pull request #513 from cjdelisle/feature-hardening

Hardening
This commit is contained in:
Gavin Andresen 2011-09-26 06:12:59 -07:00
commit 5df25e78db
2 changed files with 71 additions and 1 deletions

View file

@ -106,3 +106,45 @@ If you need to build Boost yourself:
sudo su
./bootstrap.sh
./bjam install
Security
--------
To help make your bitcoin installation more secure by making certain attacks impossible to
exploit even if a vulnerability is found, you can take the following measures:
* Position Independent Executable
Build position independent code to take advantage of Address Space Layout Randomization
offered by some kernels. An attacker who is able to cause execution of code at an arbitrary
memory location is thwarted if he doesn't know where anything useful is located.
The stack and heap are randomly located by default but this allows the code section to be
randomly located as well.
On an Amd64 processor where a library was not compiled with -fPIC, this will cause an error
such as: "relocation R_X86_64_32 against `......' can not be used when making a shared object;"
To build with PIE, use:
make -f makefile.unix ... -e PIE=1
To test that you have built PIE executable, install scanelf, part of paxutils, and use:
scanelf -e ./bitcoin
The output should contain:
TYPE
ET_DYN
* Non-executable Stack
If the stack is executable then trivial stack based buffer overflow exploits are possible if
vulnerable buffers are found. By default, bitcoin should be built with a non-executable stack
but if one of the libraries it uses asks for an executable stack or someone makes a mistake
and uses a compiler extension which requires an executable stack, it will silently build an
executable without the non-executable stack protection.
To verify that the stack is non-executable after compiling use:
scanelf -e ./bitcoin
the output should contain:
STK/REL/PTL
RW- R-- RW-
The STK RW- means that the stack is readable and writeable but not executable.

View file

@ -36,8 +36,36 @@ LIBS+= \
-l pthread
# Hardening
# Make some classes of vulnerabilities unexploitable in case one is discovered.
#
# Stack Canaries
# Put numbers at the beginning of each stack frame and check that they are the same.
# If a stack buffer if overflowed, it writes over the canary number and then on return
# when that number is checked, it won't be the same and the program will exit with
# a "Stack smashing detected" error instead of being exploited.
HARDENING=-fstack-protector-all -Wstack-protector
# Make some important things such as the global offset table read only as soon as
# the dynamic linker is finished building it. This will prevent overwriting of addresses
# which would later be jumped to.
HARDENING+=-Wl,-z,relro -Wl,-z,now
# Build position independent code to take advantage of Address Space Layout Randomization
# offered by some kernels.
# see doc/build-unix.txt for more information.
ifdef PIE
HARDENING+=-fPIE -pie
endif
# -D_FORTIFY_SOURCE=2 does some checking for potentially exploitable code patterns in
# the source such overflowing a statically defined buffer.
HARDENING+=-D_FORTIFY_SOURCE=2
#
DEBUGFLAGS=-g -D__WXDEBUG__
CXXFLAGS=-O2 -Wno-invalid-offsetof -Wformat $(DEBUGFLAGS) $(DEFS)
CXXFLAGS=-O2 -Wno-invalid-offsetof -Wformat $(DEBUGFLAGS) $(DEFS) $(HARDENING)
HEADERS = \
base58.h \
bignum.h \