Secure Programming with GCC and GLibc - CanSecWest
Secure Programming with GCC and GLibc - CanSecWest
Secure Programming with GCC and GLibc - CanSecWest
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Secure</strong> <strong>Programming</strong><strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong>Marcel Holtmann<strong>CanSecWest</strong> 2008, Vancouver
Introduction●●Working for the Open Source TechnologyCenter at IntelUsed to work for the Red Hat SecurityResponse Team● Have been to <strong>CanSecWest</strong> once or twice ;)<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 2
Agenda●●●<strong>Secure</strong> programming in generalWelcome to 21stcenturyTips <strong>and</strong> tricks<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 3
<strong>Secure</strong> programming●●●●●Underst<strong>and</strong> the limits <strong>and</strong> flaws of yourprogramming languageUnderst<strong>and</strong> your own codeExpect the unexpectedDo code reviewsListen to your compiler<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 4
<strong>Programming</strong> languages●●●C <strong>and</strong> C++ are not secure languagesGo for Java, C# or similar languagesBut ask yourself which language has been usedto write JVM for example●There is always a weakest link<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 5
Something to keep in mind●●You have to know what you are doing<strong>Programming</strong> is art●●Nothing I gonna tell you in the next 30 minutesis going to change thisHowever it might make your life easier<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 6
The threats●●●●●●Format string attacksBuffer overflowsHeap overflows <strong>and</strong> double freeStack overwritesELF section overwritesFixed address space layout<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 7
The protection●●●The Linux kernel (if you use Linux)<strong>GCC</strong> compile time options<strong>GLibc</strong> runtime options●And of course the developer<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 8
Linux kernel options●Address space layout r<strong>and</strong>omization (ASLR)● mmap, Stack, vDSO as of 2.6.18● Heap/executable as of 2.6.24●●●Requirement for pieExecShield●NX emulation (Red Hat <strong>and</strong> Fedora only)Stack Protector<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 9
<strong>GCC</strong> options●●●gcc fstackprotectorld z relrold pie / gcc fPIE● gcc D_FORTIFY_SOURCE=2 O2●gcc Wformat Wformatsecurity<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 10
<strong>GLibc</strong> options●●●Heap protectionDouble free checkingPointer encryption●Enabled by default<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 11
Distributions●●●●Every major Linux distribution will try to enablemost of these “security” featuresSome patch the default options of <strong>GCC</strong>Normally they never contribute back to theupstream projectHave options for these features <strong>and</strong> make thedistributions use them<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 12
Format strings●●●Wformat●●Check format types <strong>and</strong> conversationsSafe to use <strong>and</strong> part of WallWformatsecurity●●Check potential security risks <strong>with</strong>in printf <strong>and</strong> scanfNon string literals or missing format argumentsListen to compiler warnings<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 13
Buffer checks● D_FORTIFY_SOURCE=2 O2●●During compilation most buffer length are knownInclude compile time checks <strong>and</strong> also runtime checks● The source must be compiled <strong>with</strong> O2●●●Format strings in writable memory <strong>with</strong> %n are blockedNo negative impact has been reportedUsage in upstream projects is almost zero<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 14
Heap protection●●<strong>GLibc</strong> includes heap protectionDouble free attempts will be detected●●Always enabled when using <strong>GLibc</strong>No negative impact known<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 15
Stack protection●●●Mainline <strong>GCC</strong> featureAlso known as stack smashing protection orstack canariesMissing support for ia64 <strong>and</strong> alpha systems● Helps to reduce stack overflows, but a 100%protection can not be expected<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 16
R<strong>and</strong>omization●●●●Position Independent Executable (PIE)Requires ASLR support in the kernel<strong>GCC</strong> <strong>and</strong> linker option (fPIE <strong>and</strong> pie)Doesn't work on hppa <strong>and</strong> m68k systems●R<strong>and</strong>omization is limited <strong>and</strong> only good forprotecting against remote vulnerabilities<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 17
Pointer encryption●●●●Protection of pointer in writable memoryIt is hard, but in theory the r<strong>and</strong>omization canbe overcomeStore only mangled function pointer <strong>and</strong> XOR<strong>with</strong> a r<strong>and</strong>om numberEncryption is considered faster than canaries<strong>and</strong> as secure<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 18
ELF protection●●●●Linker option (z relro)Mark various ELF memory sections readonlybefore h<strong>and</strong>ing over the program executionAlso known as ELF hardening or protectionagainst GOT overwrite attacksNo problem reported so far<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 19
Red Hat <strong>and</strong> Fedora security<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 20
Debian <strong>and</strong> Ubuntu security●●Install the Hardening wrapper●aptget install hardeningwrapperSet an environment variable to activate it●●export DEB_BUILD_HARDENING=1export DEB_BUILD_HARDENING_[feature]=0●Ubuntu has stack protector by default<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 21
A trivial example#include #include #include #include #include #include #include int main(int argc, char *argv[]){char buf[16];if (argc > 1) {strcpy(buf, argv[1]);printf("Your first argument was: ");printf(buf);printf("\n");} else {fprintf(stderr, "Usage: %s ARG\n", argv[0]);exit(1);}}return 0;<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 22
Using the wrapper# DEB_BUILD_HARDENING=1 make trivialcc trivial.c o trivialtrivial.c: In function ‘main’:trivial.c:16: warning: format not a string literal <strong>and</strong> no format arguments# ./trivial $(perl e 'print "A"x100')Your first argument was:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*** stack smashing detected ***: ./trivial terminatedSegmentation fault (core dumped)<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 23
Other useful tools●●●Statical analysisThe Linux kernel sparse●●User/kernel pointer checksEndian conversion checksThe memory checker valgrind●Listen to its warnings<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 24
Conclusion●●Use the security features that are available <strong>and</strong>make them m<strong>and</strong>atoryListen to your compiler <strong>and</strong> underst<strong>and</strong> thewarnings – fix the cause, not the warning●You still have to write good <strong>and</strong> secure code,but listen to your tools when they try to tell yousomething ...<strong>Secure</strong> <strong>Programming</strong> <strong>with</strong> <strong>GCC</strong> <strong>and</strong> <strong>GLibc</strong> 25
Thanks for your attentionmarcel@holtmann.org