Executable missing platform security integrations
Reported by: Jeffrey Walton
Owned by:
Keywords: compiler linker hardening
Cc:
uname -a: Linux debian-q500 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
$ ./objs/nginx -V
nginx version: nginx/1.5.9
TLS SNI support enabled
configure arguments: --with-debug --with-http_ssl_module --without-http_split_clients_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-cc-opt=-I/usr/local/ssl/include -ldl'
Modern Linux and Unix platforms provide a number of platform security measures to remediate unanticipated threats. It appears nginx is not using any of them.
$ checksec.sh --file ./objs/nginx
RELRO      STACK CANARY      NX           PIE      RPATH      RUNPATH      FILE
No RELRO   No canary found   NX enabled   No PIE   No RPATH   No RUNPATH   ./objs/nginx
RELRO can be achieved with linker options -z,relro and -z,now. Unfortunately, the configure system fails when trying to pass them through --with-ld-opt.
Stack canaries can be achieved with -fstack-protector or -fstack-protector-all. -fstack-protector-all is probably most appropriate since nginx is a high risk application. It's high risk because it accepts input from the internet.
PIE consists of compiler option -fPIE and linker option -pie. Unfortunately, the configure system fails when trying to pass them through --with-ld-opt.
No RPATH and No RUNPATH are OK as is. Some folks may have to use RPATH to avoid using some system supplied libraries.
NX enabled are no-exec stacks and heaps. I'm not sure where they are coming from on this Debian machine because it's not in gcc's spec file or in nginx's Makefile. It might be a good idea to test for the features during configuration and explicitly set the options if available. The options of interest are -z,noexecstack and -z,noexecheap. -z,noexecheap is available on PaX enabled kernels like Gentoo.
Checksec is a quick-and-dirty audit script by Tobias Klein and can be downloaded from http://www.trapkit.de/tools/checksec.html.
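
The RELRO, NX and PIE columns reported above can be read directly from the ELF program headers and dynamic section. The following is an added example, not part of the ticket and not checksec's own code: the names `audit_elf` and `build_sample` are hypothetical, the two images are constructed test inputs rather than real nginx binaries, and the stack canary check is left out because it needs a symbol-table lookup.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header
DYN = struct.Struct("<qQ")                 # ELF64 dynamic entry (d_tag, d_val)
ET_EXEC, ET_DYN, PT_DYNAMIC, PF_X = 2, 3, 2, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def audit_elf(data):
    """Report RELRO / NX / PIE for an ELF64 little-endian image (bytes)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian file")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    relro = bind_now = nx = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:        # emitted by the linker for -z relro
            relro = True
        elif p_type == PT_GNU_STACK:      # NX only if the stack is not executable;
            nx = not (p_flags & PF_X)     # a missing header counts as "disabled" here
        elif p_type == PT_DYNAMIC:        # -z now shows up as a bind-now flag
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    return {"RELRO": "Full RELRO" if relro and bind_now
                     else "Partial RELRO" if relro else "No RELRO",
            "NX": "NX enabled" if nx else "NX disabled",
            "PIE": "PIE enabled" if e_type == ET_DYN else "No PIE"}  # ET_DYN heuristic

def build_sample(e_type, phdrs, dyn=()):
    """Constructed image: file header, program headers, then dynamic entries."""
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    blob = b"".join(DYN.pack(t, v) for t, v in dyn) + DYN.pack(DT_NULL, 0)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, dyn_off, 0, 0, len(blob), len(blob), 8)
                    for t, f in phdrs)
    return ehdr + body + blob

# Constructed inputs: one matching the ticket's checksec row, one fully hardened.
UNHARDENED = build_sample(ET_EXEC, [(PT_GNU_STACK, 6)])
HARDENED = build_sample(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4),
                                 (PT_DYNAMIC, 6)], dyn=[(DT_FLAGS, DF_BIND_NOW)])
```

To audit a real build, pass the file contents, for example `audit_elf(open("./objs/nginx", "rb").read())`.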