openresty & compiler hardening options

zxcvbn4038 · 2016-06-01T02:41:44+00:00

Hello! On Fri, May 27, 2016 at 6:42 PM, Jamie Wang wrote: > can we control the access_log directive based on condition like this : > > location...

openresty & compiler hardening options

zxcvbn4038

The Linux distributions like to compile packages with several "hardening" options, I think typical is:

CFLAGS=-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2

LDFLAGS=-Wl,-z,relro -Wl,--as-needed

I'm interested in doing the same, but I'm worried about interfering with lua's jit and dynamic loading mechanisms (as well as pcre's jit).

Does anyone have good or bad experiences with building openresty with similar flags?

rpaprocki

We've done similar package building and deployment using some (not all) of these flags, and haven't run into any stability or usability problems. We're statically compiling OpenSSL, PCRE(jit), and using luajit, without issue, and running a number of different pure Lua and FFI modules.

On Tue, May 31, 2016 at 11:41 AM, CJ Ess <zxcv...@gmail.com> wrote:

The Linux distributions like to compile packages with several "hardening" options, I think typical is:

CFLAGS=-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-z,relro -Wl,--as-needed

I'm interested in doing the same, but I'm worried about interfering with lua's jit and dynamic loading mechanisms (as well as pcre's jit).

Does anyone have good or bad experiences with building openresty with similar flags?

.

lordnynex

Hello,

There is obviously a number of different things you can add in and it'd be quite difficult to say which options will have unforeseen consequences. I suspect *most* of these are fine, but the true answer is to test. IMHO, you should familiarize yourself with openresty unit tests to ensure passing builds. Further, 'hardening' is a pretty subjective term and I think people have different ideas about what flags are important to them. If you have specific concerns, I think you should speak about those rather than adopting flags directly from other packages. For example, as of last I checked DWARF symbols are not stripped from the binary. These symbols are a pretty critical part of perf analysis and debugging, but some people may chose to strip them. That's ok to do, but it ties your hands if you ever need them.

Again, I think it's important to understand the task you're attempting. If there is a specific concern I really think you should work forwards towards addressing it as opposed to backing into a set of common flags. If security is a strong focus for you, my opinion is that there are two important attack vectors to cover.

1) System/user setup. Since nginx is not traditionally run as root, it's sort of up to the user to ensure the user/group permissions are not overly permissive. I can't speculate about your specific system so you should use your judgement.

2) If you're concerned about the integrity of the binary (despite this being an open source project where anyone can do their own code review before fuzzing), I highly recommend you explore static compilation. The short of it is all the hardening in the world won't help you if things like dynamically linked libraries are compromised. For example, in some systems (particularly older systems like fedora that support kmem... and some newer ones that don't support kmem but we wont get into it), it's possible to locate and subsequently patch (or hijack if you will) these functions. So trivial things like gethostbyname etc, can be 'shimmed' to execute malicious code almost completely external to the binary (in this case nginx) you've just hardened.

Please do not specify -02 yourself because it is added by the configure script and is user configurable. If a user does not specify this option, it will fall back to the default. The best place to understand which flags are supported, or have potentially conflicting defaults is the 'configure' perl script. It lives here https://github.com/openresty/openresty/blob/master/util/configure

- Brandon

On Tue, May 31, 2016 at 11:41 AM, CJ Ess <zxcv...@gmail.com> wrote:

The Linux distributions like to compile packages with several "hardening" options, I think typical is:

CFLAGS=-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-z,relro -Wl,--as-needed

I'm interested in doing the same, but I'm worried about interfering with lua's jit and dynamic loading mechanisms (as well as pcre's jit).

Does anyone have good or bad experiences with building openresty with similar flags?

.

lordnynex

Sorry, just to clarify on this...

These are *MY* opinions, not the communities and not openresty's official stance.

One slight correction, issue #2 I discussed was meant to be in the context of libc, not nginx/openresty internal functions. It was an oversight on my part to not proof read before clicking send.

On Tue, May 31, 2016 at 4:02 PM, Lord Nynex <lord...@gmail.com> wrote:

Hello,

There is obviously a number of different things you can add in and it'd be quite difficult to say which options will have unforeseen consequences. I suspect *most* of these are fine, but the true answer is to test. IMHO, you should familiarize yourself with openresty unit tests to ensure passing builds. Further, 'hardening' is a pretty subjective term and I think people have different ideas about what flags are important to them. If you have specific concerns, I think you should speak about those rather than adopting flags directly from other packages. For example, as of last I checked DWARF symbols are not stripped from the binary. These symbols are a pretty critical part of perf analysis and debugging, but some people may chose to strip them. That's ok to do, but it ties your hands if you ever need them.

Again, I think it's important to understand the task you're attempting. If there is a specific concern I really think you should work forwards towards addressing it as opposed to backing into a set of common flags. If security is a strong focus for you, my opinion is that there are two important attack vectors to cover.

1) System/user setup. Since nginx is not traditionally run as root, it's sort of up to the user to ensure the user/group permissions are not overly permissive. I can't speculate about your specific system so you should use your judgement.
2) If you're concerned about the integrity of the binary (despite this being an open source project where anyone can do their own code review before fuzzing), I highly recommend you explore static compilation. The short of it is all the hardening in the world won't help you if things like dynamically linked libraries are compromised. For example, in some systems (particularly older systems like fedora that support kmem... and some newer ones that don't support kmem but we wont get into it), it's possible to locate and subsequently patch (or hijack if you will) these functions. So trivial things like gethostbyname etc, can be 'shimmed' to execute malicious code almost completely external to the binary (in this case nginx) you've just hardened.

Please do not specify -02 yourself because it is added by the configure script and is user configurable. If a user does not specify this option, it will fall back to the default. The best place to understand which flags are supported, or have potentially conflicting defaults is the 'configure' perl script. It lives here https://github.com/openresty/openresty/blob/master/util/configure

- Brandon

On Tue, May 31, 2016 at 11:41 AM, CJ Ess <zxcv...@gmail.com> wrote:
The Linux distributions like to compile packages with several "hardening" options, I think typical is:

CFLAGS=-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-z,relro -Wl,--as-needed

I'm interested in doing the same, but I'm worried about interfering with lua's jit and dynamic loading mechanisms (as well as pcre's jit).

Does anyone have good or bad experiences with building openresty with similar flags?

.