Merge pull request #513 from cjdelisle/feature-hardening

Hardening
13 years ago · 5df25e78db
parent 17e2c24645 3f94dfa25f
commit 5df25e78db
2 changed files with 71 additions and 1 deletions
--- a/doc/build-unix.txt
+++ b/doc/build-unix.txt
@ -106,3 +106,45 @@ If you need to build Boost yourself:
 sudo su
 ./bootstrap.sh
 ./bjam install
+
+
+Security
+--------
+To help make your bitcoin installation more secure by making certain attacks impossible to
+exploit even if a vulnerability is found, you can take the following measures:
+
+* Position Independent Executable
+    Build position independent code to take advantage of Address Space Layout Randomization
+    offered by some kernels. An attacker who is able to cause execution of code at an arbitrary
+    memory location is thwarted if he doesn't know where anything useful is located.
+    The stack and heap are randomly located by default but this allows the code section to be
+    randomly located as well.
+
+    On an Amd64 processor where a library was not compiled with -fPIC, this will cause an error
+    such as: "relocation R_X86_64_32 against `......' can not be used when making a shared object;"
+
+    To build with PIE, use:
+    make -f makefile.unix ... -e PIE=1
+
+    To test that you have built PIE executable, install scanelf, part of paxutils, and use:
+    scanelf -e ./bitcoin
+
+    The output should contain:
+     TYPE
+    ET_DYN
+
+* Non-executable Stack
+    If the stack is executable then trivial stack based buffer overflow exploits are possible if
+    vulnerable buffers are found. By default, bitcoin should be built with a non-executable stack
+    but if one of the libraries it uses asks for an executable stack or someone makes a mistake
+    and uses a compiler extension which requires an executable stack, it will silently build an
+    executable without the non-executable stack protection.
+
+    To verify that the stack is non-executable after compiling use:
+    scanelf -e ./bitcoin
+
+    the output should contain:
+    STK/REL/PTL
+    RW- R-- RW-
+
+    The STK RW- means that the stack is readable and writeable but not executable.
--- a/src/makefile.unix
+++ b/src/makefile.unix
@ -36,8 +36,36 @@ LIBS+= \
   -l pthread


+# Hardening
+# Make some classes of vulnerabilities unexploitable in case one is discovered.
+#
+    # Stack Canaries
+    # Put numbers at the beginning of each stack frame and check that they are the same.
+    # If a stack buffer if overflowed, it writes over the canary number and then on return
+    # when that number is checked, it won't be the same and the program will exit with
+    # a "Stack smashing detected" error instead of being exploited.
+    HARDENING=-fstack-protector-all -Wstack-protector
+
+    # Make some important things such as the global offset table read only as soon as
+    # the dynamic linker is finished building it. This will prevent overwriting of addresses
+    # which would later be jumped to.
+    HARDENING+=-Wl,-z,relro -Wl,-z,now
+
+    # Build position independent code to take advantage of Address Space Layout Randomization
+    # offered by some kernels.
+    # see doc/build-unix.txt for more information.
+    ifdef PIE
+        HARDENING+=-fPIE -pie
+    endif
+
+    # -D_FORTIFY_SOURCE=2 does some checking for potentially exploitable code patterns in
+    # the source such overflowing a statically defined buffer.
+    HARDENING+=-D_FORTIFY_SOURCE=2
+#
+
+
 DEBUGFLAGS=-g -D__WXDEBUG__
-CXXFLAGS=-O2 -Wno-invalid-offsetof -Wformat $(DEBUGFLAGS) $(DEFS)
+CXXFLAGS=-O2 -Wno-invalid-offsetof -Wformat $(DEBUGFLAGS) $(DEFS) $(HARDENING)
 HEADERS = \
    base58.h \
    bignum.h \