F29 System Wide Change: Build non-RELRO ELF binaries with .plt.got isolation

= Proposed System Wide Change: Build non-RELRO ELF binaries with .plt.got isolation =
https://fedoraproject.org/wiki/Changes/.plt.got_Isolation


Owner(s):
  * Florian Weimer <fweimer at redhat dot com>


Fedora 23 enabled hardening for all packages. However, some ELF
binaries still use lazy binding. This change proposes additional
hardening for them.



== Detailed description ==
With the RELRO and BIND_NOW dynamic linker features, it is possible to
make the array of function pointers which is used to implement dynamic
linking (the GOT) read-only at run time. This makes it harder for
exploit writers to overwrite these function pointers and redirect
execution.

However, some ELF binaries are still built and linked without these
hardening features. Sometimes this is due to package maintainer
preferences. Sometimes there are technical reasons which preclude the
use of BIND_NOW: because of the way the application is written, it
relies on lazy binding.

This change proposes to link ELF binaries in such a way that the
<code>.plt.got</code> section is loaded as a separate page at run
time. As a result, it is possible to use a kernel feature called
[http://man7.org/linux/man-pages/man7/pkeys.7.html memory protection
keys] to make the GOT with its function pointer array read-only most
of the time. When the dynamic linker needs to perform a function
symbol binding, it can make the GOT temporarily writable, for the
current thread only.

Memory protection keys are currently available with the POWER
architecture (starting with POWER7), and on select Intel server CPUs.
At this time, only a subset of Fedora systems will benefit from this
hardening, so the recommendation to link with RELRO/BIND_NOW remains.
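The following is an added example, not code from the proposal, from binutils or from glibc. It models the mechanism described above on a small scale: a page-aligned table of function pointers stands in for the isolated .plt.got page, it is locked read-only with a memory protection key (pkey_alloc, pkey_mprotect and pkey_set from glibc 2.27 and later, on a CPU and kernel that support pkeys), and a "bind" step opens it only for the duration of one slot update, as a lazy-binding dynamic linker would. Where protection keys are unavailable the example falls back to mprotect(), which changes the page for every thread rather than only the calling one. All got_* names and the add/sub target functions are invented for this example.

```c
/* Added example, not code from the proposal, binutils or glibc.  A one-page
 * table of function pointers models an isolated .plt.got page: kept read-only,
 * opened for writing only while one slot is bound.  Names are invented. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*binop_t)(int, int);
static binop_t *got;        /* the model GOT: exactly one page, page-aligned */
static size_t page_size;
static int got_pkey = -1;   /* -1: no protection key available, use mprotect() */

static int add(int a, int b) { return a + b; }
static int sub(int a, int b) { return a - b; }

/* Open (writable=1) or lock (writable=0) the table.  With a protection key
 * only the calling thread's PKRU changes, so other threads keep a read-only
 * view; the mprotect() fallback changes the page for every thread at once. */
static int got_set_writable(int writable)
{
#ifdef PKEY_DISABLE_WRITE
    if (got_pkey >= 0)
        return pkey_set(got_pkey, writable ? 0 : PKEY_DISABLE_WRITE);
#endif
    return mprotect(got, page_size,
                    writable ? PROT_READ | PROT_WRITE : PROT_READ);
}

/* Map the table, fill the initial slots and lock it.  Returns 0 on success. */
int got_init(void)
{
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    got = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (got == MAP_FAILED) return -1;
    got[0] = add;
    got[1] = sub;
#ifdef PKEY_DISABLE_WRITE
    /* Tag the page with a key whose write permission starts out disabled;
     * fall through to mprotect() if keys are unsupported (older CPUs, VMs). */
    got_pkey = pkey_alloc(0, PKEY_DISABLE_WRITE);
    if (got_pkey >= 0 &&
        pkey_mprotect(got, page_size, PROT_READ | PROT_WRITE, got_pkey) != 0) {
        pkey_free(got_pkey);
        got_pkey = -1;
    }
#endif
    return got_set_writable(0);
}

/* What a lazy-binding dynamic linker would do: unlock, write one slot, relock. */
int got_bind(size_t slot, binop_t target)
{
    if (got_set_writable(1) != 0) return -1;
    got[slot] = target;
    return got_set_writable(0);
}

/* Call through a slot, like a PLT stub indirecting via the GOT. */
int got_call(size_t slot, int a, int b) { return got[slot](a, b); }

static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 1 if a direct write to the locked table faults (the hardening
 * holds), 0 if the write silently went through. */
int got_write_is_blocked(void)
{
    struct sigaction sa, old;
    int blocked;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile binop_t *p = got;
        p[0] = sub;             /* should fault: the table is read-only */
        blocked = 0;
    } else {
        blocked = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    /* Leaving a SIGSEGV handler via siglongjmp skips sigreturn, so the thread's
     * PKRU may not be what it was before the signal: relock explicitly. */
    got_set_writable(0);
    return blocked;
}

int main(void)
{
    if (got_init() != 0) { perror("got_init"); return 1; }
    printf("mechanism: %s\n", got_pkey >= 0 ? "memory protection keys" : "mprotect fallback");
    printf("slot 0 = add: 5,3 -> %d\n", got_call(0, 5, 3));
    got_bind(0, sub);
    printf("slot 0 rebound to sub: 5,3 -> %d\n", got_call(0, 5, 3));
    printf("direct write blocked: %d\n", got_write_is_blocked());
    return 0;
}
```

The program reports which mechanism it ended up using; on a machine without protection keys it still demonstrates the lock/bind/relock cycle, but only with process-wide page protection, which is exactly the limitation the per-thread pkey approach in the proposal is meant to avoid. The explicit relock after catching the fault matters in practice: a thread that escapes a signal handler with siglongjmp never executes sigreturn, so it should not assume its protection-key register is unchanged.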

== Scope ==
* Proposal owners:
** We will work with the binutils maintainer to implement this change
in the linker, and enable it by default. (RELRO/BIND_NOW will
automatically disable it because it is not needed there.)
** The glibc dynamic linker will be updated to use this new feature.
This feature will likely arrive after the glibc 2.28 upstream release,
but it can be backported to Fedora because there is no ABI impact.

* Other developers:
In the unlikely case that an application relies on GOT patching, it
will have to specify a linker flag to disable this security hardening.

* Release engineering:
https://pagure.io/releng/issue/7575 #7575
(no release engineering impact is expected)

** List of deliverables:
N/A (not a System Wide Change)

* Policies and guidelines:
The packaging guidelines regarding build flags will not be updated.
RELRO/BIND_NOW remains the recommended approach.

* Trademark approval:
N/A (not needed for this Change)
--
Jan Kuřík
JBoss EAP Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/T2MQGAMHWEMYTN6JHCAD3YTXB5S4ZVJM/
