[OpenWrt-Devel] [PATCH] [packages] Support for building a hardened OpenWRT with ASLR PIE support

Yongkui Han (yonhan) yonhan at cisco.com
Mon Jun 12 09:26:34 EDT 2017 

From: Yongkui Han <yonhan at cisco.com>

Introduce a configuration option to build a "hardened" OpenWRT with ASLR PIE support.

A new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
Position Independent Executables (PIE) support has been introduced.
This new option protects against "return-to-text" attacks.

Tested with GCC 4.4.7, uClibc and a subset of the available packages.

Signed-off-by: Yongkui Han <yonhan at cisco.com>
---
config/Config-build.in    |   15 +++++++++++++++
include/hardened-build-ld |    2 ++
include/hardening.mk      |    7 +++++++
3 files changed, 24 insertions(+)

diff --git a/config/Config-build.in b/config/Config-build.in
index 23cf83b..fa7ecfb 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -221,6 +221,21 @@ menu "Global build settings"
                     this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
                     Makefile.
+        config PKG_ASLR_PIE
+                  bool
+                  prompt "User space ASLR PIE compilation"
+                  default n
+                  help
+                    Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+                    This enables package build as Position Independent Executables (PIE)
+                    to protect against "return-to-text" attacks. This belongs to the
+                    feature of Address Space Layout Randomisation (ASLR), which is
+                    implemented by the kernel and the ELF loader by randomising the
+                    location of memory allocations. This makes memory addresses harder
+                    to predict when an attacker is attempting a memory-corruption exploit.
+                    You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+                    Makefile.
+
         choice
                   prompt "User space Stack-Smashing Protection"
                   depends on USE_MUSL
diff --git a/include/hardening.mk b/include/hardening.mk
index c277081..7b09c3e 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -6,6 +6,7 @@
#
 PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_ASLR_PIE ?= 1
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1
@@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
     TARGET_CFLAGS += -Wformat -Werror=format-security
   endif
endif
+ifdef CONFIG_PKG_ASLR_PIE
+  ifeq ($(strip $(PKG_ASLR_PIE)),1)
+    TARGET_CFLAGS += -fPIC
+    TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-build-ld
+  endif
+endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
   ifeq ($(strip $(PKG_SSP)),1)
     TARGET_CFLAGS += -fstack-protector
diff --git a/include/hardened-build-ld b/include/hardened-build-ld
new file mode 100644
index 0000000..97dbd92
--- /dev/null
+++ b/include/hardened-build-ld
@@ -0,0 +1,2 @@
+*self_spec:
++ %{!static:%{!shared:-pie}}

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20170612/f748c461/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list