From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/9307 Path: news.gmane.org!not-for-mail From: Szabolcs Nagy Newsgroups: gmane.linux.lib.musl.general Subject: Re: list of security features in musl Date: Thu, 11 Feb 2016 20:11:19 +0100 Message-ID: <20160211191119.GO9915@port70.net> References: <20160211085613.2e58f751@ncopa-desktop.alpinelinux.org> <20160211084105.GL9349@brightrain.aerifal.cx> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1455217904 6321 80.91.229.3 (11 Feb 2016 19:11:44 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Thu, 11 Feb 2016 19:11:44 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-9320-gllmg-musl=m.gmane.org@lists.openwall.com Thu Feb 11 20:11:36 2016 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1aTweN-0008Me-Oa for gllmg-musl@m.gmane.org; Thu, 11 Feb 2016 20:11:35 +0100 Original-Received: (qmail 9742 invoked by uid 550); 11 Feb 2016 19:11:31 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Original-Received: (qmail 9723 invoked from network); 11 Feb 2016 19:11:31 -0000 Mail-Followup-To: musl@lists.openwall.com Content-Disposition: inline In-Reply-To: <20160211084105.GL9349@brightrain.aerifal.cx> User-Agent: Mutt/1.5.24 (2015-08-30) Xref: news.gmane.org gmane.linux.lib.musl.general:9307 Archived-At: * Rich Felker [2016-02-11 03:41:05 -0500]: > On Thu, Feb 11, 2016 at 08:56:13AM +0100, Natanael Copa wrote: > > Hi, > > > > Once in a while I get question about what security features there are > > in musl. Are there such list some where? > > Some are briefly mentioned in the libc comparison: > > http://www.etalabs.net/compare_libcs.html > > but it's not very complete in this area. The things I would really > call security _features_ in musl are: > > - Stack protector, with failure handling that rapidly terminates the > process rather than continuing along error-reporting code paths > which can themselves provide an attack surface. > > - Double-free protection (to the extent possible), with the same rapid > termination. > > - Moderate level heap overflow protection - checking for clobbered > heap chunk footers on realloc and free, also with rapid termination. > > - Ability to build libc itself with stack protector enabled, to catch > libc-internal stack smashing. > > - Password hashing with bcrypt. > > - Ability to use PIE together with static linking (load static-linked > program at randomized address). > > - Blocking all LD_* for suid/sgid binaries, not just partially > restricting what they can do. > > - Translatable text in libc is purely literal strings, no format > strings, so buggy or malicious translations are not a format string > attack vector. > > In addition, the following design concepts/practices contribute to > security: > > - Simplicity/reviewability of code ("The main security feature is that > you can read the code" - nsz). > + public git repo with detailed commit messages and pgp signed releases. > - Non-use of arbitrary-size VLA/alloca, minimal dynamic allocation. > > - Attention to subtle race condition and async-signal safety issues, > as demonstrated by the extensive list of such bugs found in glibc by > musl developers. > i would also add that the tc3 update of the posix-2008 standard is due in april, it will fix 190 reported issues in the system interfaces and base definitions categories, 30 of which were reported by dalias or me. some of those are safety related issues. (in case you wonder: redhat reported 23, openbsd 16 out of the 190.) > - Aim to avoid/remove all undefined behavior even when it's not yet > dangerous with current compiler technology. > > - Safe, fully-standards-conforming handling of UTF-8. > > - Producing consistent results even under transient errors (failure to > obtain a file/resource does not cause silent fallback to defaults > that may be wrong). > > - No late/lazy allocation that would require aborting the program if > it fails. > > There are probably more interesting points for security, but I think I > covered the most important ones. If I missed any, reply with > additions. > - (mostly) iso c code (so all static and dynamic analyzer tools can be easily applied as well as hardening or debugging instrumentation like asan, cfi, etc. doing that with other c runtimes is harder). - more consistent behaviour across archs (minimal asm). - minimal global state manipulation across translation units (cf. glibc dynamic linker code) - safe atomic update (easy to deploy libc security updates). - safer dynamic linking: always relro, no lazy binding (and no madness like https://github.com/bx/elf-bf-tools ) - no dynamically loaded extensions (like glibc nss modules, gconv modules, unwind library, etc) that can crash the runtime, break api behaviour and limit static linking. - internals are not exposed via underspecified apis that can break the semantics of standard apis. (examples from glibc: gnu indirect function, callback apis like fopencookie or printf.h, malloc hooks and interposition for internal allocations.) - tcb shadow (allows nosuid passwd tools) - about 'security feature lists': the fedora project lists 'sha256 based passwd hash' in glibc as a security feature[0], that implementation is - a denial of service attack vector (computation depends on key length more than the admin controlled round count). - arch dependent(!), one can craft a passwd entry such that only 32bit machines can log in. - unbounded alloca(!) use was fixed in 2012, long after fedora added support for it (the reference implementation in the spec still has the problem, among other issues[1]). - uses arbitrary sized realloc for the global crypt state even though 100 bytes would be enough (checks salt len after reallocation). - not standard conform c code: aligned attribute, alloca, section attribute, undefined behaviour: (tmp - (char *) 0). - meant to be used outside the libc, but secrets are cleared with memset which can be optimized away. (i think there are other issues in this sha256-crypt.c, but the point is: implementation details matter so security check lists should be taken with a grain of salt.) [0]: https://fedoraproject.org/wiki/Security_Features#Glibc_Enhancements [1]: http://www.openwall.com/lists/musl/2012/08/19/9 > Rich