From Fedora Project Wiki
(.plt.got Isolation proposal)
 
(Setting back to incomplete until such time as the appropriate standards bodies accept the changes)
 
(13 intermediate revisions by 4 users not shown)
Line 1: Line 1:
= Build non-RELRO ELF binaries with .plt.got isolation =
{{admon/note|This change is on hold indefinitely because the relevant standard body did not approve the required ELF changes.}}
 
= Build non-RELRO ELF binaries with .got.plt isolation =


== Summary ==
== Summary ==
Line 5: Line 7:


== Owner ==
== Owner ==
* Name: [[User:fweimer | Florian Weimer]
* Name: [[User:fweimer | Florian Weimer]]
* Email: [mailto:fweimer@redhat.com| fweimer@redhat.com]
* Email: [mailto:fweimer@redhat.com| fweimer@redhat.com]
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
Line 13: Line 15:


== Current status ==
== Current status ==
* Targeted release: [[Releases/29 | Fedora 29 ]]  
* Targeted release: [[Releases/31 | Fedora 31 ]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1598149 #1598149]
* Release Notes tracking: [https://pagure.io/fedora-docs/release-notes/issue/189 #189]


== Detailed Description ==
== Detailed Description ==
Line 22: Line 25:
However, some ELF binaries are still built and linked without these hardening features. Sometimes, this is due to package maintainer preferences. Sometimes, there are technical reasons which preclude the use of BIND_NOW because the way the application is written, it relies on lazy binding.
However, some ELF binaries are still built and linked without these hardening features. Sometimes, this is due to package maintainer preferences. Sometimes, there are technical reasons which preclude the use of BIND_NOW because the way the application is written, it relies on lazy binding.


This change proposes to link ELF binaries in such a way that the <code>.plt.got</code> section is loaded as a separated page at run time. As a result, it is possible to use a kernel feature called [http://man7.org/linux/man-pages/man7/pkeys.7.html memory protection keys] to make the GOT with its function pointer array read-only most of the time. When the dynamic linker needs to perform a function symbol binding, it can make the GOT temporarily writable, for the current thread only.
This change proposes to link ELF binaries in such a way that the <code>.got.plt</code> section is loaded as a separated page at run time. As a result, it is possible to use a kernel feature called [http://man7.org/linux/man-pages/man7/pkeys.7.html memory protection keys] to make the GOT with its function pointer array read-only most of the time. When the dynamic linker needs to perform a function symbol binding, it can make the GOT temporarily writable, for the current thread only.


Memory protection keys are currently available with the POWER architecture (starting with POWER7), and on select Intel server CPUs. At this time, only a subset of Fedora systems will benefit from this hardening, so the recommendation to link with RELRO/BIND_NOW remains.
Memory protection keys are currently available with the POWER architecture (starting with POWER7), and on select Intel server CPUs. At this time, only a subset of Fedora systems will benefit from this hardening, so the recommendation to link with RELRO/BIND_NOW remains.
Line 36: Line 39:
* Other developers: In the unlikely case that an application relies on GOT patching, it will have to specify a linker flag to disable this security hardening.
* Other developers: In the unlikely case that an application relies on GOT patching, it will have to specify a linker flag to disable this security hardening.


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (no release engineering impact is expected)
* Release engineering: [https://pagure.io/releng/issue/7575 #7575] (no release engineering impact is expected)
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
Line 70: Line 73:


== Release Notes ==
== Release Notes ==
* Release Notes tracking: [https://pagure.io/fedora-docs/release-notes/issue/189 #189]
Proposed text:
Proposed text:


* On IBM POWER CPUs starting with POWER7 and select Intel server CPUs, Fedora now runs more ELF binaries with a read-only GOT. This makes it more difficult to write code execution exploits for them.
* On IBM POWER CPUs starting with POWER7 and select Intel server CPUs, Fedora now runs more ELF binaries with a read-only GOT. This makes it more difficult to write code execution exploits for them.


[[Category:ChangeReadyForWrangler]]
[[Category:ChangePageIncomplete]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Latest revision as of 16:50, 24 July 2019

Note.png
This change is on hold indefinitely because the relevant standard body did not approve the required ELF changes.

Build non-RELRO ELF binaries with .got.plt isolation

Summary

Fedora 23 enabled hardening for all packages. However, some ELF binaries still use lazy binding. This change proposes additional hardening for them.

Owner

Current status

Detailed Description

With the RELRO and BIND_NOW dynamic linker features, it is possible to make the array of function pointers which is used to implement dynamic linking (the GOT) read-only at run time. This makes it harder for exploit writers to overwrite these function pointers and redirect execution.

However, some ELF binaries are still built and linked without these hardening features. Sometimes, this is due to package maintainer preferences. Sometimes, there are technical reasons which preclude the use of BIND_NOW because the way the application is written, it relies on lazy binding.

This change proposes to link ELF binaries in such a way that the .got.plt section is loaded as a separated page at run time. As a result, it is possible to use a kernel feature called memory protection keys to make the GOT with its function pointer array read-only most of the time. When the dynamic linker needs to perform a function symbol binding, it can make the GOT temporarily writable, for the current thread only.

Memory protection keys are currently available with the POWER architecture (starting with POWER7), and on select Intel server CPUs. At this time, only a subset of Fedora systems will benefit from this hardening, so the recommendation to link with RELRO/BIND_NOW remains.

Benefit to Fedora

This change brings additional security hardening to Fedora, covering binaries which are not yet fully hardened.

Scope

  • Proposal owners:
    • We will work with the binutils maintainer to implement this change in the linker, and enable it by default. (RELRO/BIND_NOW will automatically disable it because it is not needed there.)
    • The glibc dynamic linker will be updated to use this new feature. This feature will likely arrive after the glibc 2.28 upstream release, but it can be backported to Fedora because there is no ABI impact.
  • Other developers: In the unlikely case that an application relies on GOT patching, it will have to specify a linker flag to disable this security hardening.
  • Policies and guidelines: The packaging guidelines regarding build flags will not be updated. RELRO/BIND_NOW remains the recommended approach.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

On CPUs which lack the necessary support, the feature is automatically disabled.

Memory usage will increase by half a page per executable/DSO on average (unless that executable or DSO uses BIND_NOW/RELRO and thus does not need this feature).

How To Test

Run Fedora on an Intel or POWER system with the required CPU features. It is expected that binaries such as gcc and the X server will not be build with BIND_NOW, so these are good testing candidates.

User Experience

No user-visible impact is expected.

Dependencies

We are still working on kernel fixes. POWER is starting to look very good. Memory protection keys on Intel need a kernel extension which exists as a patch (which still needs to be ported to POWER, though—due to semantic differences, POWER will work without this patch).

Contingency Plan

  • Contingency mechanism: We can revert the binutils change, or not enable the dynamic linker hardening in glibc.
  • Contingency deadline: final mass rebuild (binutils change), RC (glibc dynamic linker change)
  • Blocks release? no
  • Blocks product? no

Documentation

This is an internal implementation detail, so no documentation beyond a gABI and the source code is planned.

Release Notes

  • Release Notes tracking: #189

Proposed text:

  • On IBM POWER CPUs starting with POWER7 and select Intel server CPUs, Fedora now runs more ELF binaries with a read-only GOT. This makes it more difficult to write code execution exploits for them.