Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2019-09-02 Thread Tor Bug Tracker & Wiki
#21448: Identify what build flags we should be using for security, and use them
---------------------------------------+-----------------------
 Reporter:  arthuredelstein            |          Owner:  tbb-team
     Type:  defect                     |         Status:  new
 Priority:  Medium                     |      Milestone:
Component:  Applications/Tor Browser   |        Version:
 Severity:  Normal                     |     Resolution:
 Keywords:  tbb-security, tbb-rbm      |  Actual Points:
Parent ID:                             |         Points:
 Reviewer:                             |        Sponsor:
---------------------------------------+-----------------------
Changes (by gk):

 * keywords:  tbb-security => tbb-security, tbb-rbm


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2019-09-03 Thread Tor Bug Tracker & Wiki

Comment (by tom):

 no-plt - my understanding is that with full relro this is unnecessary
 https://bugzilla.mozilla.org/show_bug.cgi?id=1359912

 noexecstack - done https://bugzilla.mozilla.org/show_bug.cgi?id=671426

 stack-protector - open issue
 https://bugzilla.mozilla.org/show_bug.cgi?id=1511073

 safestack - open issue
 https://bugzilla.mozilla.org/show_bug.cgi?id=1374344

 ftrapv / fwrapv - open issue
 https://bugzilla.mozilla.org/show_bug.cgi?id=1031653

 -Wl,-z,now - open issue
 https://bugzilla.mozilla.org/show_bug.cgi?id=1359918


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-13 Thread Tor Bug Tracker & Wiki

Comment (by arthuredelstein):

 Using about:buildconfig, the browser reports compiler flags and configure
 arguments for our tor-browser.git builds. Are these a complete list of the
 compiler flags actually used? I don't know. In any case, here are the
 current reports:

 Linux TBB 6.5:
 {{{
 target
 x86_64-unknown-linux-gnu

 Build tools
 Compiler    Version    Compiler flags
 gcc 5.1.0   -Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare
 -Wtype-limits -Wno-unused -Wcast-align -frandom-seed=tor -std=gnu99
 -fgnu89-inline -fno-strict-aliasing -fno-math-errno -pthread -pipe
 c++ 5.1.0   -Wall -Wempty-body -Woverloaded-virtual -Wsign-compare
 -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -frandom-seed=tor
 -fno-exceptions -fno-strict-aliasing -fno-rtti -fno-exceptions
 -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g
 -freorder-blocks -Os -fomit-frame-pointer

 Configure arguments
 --enable-application=browser --enable-optimize --enable-official-branding
 --enable-tor-browser-update --enable-update-packaging --enable-signmar
 --enable-verify-mar --disable-strip --disable-install-strip --disable-tests
 --disable-debug --disable-maintenance-service --disable-crashreporter
 --disable-webrtc --disable-eme --disable-loop
 --with-tor-browser-version=6.5 --enable-update-channel=release
 --enable-bundled-fonts
 }}}

 Windows TBB 6.5:
 {{{
 target
 i686-w64-mingw32

 Build tools
 Compiler    Version    Compiler flags
 i686-w64-mingw32-gcc -mwindows  5.1.0   -Wall -Wempty-body
 -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused
 -Wcast-align -Wno-format -std=gnu99 -fgnu89-inline -fno-strict-aliasing
 -mms-bitfields -mstackrealign -fno-keep-inline-dllexport -fno-math-errno
 -pipe
 i686-w64-mingw32-g++ -mwindows  5.1.0   -Wall -Wempty-body
 -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof
 -Wcast-align -Wno-format -fno-exceptions -fno-strict-aliasing
 -mms-bitfields -mstackrealign -fno-keep-inline-dllexport -fno-rtti
 -fno-exceptions -fno-math-errno -std=gnu++0x -pipe -DNDEBUG -DTRIMMED -g
 -O -fomit-frame-pointer

 Configure arguments
 --enable-application=browser --target=i686-w64-mingw32
 --enable-default-toolkit=cairo-windows --disable-debug --enable-optimize
 --enable-strip --enable-official-branding --enable-tor-browser-update
 --enable-update-packaging --enable-signmar --enable-verify-mar
 --disable-sandbox --disable-eme --disable-crashreporter
 --disable-maintenance-service --disable-webrtc --disable-tests
 --disable-loop --with-tor-browser-version=6.5
 --enable-update-channel=release --enable-bundled-fonts
 }}}

 Mac TBB 6.5:
 {{{
 target
 x86_64-apple-darwin

 Build tools
 Compiler    Version    Compiler flags
 /home/debian/build/tor-browser/clang/bin/clang
 -target x86_64-apple-darwin10 -mlinker-version=136
 -B /home/debian/build/tor-browser/cctools/bin
 -isysroot /home/debian/build/tor-browser/MacOSX10.7.sdk
 3.8.0   -Qunused-arguments -Wall -Wempty-body
 -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -std=gnu99
 -fno-strict-aliasing -fno-math-errno -pthread -DNO_X11 -pipe
 /home/debian/build/tor-browser/clang/bin/clang++
 -target x86_64-apple-darwin10 -mlinker-version=136
 -B /home/debian/build/tor-browser/cctools/bin
 -isysroot /home/debian/build/tor-browser/MacOSX10.7.sdk
 3.8.0   -Qunused-arguments -Qunused-arguments
 -Wno-unused-local-typedef -Wall -Wempty-body -Woverloaded-virtual
 -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof
 -Wno-inline-new-delete -Wno-unused-local-typedef -Wno-c++0x-extensions
 -Wno-extended-offsetof -Wno-unknown-warning-option
 -Wno-return-type-c-linkage -fno-exceptions -fno-strict-aliasing -fno-rtti
 -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -DNO_X11 -pipe
 -DNDEBUG -DTRIMMED -g -O3 -fomit-frame-pointer

 Configure arguments
 --target=x86_64-apple-darwin
 --with-macos-private-frameworks=/home/debian/build/tor-browser/MacOSX10.7.sdk/System/Library/PrivateFrameworks
 --enable-application=browser --enable-strip --enable-official-branding
 --enable-optimize --disable-debug
 --enable-tor-browser-data-outside-app-dir --enable-tor-browser-update
 --enable-update-packaging --enable-signmar --enable-verify-mar
 --disable-crashreporter --disable-maintenance-service
 --disable-webrtc --

Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-13 Thread Tor Bug Tracker & Wiki

Comment (by arthuredelstein):

 For comparison, here are the current Firefox release build flags:

 Linux Firefox 51.01

 {{{
 target
 x86_64-pc-linux-gnu

 Build tools
 Compiler    Version    Compiler flags
 /builds/slave/m-rel-l64-/build/src/gcc/bin/gcc
 -std=gnu99   4.8.5   -Wall -Wempty-body -Wignored-qualifiers
 -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code
 -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations
 -Wno-error=array-bounds -Wno-error=coverage-mismatch
 -Wno-error=free-nonheap-object -fno-strict-aliasing -ffunction-sections
 -fdata-sections -fno-math-errno -pthread -pipe
 /builds/slave/m-rel-l64-/build/src/gcc/bin/g++
 -std=gnu++11 4.8.5   -Wall -Wc++11-compat -Wempty-body
 -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare
 -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof
 -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations
 -Wno-error=array-bounds -Wno-error=coverage-mismatch
 -Wno-error=free-nonheap-object -fno-exceptions -fno-strict-aliasing
 -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions
 -fno-math-errno -pthread -D_GLIBCXX_USE_CXX11_ABI=0 -pipe -g
 -fprofile-use -fprofile-correction -Wcoverage-mismatch -O3
 -fomit-frame-pointer -Werror

 Configure options
 MOZ_AUTOMATION=1 --enable-update-channel=release
 PKG_CONFIG=/builds/slave/m-rel-l64-/build/src/gtk3/usr/local/bin/pkg-config
 --enable-js-shell --enable-default-toolkit=cairo-gtk3
 --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key
 --with-google-api-keyfile=/builds/gapi.data MOZ_PGO=1
 CC=/builds/slave/m-rel-l64-/build/src/gcc/bin/gcc
 CXX=/builds/slave/m-rel-l64-/build/src/gcc/bin/g++
 --enable-rust
 RUSTC=/builds/slave/m-rel-l64-/build/src/rustc/bin/rustc
 CARGO=/builds/slave/m-rel-l64-/build/src/cargo/bin/cargo
 MAKE=/usr/bin/gmake --enable-crashreporter --enable-elf-hack
 --enable-official-branding --enable-release --enable-stdcxx-compat
 --enable-verify-mar
 }}}

 Windows Firefox 51.01:
 {{{
 target
 i686-pc-mingw32

 Build tools
 Compiler    Version    Compiler flags
 c:/builds/moz2_slave/m-rel-w32-/build/src/vs2015u3/VC/bin/amd64_x86/cl.EXE
 19.00.24213 -TC -nologo -wd4091 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline
 -arch:SSE2 -FS -wd4244 -wd4267 -wd4819 -we4553
 c:/builds/moz2_slave/m-rel-w32-/build/src/vs2015u3/VC/bin/amd64_x86/cl.EXE
 19.00.24213 -TP -nologo -wd5026 -wd5027 -Zc:sizedDealloc-
 -Zc:threadSafeInit- -wd4091 -wd4577 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline
 -arch:SSE2 -FS -wd4251 -wd4244 -wd4267 -wd4345 -wd4351 -wd4800 -wd4819
 -wd4595 -we4553 -GR- -Zi -GL -wd4624 -wd4952 -O1 -Oi -Oy

 Configure options
 MOZ_AUTOMATION=1 'MOZILLABUILD=C:\mozilla-build'
 --enable-update-channel=release --enable-js-shell --enable-eme=+adobe
 --with-mozilla-api-keyfile=c:/builds/mozilla-desktop-geoloc-api.key
 --with-google-api-keyfile=c:/builds/gapi.data MOZ_PGO=1
 WINDOWSSDKDIR=c:/builds/moz2_slave/m-rel-w32-/build/src/vs2015u3/SDK
 --enable-rust
 RUSTC=c:/builds/moz2_slave/m-rel-w32-/build/src/rustc/bin/rustc
 CARGO=c:/builds/moz2_slave/m-rel-w32-/build/src/cargo/bin/cargo
 --enable-jemalloc
 MAKE=c:/builds/moz2_slave/m-rel-w32-/build/src/mozmake.EXE
 --enable-crashreporter --enable-official-branding --enable-release
 --enable-require-all-d3dc-versions --enable-verify-mar
 }}}

 Mac Firefox 51.01:
 {{{
 target
 x86_64-apple-darwin11.2.0

 Build tools
 Compiler    Version    Compiler flags
 /usr/local/bin/ccache
 /builds/slave/m-rel-m64-/build/src/clang/bin/clang
 -arch x86_64 -std=gnu99   3.8.0   -Qunused-arguments -Wall -Wempty-body
 -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits
 -Wunreachable-code -Wclass-varargs -Wloop-analysis
 -Werror=non-literal-null-conversion -Wstring-conversion -Wthread-safety
 -Wno-error=deprecated-declarations -Wno-error=array-bounds -isysroot
 /Developer/SDKs/MacOSX10.7.sdk -fno-strict-aliasing -ffunction-sections
 -fdata-sections -fno-math-errno -pthread -pipe
 /usr/loca

Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-13 Thread Tor Bug Tracker & Wiki
Changes (by arthuredelstein):

 * keywords:   => tbb-security



Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-14 Thread Tor Bug Tracker & Wiki

Comment (by tom):

 Relevant Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=620058


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-14 Thread Tor Bug Tracker & Wiki
Description changed by arthuredelstein:

Old description:

> I think we are probably forgetting some configure/compiler/linker flags
> in Tor Browser that can improve security. Let's figure out what those are
> and add them. I would suggest child tickets for each new flag, so we can
> do this step by step.

New description:

 I think we may be able to add some configure/compiler/linker flags in Tor
 Browser that can improve security without many downsides. Let's figure out
 what those are and add them. I would suggest child tickets for each new
 flag, so we can do this step by step.

--


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-19 Thread Tor Bug Tracker & Wiki

Old description:

> I think we may be able to add some configure/compiler/linker flags in Tor
> Browser that can improve security without many downsides. Let's figure
> out what those are and add them. I would suggest child tickets for each
> new flag, so we can do this step by step.

New description:

 I think we may be able to add some configure/compiler/linker flags in Tor
 Browser that can improve security without many downsides. Let's figure out
 what those are and add them.

--

Comment (by arthuredelstein):

 Here are my thoughts for flags we can add to the gcc-based builds (Linux
 and mingw). (I think we should be able to add similar flags to the clang
 based builds -- I will look into that after we settle on flags to add to
 gcc.)
 {{{
 -Werror=format
 -Werror=format-security
 -fstack-protector-strong
 --param ssp-buffer-size=4
 -pie -fPIE
 -D_FORTIFY_SOURCE=2 -O1
 -Wl,-z,relro,-z,now
 -ftrapv
 }}}


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-20 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 Replying to [comment:6 arthuredelstein]:
 > Here are some security flags I think we can add to the gcc-based builds
 (Linux and mingw). There is heavy overlap with the proposed flags in
 https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be
 able to add similar flags to the clang based builds -- I will look into
 that after we settle on flags to add to gcc.)
 > {{{
 > -Werror=format
 > -Werror=format-security
 > -fstack-protector-strong
 > --param ssp-buffer-size=4
 > -pie -fPIE
 > -D_FORTIFY_SOURCE=2 -O1
 > -Wl,-z,relro,-z,now
 > -ftrapv
 > }}}

 Uhm. We are doing already most of those things. Have you looked at our
 gitian build scripts? And I am not so sure we should build with `ftrapv`
 see comment:1:ticket:18310.

 > Note I am leaving out more advanced mitigations like -fvtable-verify=std
 for this iteration because getting these to work is likely to be complex.

 That is broken and not working due to Mozilla internals, see:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1046600


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-20 Thread Tor Bug Tracker & Wiki

Comment (by arthuredelstein):

 Replying to [comment:7 gk]:
 > Replying to [comment:6 arthuredelstein]:
 > > Here are some security flags I think we can add to the gcc-based
 builds (Linux and mingw). There is heavy overlap with the proposed flags
 in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should
 be able to add similar flags to the clang based builds -- I will look into
 that after we settle on flags to add to gcc.)
 > > {{{
 > > -Werror=format
 > > -Werror=format-security
 > > -fstack-protector-strong
 > > --param ssp-buffer-size=4
 > > -pie -fPIE
 > > -D_FORTIFY_SOURCE=2 -O1
 > > -Wl,-z,relro,-z,now
 > > -ftrapv
 > > }}}
 >
 > Uhm. We are doing already most of those things. Have you looked at our
 gitian build scripts?

 Sorry I hadn't found the existing build flags before posting this ticket.
 I discussed with gk what is already in our build scripts.

 * On linux, we have in
 [https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/linux/gitian-firefox.yml#n50 gitian/descriptors/linux/gitian-firefox.yml]:
   {{{
   export DEB_BUILD_HARDENING=1
   export DEB_BUILD_HARDENING_STACKPROTECTOR=1
   export DEB_BUILD_HARDENING_FORTIFY=1
   export DEB_BUILD_HARDENING_FORMAT=1
   export DEB_BUILD_HARDENING_PIE=1
 }}}

   Indeed this covers most of the flags I mentioned. I'm not sure about
 `-Wl,-z,relro,-z,now`. gk, do you know how these are covered? boklm
 pointed me to
 [https://gitweb.torproject.org/boklm/tor-browser-bundle-testsuite.git/tree/TBBTestSuite/TestSuite/BrowserBundleTests.pm#n45 a part of the Tor Browser test suite]
 that seems to indicate that full relro is applied. Is that correct?

   I think it would be useful also to somehow confirm that we are now using
 -fstack-protector-strong and not -fstack-protector; I will try to
 investigate that.

 * On Windows, we have in
 [https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/i686-w64-mingw32-g++ gitian/build-helpers/i686-w64-mingw32-g++]:
 {{{
 /home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"
 }}}
   I'm not familiar with Windows/mingw build flags, but it looks like we
 could possibly switch to -fstack-protector-strong. Also I wonder if
 -D_FORTIFY_SOURCE=2 and the relro flags make sense.

 * On Mac, we are adding -fPIE to the clang flags in
 [https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/mac/gitian-firefox.yml#n43 gitian/descriptors/mac/gitian-firefox.yml].
 clang largely supports gcc's
 build flags so I think we could probably add most or all of the flags from
 comment:6 to the build. (I tried all of those flags with clang++ while
 building a "hello world" c++ program and confirmed that clang++ at least
 did not complain that any of the flags were unknown.)

 > And I am not so sure we should build with `ftrapv` see
 comment:1:ticket:18310.

 That's interesting. I'm not sure what the right answer is. RCE seems a lot
 worse than DOS, though.

 > > Note I am leaving out more advanced mitigations like
 -fvtable-verify=std for this iteration because getting these to work is
 likely to be complex.
 >
 > That is broken and not working due to Mozilla internals, see:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1046600

 I read in
 [https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-tice.pdf Tice et al 2014]
 that there is a mechanism in the VTV code to "whitelist" some parts of the
 code that would otherwise fail verification. I wonder if that feature is
 deployed in the gcc VTV implementation and could be used to get around the
 problematic vtable hacking Nathan Froyd
 [https://bugzilla.mozilla.org/show_bug.cgi?id=1046600#c2 mentions in the Mozilla bug].
 Similarly, clang's -fsanitize has an option to
 [https://clang.llvm.org/docs/ControlFlowIntegrity.html#forward-edge-cfi-for-virtual-calls "blacklist"]
 certain functions so that they also don't fail verification.

 Something else that occurs to me is it would be nice to document our
 hardening flags for each build (hardened, alpha, release) in the Tor
 Browser design document.

--
Ticket URL: 
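
One way to answer the questions above from the built binary instead of from the build flags: an added example, not code from this ticket, the Tor Browser test suite or hardening-check. It reads the ELF markers that `-pie`, `-Wl,-z,relro`, `-Wl,-z,now`, noexecstack and `-fstack-protector*` leave behind; `check_elf64` and `build_sample` are hypothetical names, only little-endian ELF64 is handled, and the sample images are constructed.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_DYN, PF_X = 3, 1


def check_elf64(data):
    """Report hardening markers found in a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = bind_now = False
    stack_exec = True  # no PT_GNU_STACK header: assume the worst case
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:        # emitted by -Wl,-z,relro
            relro = True
        elif p_type == PT_GNU_STACK:      # noexecstack clears PF_X
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:        # -Wl,-z,now sets a bind-now flag
            for off in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    return {
        # ET_DYN is also the type of shared objects, not only PIE executables.
        "position_independent": e_type == ET_DYN,
        # RELRO without bind-now leaves the lazily bound GOT writable.
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "nx_stack": not stack_exec,
        # Byte search as a stand-in for a .dynsym lookup. It shows that some
        # function has a canary; it cannot tell -fstack-protector from
        # -fstack-protector-strong, which needs the build log.
        "stack_canary": b"__stack_chk_fail\x00" in data,
    }


def build_sample(relro=True, bind_now=True, exec_stack=False, canary=True):
    """Constructed minimal ELF64 image: headers, dynamic section, one string."""
    dyn = []
    if bind_now:
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)

    segs = [(PT_DYNAMIC, 6), (PT_GNU_STACK, 7 if exec_stack else 6)]
    if relro:
        segs.append((PT_GNU_RELRO, 4))
    dyn_off = 64 + 56 * len(segs)
    phdrs = b""
    for p_type, flags in segs:
        off, size = (dyn_off, len(dyn_bytes)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", p_type, flags, off, off, off,
                             size, size, 8)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, len(segs),
        0, 0, 0)
    strtab = b"\x00__stack_chk_fail\x00" if canary else b"\x00"
    return ehdr + phdrs + dyn_bytes + strtab


if __name__ == "__main__":
    print("relro,now :", check_elf64(build_sample()))
    print("relro only:", check_elf64(build_sample(bind_now=False)))
```

To inspect a real binary, pass `open(path, "rb").read()` to `check_elf64`.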

Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-02-27 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 Replying to [comment:8 arthuredelstein]:
 > Replying to [comment:7 gk]:
 > > Replying to [comment:6 arthuredelstein]:
 > > > Here are some security flags I think we can add to the gcc-based
 builds (Linux and mingw). There is heavy overlap with the proposed flags
 in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should
 be able to add similar flags to the clang based builds -- I will look into
 that after we settle on flags to add to gcc.)
 > > > {{{
 > > > -Werror=format
 > > > -Werror=format-security
 > > > -fstack-protector-strong
 > > > --param ssp-buffer-size=4
 > > > -pie -fPIE
 > > > -D_FORTIFY_SOURCE=2 -O1
 > > > -Wl,-z,relro,-z,now
 > > > -ftrapv
 > > > }}}
 > >
 > > Uhm. We are doing already most of those things. Have you looked at our
 gitian build scripts?
 >
 > Sorry I hadn't found the existing build flags before posting this
 ticket. I discussed with gk what is already in our build scripts.
 >
 > * On linux, we have in
 [https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/linux/gitian-firefox.yml#n50 gitian/descriptors/linux/gitian-firefox.yml]:
 >   {{{
 >   export DEB_BUILD_HARDENING=1
 >   export DEB_BUILD_HARDENING_STACKPROTECTOR=1
 >   export DEB_BUILD_HARDENING_FORTIFY=1
 >   export DEB_BUILD_HARDENING_FORMAT=1
 >   export DEB_BUILD_HARDENING_PIE=1
 > }}}
 >
 >   Indeed this covers most of the flags I mentioned. I'm not sure about
 `-Wl,-z,relro,-z,now`. gk, do you know how these are covered? boklm
 pointed me to
 [https://gitweb.torproject.org/boklm/tor-browser-bundle-testsuite.git/tree/TBBTestSuite/TestSuite/BrowserBundleTests.pm#n45 a part of the Tor Browser test suite]
 that seems to indicate that full relro is applied. Is that correct?

 Yes, full relro is applied. I think we get the flags you mentioned by
 `export DEB_BUILD_HARDENING=1`. The other *HARDENING flags should not be
 needed. I opened #21565 for the clean-up.

 [snip]

 > > And I am not so sure we should build with `ftrapv` see
 comment:1:ticket:18310.
 >
 > That's interesting. I'm not sure what the right answer is. RCE seems a
 lot worse than DOS, though.

 `-ftrapv` is not the only means we apply to Tor Browser. A useful exercise
 would be to understand for which cases `-ftrapv` would be needed given all
 our other hardening flags.

 [snip]

 > Something else that occurs to me is it would be nice to document our
 hardening flags for each build (hardened, alpha, release) in the Tor
 Browser design document.

 True. I've opened #21566.


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-03-01 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 > hardening-wrapper is obsolete and has been removed from unstable. Please
 use dpkg-buildflags as explained above.
 https://wiki.debian.org/Hardening#hardening-wrapper
 > hardening-check can only check the resulting binaries and thus might not
 catch missing hardening flags if they are only missing in a few places.
 blhc is a small parser written in Perl which checks the build logs for
 missing hardening flags. It can be used on build logs created by dpkg-
 buildpackage or buildd.
 http://ruderich.org/simon/blhc/

 > For comparison, here are the current Firefox release build flags:
 For comparison we need ESR52 build options, both 32-bit and 64-bit for
 every OS. What about official MinGW builds?

 > I'm not familiar with Windows/mingw build flags, but it looks like we
 could possibly switch to -fstack-protector-strong.
 All occurrences of {{{-fstack-protector --param ssp-buffer-size=4}}}
 should be replaced with at least {{{-fstack-protector-strong}}}.
 http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
 > For those who want to protect all the functions then -fstack-protector-
 all is recommended.
 https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_STACKPROTECTOR_.28gcc.2Fg.2B-.2B-_-fstack-protector-strong.29
 > Also I wonder if -D_FORTIFY_SOURCE=2 and the relro flags make sense.
 {{{-D_FORTIFY_SOURCE=2 -O1}}} is a
 > Compile-time protection against static sized buffer overflows. No known
 regressions or performance loss. This should be enabled system-wide.
 https://wiki.debian.org/Hardening#gcc_-D_FORTIFY_SOURCE.3D2_-O1

 Some info about using {{{-Os}}}:
 https://stackoverflow.com/questions/19470873/why-does-gcc-generate-15-20-faster-code-if-i-optimize-for-size-instead-of-speed?rq=1

 About integer overflow checking, {{{-ftrapv}}} in particular:
 Research: https://people.csail.mit.edu/nickolai/papers/wang-stack-tocs.pdf
 {{{-ftrapv}}} is not the best option:
 https://stackoverflow.com/questions/20851061/how-to-make-gcc-ftrapv-work#20851708
 Practical usage: https://danluu.com/integer-overflow/


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-03-04 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 #8491 seems to be a dupe.


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-03-06 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 A comment from #8491 noted:
 {{{
 UBSan for the libraries that need it would also be valuable, especially
 image and TLS libraries.
 }}}
 Closing #8491 as duplicate as this one has a more detailed discussion.


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-07-24 Thread Tor Bug Tracker & Wiki

Comment (by arthuredelstein):

 After a lot of experimentation, I opened #23024 and #23025 to add some
 extra hardening flags for Windows and Mac respectively. In the meantime I
 also found several promising flags didn't work after all:

 Windows (mingw cross-compile):
  * `-z,relro,-z,now` fails (is there an equivalent flag for Windows
 binaries?)
  * `Werror=format` throws errors (around uses of `%lld`)
  * `-fstack-protector-strong`
 [https://sourceforge.net/p/mingw-w64/discussion/723798/thread/de524c41/
 didn't build]; in #23024 I propose trying `-fstack-protector-all` instead.

 macOS (clang-based cross compile):
  * `-z,relro,-z,now` fails (is there an equivalent flag for Mac binaries?)


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-07-31 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 Replying to [comment:13 arthuredelstein]:
 During your investigations Mozilla suddenly started to harden Firefox :0.
 So this looks like the third part of Tor Patch Uplifting project (next to
 FPI and fingerprinting). (Mark their tickets accordingly ;)
 >  * `-z,relro,-z,now` fails (is there an equivalent flag for Windows
 >  binaries?)
 This is how it works on Windows by default, no equivalents required.
 `-Wl,-z,relro,-z,now` when "Options passed to the compiler when linking
 executables or shared objects" or `-z relro -z now` "if the linker is
 called directly".
 `relro` - "Create an ELF PT_GNU_RELRO segment header in the object." (i.e.
 Linux only)
 This is https://bugzilla.mozilla.org/show_bug.cgi?id=1359912 (and
 dependencies!)
 `now` - Don't use Linux-only lazy binding
 This is https://bugzilla.mozilla.org/show_bug.cgi?id=1359918
 >  * `Werror=format` throws errors (around uses of `%lld`)
 Mozilla uses `-Wno-format`, because "# We use mix of both POSIX and Win32
 printf format across the tree, so format warnings are useless on mingw."
 But, suddenly, https://bugzilla.mozilla.org/show_bug.cgi?id=1359915
 >  * `-fstack-protector-strong`
 >  [https://sourceforge.net/p/mingw-w64/discussion/723798/thread/de524c41/
 >  didn't build]; in #23024 I propose trying `-fstack-protector-all` instead.
 This is https://bugzilla.mozilla.org/show_bug.cgi?id=620058, but have you
 noticed https://bugzilla.mozilla.org/show_bug.cgi?id=1359905?
 `-fstack-protector-all` is better for security.

 Also see https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/windows/gitian-utils.yml#n129
 and below...

 Some thoughts about comment:10?


Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-07-31 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 Tor Team is doing something similar in #22660.
 This is https://bugzilla.mozilla.org/show_bug.cgi?id=1374345
 But `-z noexecstack` needs checking whether stupid linker emits execstack
 by default? But `-Wa,--noexecstack` for assembler parts makes sense.
 This is https://bugzilla.mozilla.org/show_bug.cgi?id=671426

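The ELF markers discussed in the two comments above (the `PT_GNU_RELRO` header for `-z relro`, immediate binding for `-z now`, and the stack marking behind `noexecstack`) can be verified on a built Linux binary rather than inferred from the flags passed. This is an added example, not part of the thread or of Tor Browser's build scripts; `elf_hardening` and `sample_elf` are hypothetical names, and the sample images are constructed in memory.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X = 0x8, 0x1, 0x1

def elf_hardening(data):
    """Classify RELRO, immediate binding and stack permissions of an ELF64 LE image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a 64-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    relro, bind_now, nx_stack = False, False, None  # None: no PT_GNU_STACK at all
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # emitted by -z relro
            relro = True
        elif p_type == PT_GNU_STACK:        # PF_X set means an executable stack
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:          # -z now shows up as a dynamic tag
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    # RELRO without immediate binding leaves the lazily bound GOT writable.
    level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"relro": level, "bind_now": bind_now, "nx_stack": nx_stack}

def sample_elf(relro, stack_flags, dyn):
    """Constructed sample: ELF header, three program headers, one dynamic section."""
    dyn_bytes = b"".join(struct.pack("<QQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    def ph(p_type, flags, off=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, flags, off, 0, 0, size, size, 8)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                      3, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    return (hdr + ph(PT_DYNAMIC, 6, 64 + 3 * 56, len(dyn_bytes))
            + ph(PT_GNU_RELRO if relro else 0, 4) + ph(PT_GNU_STACK, stack_flags)
            + dyn_bytes)

if __name__ == "__main__":
    hardened = sample_elf(True, 6, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])
    lazy_execstack = sample_elf(True, 7, [])
    print(elf_hardening(hardened))
    print(elf_hardening(lazy_execstack))
```

An `nx_stack` of `None` means the image carries no `PT_GNU_STACK` header, so the loader's architecture default decides; PE and Mach-O inputs are rejected because these markers exist only in ELF.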

Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

2017-09-11 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 Try to use `-fno-plt` on all platforms and check the difference.
