From Fedora Project Wiki
This change is on hold indefinitely because the relevant standard body did not approve the required ELF changes.

Build non-RELRO ELF binaries with .got.plt isolation

Summary

Fedora 23 enabled hardening for all packages. However, some ELF binaries still use lazy binding. This change proposes additional hardening for them.

Owner

Current status

Detailed Description

With the RELRO and BIND_NOW dynamic linker features, it is possible to make the array of function pointers which is used to implement dynamic linking (the GOT) read-only at run time. This makes it harder for exploit writers to overwrite these function pointers and redirect execution.

However, some ELF binaries are still built and linked without these hardening features. Sometimes, this is due to package maintainer preferences. Sometimes, there are technical reasons which preclude the use of BIND_NOW because the way the application is written, it relies on lazy binding.

This change proposes to link ELF binaries in such a way that the .got.plt section is loaded as a separated page at run time. As a result, it is possible to use a kernel feature called memory protection keys to make the GOT with its function pointer array read-only most of the time. When the dynamic linker needs to perform a function symbol binding, it can make the GOT temporarily writable, for the current thread only.

Memory protection keys are currently available with the POWER architecture (starting with POWER7), and on select Intel server CPUs. At this time, only a subset of Fedora systems will benefit from this hardening, so the recommendation to link with RELRO/BIND_NOW remains.

Benefit to Fedora

This change brings additional security hardening to Fedora, covering binaries which are not yet fully hardened.

Scope

  • Proposal owners:
    • We will work with the binutils maintainer to implement this change in the linker, and enable it by default. (RELRO/BIND_NOW will automatically disable it because it is not needed there.)
    • The glibc dynamic linker will be updated to use this new feature. This feature will likely arrive after the glibc 2.28 upstream release, but it can be backported to Fedora because there is no ABI impact.
  • Other developers: In the unlikely case that an application relies on GOT patching, it will have to specify a linker flag to disable this security hardening.
  • Policies and guidelines: The packaging guidelines regarding build flags will not be updated. RELRO/BIND_NOW remains the recommended approach.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

On CPUs which lack the necessary support, the feature is automatically disabled.

Memory usage will increase by half a page per executable/DSO on average (unless that executable or DSO uses BIND_NOW/RELRO and thus does not need this feature).

How To Test

Run Fedora on an Intel or POWER system with the required CPU features. It is expected that binaries such as gcc and the X server will not be build with BIND_NOW, so these are good testing candidates.

User Experience

No user-visible impact is expected.

Dependencies

We are still working on kernel fixes. POWER is starting to look very good. Memory protection keys on Intel need a kernel extension which exists as a patch (which still needs to be ported to POWER, though—due to semantic differences, POWER will work without this patch).

Contingency Plan

  • Contingency mechanism: We can revert the binutils change, or not enable the dynamic linker hardening in glibc.
  • Contingency deadline: final mass rebuild (binutils change), RC (glibc dynamic linker change)
  • Blocks release? no
  • Blocks product? no

Documentation

This is an internal implementation detail, so no documentation beyond a gABI and the source code is planned.

Release Notes

  • Release Notes tracking: #189

Proposed text:

  • On IBM POWER CPUs starting with POWER7 and select Intel server CPUs, Fedora now runs more ELF binaries with a read-only GOT. This makes it more difficult to write code execution exploits for them.