Closed (moved) build hardening for TBB
  • Closed (moved) Issue created by Jacob Appelbaum

    I was looking at the latest 64bit stable tbb and ran scanelf on it:

    ~/tor-browser_en-US % find .| xargs -n 1 scanelf -a -v
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_extra-2.0.so.5 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15.13.0 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_core-2.0.so.5 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtGui.so.4 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtCore.so.4 
    ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libcrypto.so.1.0.0 
    ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libssl.so.1.0.0 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent-2.0.so.5 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtNetwork.so.4 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtXml.so.4 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_extra-2.0.so.5 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libz/libz.so.1 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libz/libz.so.1 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15.13.0 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent_core-2.0.so.5 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtGui.so.4 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtCore.so.4 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libcrypto.so.1.0.0 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0644 LE RW- --- RW-    -      -   LAZY ./Lib/libssl.so.1.0.0 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libevent-2.0.so.5 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtNetwork.so.4 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtXml.so.4 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/vidalia 
    ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/vidalia 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox-bin 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/webapprt-stub 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozalloc.so 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsoftokn3.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxpcom.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssdbm3.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplc4.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxul.so 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/mozilla-xremote-client 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssckbi.so 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/plugin-container 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnss3.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozsqlite3.so 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/updater 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libssl3.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplds4.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libfreebl3.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssutil3.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnspr4.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsmime3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox-bin 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/webapprt-stub 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozalloc.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsoftokn3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxpcom.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssdbm3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libdbusservice.so 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libbrowsercomps.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libdbusservice.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/components/libbrowsercomps.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplc4.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libxul.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/mozilla-xremote-client 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssckbi.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/plugin-container 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnss3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libmozsqlite3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/updater 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libssl3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libplds4.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libfreebl3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnssutil3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libnspr4.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/libsmime3.so 
     TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
    ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor 

    The output is explained on the pax-utils documentation website.

    A few things come to mind - one is that all our binaries should be set to BIND 'NOW' at run time. There are likely other things we could/should improve about these builds.
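The report above can be triaged mechanically. The following is an added example, not part of the original issue or of pax-utils: it parses `scanelf -a -v` lines (a few are copied from the report as sample input) and lists the missing hardening for each distinct file. The finding labels and the reading of `---` in the REL column as "no PT_GNU_RELRO segment" are this example's assumptions, and it assumes RPATH values contain no spaces.

```python
# Added example: audit `scanelf -a -v` output for missing build hardening.
# Column order follows the header printed in the report:
# TYPE PAX PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
SAMPLE = """\
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15
ET_DYN PeMRxS 0755 LE RW- --- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib LAZY ./Lib/libQtGui.so.4
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE
ET_DYN PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./Lib/libpng15.so.15
ET_EXEC PeMRxS 0755 LE RW- --- RW-    -      -   LAZY ./App/Firefox/firefox
ET_EXEC PeMRxS 0755 LE RW- R-- RW-    -    /srv/build-trees/build-alpha/x86_64/built/lib NOW ./App/tor
"""  # sample lines copied from the report above


def audit(text):
    """Return {file: [findings]} for each distinct ELF file in scanelf output."""
    report = {}
    for line in text.splitlines():
        cols = line.strip().split(None, 10)
        if len(cols) != 11 or not cols[0].startswith("ET_"):
            continue  # repeated header or unrelated line
        etype, _pax, _perm, _endian, stk, relro, _ptl, textrel, rpath, bind, path = cols
        if path in report:
            continue  # find | xargs reports the same file more than once
        findings = []
        if etype == "ET_EXEC":
            findings.append("not PIE")           # fixed load address
        if "X" in stk:
            findings.append("executable stack")  # PT_GNU_STACK has the X flag
        if relro == "---":
            findings.append("no RELRO")          # no PT_GNU_RELRO segment
        if bind != "NOW":
            findings.append("lazy binding")      # GOT stays writable at run time
        if textrel != "-":
            findings.append("text relocations")
        if rpath != "-":
            findings.append("RPATH " + rpath)    # build-host path baked in
        report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "->", ", ".join(findings) or "ok")
```
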
