Snort mailing list archives

Re: RELRO security in Snort-2.9.x


From: Joshua Kinard <kumba () gentoo org>
Date: Wed, 13 Apr 2016 19:30:53 -0400


RELRO and related commands are common on "hardened" toolchains.  Gentoo's got a
pretty extensive overview of how our hardened toolchain works, as well as a
hardened FAQ:
https://wiki.gentoo.org/wiki/Hardened/Toolchain
https://wiki.gentoo.org/wiki/Hardened/FAQ

Some of it is distro-specific to us, but some of the information there is
applicable to other distros.

One of my boxes runs a full hardened profile + toolchain, and I recently tested
Snort-2.9.8.2 on it and didn't notice any issues scanning some large PCAP files
against portions of the ET ruleset.  checksec.sh had this to say about that binary:

./checksec.sh --file /usr/bin/snort
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/snort

So it looks like RELRO and other hardened bits JustWork() on Snort.

--J



On 04/02/2016 06:52, Shawn wrote:
Hi Victor,

On Wed, Mar 16, 2016 at 4:32 AM, Victor Roemer <viroemer () cisco com> wrote:
Bill,

I don't know of these options; care to point us at some literature?

Take a look:
http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

Besides RELRO, Snort, running as an important component of a networking
system, should take care of other major GCC mitigations like
NX/PIE/ASLR/CANARY:
http://hardenedlinux.org/system-security/2015/06/09/debian-security-chklist.html
https://raw.githubusercontent.com/citypw/security-regression-testing-for-suse/master/other/vulns_hardening_assessment.log

Does this stuff prevent someone from calling mprotect and just making the
memory writable?

No, RELRO has nothing to do with MPROTECT, which you might think is a
feature from PaX/Grsecurity.

On 3/15/16 16:22, Bill Parker wrote:

Hi All,

   Does anyone have a take on this:

-Wl,-z,relro,-z,now
RELRO (read-only relocation). The options relro & now specified together are
known as "Full RELRO". You can specify "Partial RELRO" by omitting the now
flag. RELRO marks various ELF memory sections read-only (e.g. the GOT).

This is an option to gcc. When I run a checksec.sh script against the snort
binary, it comes back with Partial RELRO, rather than FULL.

Bill

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel