Windows: Lacking ASLR and DEP support

[Ghamela]

All exe's and dll's from OpenVPN Windows client 2.3.2 64 bit lack ASLR and DEP support, I haven't checked other versions.

[Ghamela]

Update: In addition to the files in Program Files\OpenVPN, neither do the files including the TAP driver in Program Files\TAP-Windows

[Samuli Seppänen]

There is no ASLR/DEP support in the Windows binaries yet. It seems that mingw_w64 does have the support, so adding it should be fairly straightforward. I will look into this before the 2.4 release (which is still some months away).

[Samuli Seppänen]

It seems that this ticket should be split into two, one for aslr and one for dep.

Anecdotal evidence suggests that the aslr support in mingw_w64 is a bit buggy, but this has not been verified. As for dep there is a strong chance that openvpn will require some modifications to work with it enabled.

[Samuli Seppänen]

Some useful links:

• ​https://developer.pidgin.im/ticket/15290
• ​http://stackoverflow.com/questions/24283918/how-can-i-enable-aslr-dep-and-safeseh-on-an-exe-in-codeblocks-using-mingw
• ​http://security.stackexchange.com/questions/24444/what-is-the-most-hardened-set-of-options-for-gcc-compiling-c-c
• ​http://stackoverflow.com/questions/9398046/useful-gcc-flags-to-improve-security-of-your-programs
• ​https://trac.torproject.org/projects/tor/ticket/10065

[Samuli Seppänen]

My plate is full enough even without this task. If somebody knows mingw_w64 / cross-compiling well, we could definitely use some help with creating a proof of concept.

[Samuli Seppänen]

Steffan ​knew the incantations for enabling ASLR/DEP:

Just for reference: those are supported by mingw/gcc too:
-fstack-protector for canaries, -Wl,--nxcompat for DEP,
-Wl,--dynamicbase for ASLR.

I will try these and see what happens.

[Samuli Seppänen]

Where should the flags be added exactly? By aping ​this pull request I tried modifying generic/build in ​openvpn-build:

 if [ -n "${BUILD_FOR_WINDOWS}" ]; then
    CONFIGOPTS=" \
        ${CONFIGOPTS} \ 
        --sbindir=/bin \
    "
    export LDFLAGS="$LDFLAGS -Wl,--dynamicbase -Wl,--nxcompat"
    export PKG_CONFIG="true"
fi

This did change did not seem to have the desired effect. Is this basically the correct approach? Or should the linker flags be added to OpenVPN's Makefile?

[Steffan Karger]

I have CFLAGS="${CFLAGS} -Wl,--dynamicbase,--nxcompat" in my build wrappers. That seems to work.

[Samuli Seppänen]

I'll test that, thanks!

[Samuli Seppänen]

And finally here is a ​test installer with ASLR/DEP support. It was a trivial change:

--- a/generic/build.vars
+++ b/generic/build.vars
@@ -41,4 +41,6 @@ EXTRA_OPENSSL_CONFIG="${EXTRA_OPENSSL_CONFIG:--static-libgcc}" # uncomment if op
 #EXTRA_PKCS11_HELPER_CONFIG
 #EXTRA_OPENVPN_CONFIG

+EXTRA_TARGET_CFLAGS="-Wl,--dynamicbase,--nxcompat"
+

[Samuli Seppänen]

According to ​PEStudio all the executables and libraries bundled in the above installer have ASLR and DEP enabled. The official 2.4.0-I601 installer lack those features, so the build flags actually seem to work.

[Samuli Seppänen]

​https://github.com/OpenVPN/openvpn-build/pull/79

[Gert Döring]

Since /79 is merged to openvpn-build, it seems this one can be closed, no?

[Samuli Seppänen]

I think so, yes, according to the comments.