#325 closed Bug / Defect (fixed)
Windows: Lacking ASLR and DEP support
Reported by: | Ghamela | Owned by: | Samuli Seppänen |
---|---|---|---|
Priority: | major | Milestone: | release 2.4 |
Component: | Building / Compiling | Version: | OpenVPN git master branch (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | windows volunteer |
Cc: | steffan@… |
Description
All exe's and dll's from OpenVPN Windows client 2.3.2 64 bit lack ASLR and DEP support, I haven't checked other versions.
Change History (16)
comment:1 Changed 11 years ago by
comment:2 Changed 11 years ago by
Component: | Generic / unclassified → Building / Compiling |
---|---|
Milestone: | → release 2.4 |
Owner: | set to Samuli Seppänen |
Status: | new → assigned |
Version: | 2.3.2 → git master branch |
There is no ASLR/DEP support in the Windows binaries yet. It seems that mingw_w64 does have the support, so adding it should be fairly straightforward. I will look into this before the 2.4 release (which is still some months away).
comment:3 Changed 10 years ago by
Keywords: | windows added |
---|---|
Summary: | Lacking ASLR and DEP support → Windows: Lacking ASLR and DEP support |
comment:4 Changed 10 years ago by
It seems that this ticket should be split into two, one for aslr and one for dep.
Anecdotal evidence suggests that the aslr support in mingw_w64 is a bit buggy, but this has not been verified. As for dep there is a strong chance that openvpn will require some modifications to work with it enabled.
comment:5 Changed 10 years ago by
Some useful links:
- https://developer.pidgin.im/ticket/15290
- http://stackoverflow.com/questions/24283918/how-can-i-enable-aslr-dep-and-safeseh-on-an-exe-in-codeblocks-using-mingw
- http://security.stackexchange.com/questions/24444/what-is-the-most-hardened-set-of-options-for-gcc-compiling-c-c
- http://stackoverflow.com/questions/9398046/useful-gcc-flags-to-improve-security-of-your-programs
- https://trac.torproject.org/projects/tor/ticket/10065
comment:6 Changed 10 years ago by
Keywords: | volunteer added |
---|
My plate is full enough even without this task. If somebody knows mingw_w64 / cross-compiling well, we could definitely use some help with creating a proof of concept.
comment:7 Changed 10 years ago by
Owner: | Samuli Seppänen deleted |
---|
comment:8 Changed 9 years ago by
Owner: | set to Samuli Seppänen |
---|---|
Status: | assigned → accepted |
Steffan knew the incantations for enabling ASLR/DEP:
Just for reference: those are supported by mingw/gcc too: -fstack-protector for canaries, -Wl,--nxcompat for DEP, -Wl,--dynamicbase for ASLR.
I will try these and see what happens.
comment:9 Changed 8 years ago by
Cc: | steffan@… added |
---|
Where should the flags be added exactly? By aping this pull request I tried modifying generic/build in openvpn-build:
if [ -n "${BUILD_FOR_WINDOWS}" ]; then CONFIGOPTS=" \ ${CONFIGOPTS} \ --sbindir=/bin \ " export LDFLAGS="$LDFLAGS -Wl,--dynamicbase -Wl,--nxcompat" export PKG_CONFIG="true" fi
This did change did not seem to have the desired effect. Is this basically the correct approach? Or should the linker flags be added to OpenVPN's Makefile?
comment:10 Changed 8 years ago by
I have CFLAGS="${CFLAGS} -Wl,--dynamicbase,--nxcompat"
in my build wrappers. That seems to work.
comment:12 Changed 8 years ago by
And finally here is a test installer with ASLR/DEP support. It was a trivial change:
--- a/generic/build.vars +++ b/generic/build.vars @@ -41,4 +41,6 @@ EXTRA_OPENSSL_CONFIG="${EXTRA_OPENSSL_CONFIG:--static-libgcc}" # uncomment if op #EXTRA_PKCS11_HELPER_CONFIG #EXTRA_OPENVPN_CONFIG +EXTRA_TARGET_CFLAGS="-Wl,--dynamicbase,--nxcompat" +
comment:13 Changed 8 years ago by
According to PEStudio all the executables and libraries bundled in the above installer have ASLR and DEP enabled. The official 2.4.0-I601 installer lack those features, so the build flags actually seem to work.
comment:15 Changed 4 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
Since /79 is merged to openvpn-build, it seems this one can be closed, no?
Update: In addition to the files in Program Files\OpenVPN, neither do the files including the TAP driver in Program Files\TAP-Windows