Enable ASLR & DEP #123
Not sure if this was a coincidence: OpenVPN/openvpn-build#79 With that change OpenVPN GUI also gets ASLR/DEP, but only when built using openvpn-build, which is not the only option. So this PR also makes sense I think.
Sometimes happens ;) I was hoping the CI could check my PR, because I'm not sure "Use high entropy ASLR" will work on older mingw version, mine is
Now I see the CI check failed, should I remove the
the best would be "modify configure.ac to check whether that option is supported..." there's also "building openvpn" guide on https://community.openvpn.net/openvpn/wiki/BuildingOpenVPN-GUI if you want to add some option which is not widely supported, it should be written there
or you can make another PR to update CI settings/repo/mingw :-)
Alright, I added a test to see if the linker supports
@@ -57,7 +57,7 @@ case "$host" in | |||
*-mingw*) | |||
CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN" | |||
CPPFLAGS="${CPPFLAGS} -D_WIN32_WINNT=NTDDI_WINXP" | |||
LDFLAGS="${LDFLAGS} -Wl,--nxcompat" | |||
LDFLAGS="${LDFLAGS} -Wl,--nxcompat,--dynamicbase,--export-all-symbols" |
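Review bot: `--export-all-symbols` on the new LDFLAGS line has no comment explaining why an executable needs to export anything, and the whole flag set is appended unconditionally for every `*-mingw*` host. Please add a comment in configure.ac saying the export is only there to make `--dynamicbase` take effect, so it can be dropped once the toolchain no longer needs it, and probe the linker for `--dynamicbase` before adding it so older mingw versions still build. If an export is required at all, a single named symbol is a smaller surface than exporting everything.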
Is this hack of adding --export-all-symbols still needed in mingw? There has to be a better solution than exporting all symbols
Sadly yes, I checked in vmmap & procexp.
I also notice the shipped openssl dll doesn't enable aslr.
Another thought, why this project doesn't support building in MSVC? It supports all these security features flawlessly.
Hi,
On Wed, Jan 18, 2017 at 11:37:11AM -0800, Mike Tzou wrote:
> Another thought, why this project doesn't support building in MSVC?

We don't regularly build with MSVC because it's much too cumbersome for
automated snapshot building - and since none of the core developers use
it, we tend to commit C code that breaks MSVC due to stupid restrictions
on their side. We do try to fix this when we're told, though...

> It supports all these security features flawlessly.

It would be nice if it just supported C99 properly...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
Oops -- pressed the wrong button! We are not MSVC compliant right now -- I had spent some time with R Morris and we did get it to compile with a few tweaks except for the resource file which required a lot of edits so we ported only one language file. MS resource compiler is rather primitive in handling line continuation using "\" that we use extensively, preprocessor macros in stringtable etc. Nothing too complicated to change, but not enough motivation to do so..
I did some tests on enabling ASLR using mingw. As pointed out by @Chocobo1, using only -dynamicbase is not enough. In fact it has no effect except that the ASLR flag gets set in the executable[1]. But --export-all-symbols is not required, just exporting one symbol is enough. Until mingw/binutils fixes this for good[2], we could add a dummy global like Notes:
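One way to verify the point made in the comment above on a built binary, as an added example that is not part of this PR or the project's code: it reads the PE headers and treats ASLR as effective only when the dynamic-base flag is set and relocation data is present. The function names and the constructed sample headers are assumptions for illustration.

```python
import struct

RELOCS_STRIPPED = 0x0001   # COFF Characteristics: IMAGE_FILE_RELOCS_STRIPPED
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT = 0x0020, 0x0040, 0x0100  # DllCharacteristics

def pe_mitigations(data: bytes) -> dict:
    """Read ASLR/DEP header flags and check that the image can really be rebased."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe,) = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (file_chars,) = struct.unpack_from("<H", data, pe + 22)  # COFF Characteristics
    opt = pe + 24                                            # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)      # NumberOfRvaAndSizes
    # Data directory 5 is the base relocation table: (RVA, Size).
    reloc_size = struct.unpack_from("<II", data, dirs + 40)[1] if ndirs > 5 else 0
    has_relocs = not (file_chars & RELOCS_STRIPPED) and reloc_size > 0
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "has_relocs": has_relocs,
        # The flag alone is not enough: without relocation data the image cannot be moved.
        "aslr_effective": dynamic_base and has_relocs,
    }

def sample_pe(dll_chars: int, file_chars: int, reloc_size: int) -> bytes:
    """Constructed PE32 headers only (not a loadable program), used as demo input."""
    opt = 0x40 + 24
    img = bytearray(opt + 96 + 16 * 8)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)
    struct.pack_into("<H", img, 0x40 + 22, file_chars)
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<H", img, opt + 70, dll_chars)
    struct.pack_into("<I", img, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 40, 0x5000 if reloc_size else 0, reloc_size)
    return bytes(img)

if __name__ == "__main__":
    flag_only = sample_pe(DYNAMIC_BASE | NX_COMPAT, RELOCS_STRIPPED, 0)
    rebasable = sample_pe(DYNAMIC_BASE | NX_COMPAT, 0, 0x200)
    for name, img in (("flag only", flag_only), ("with relocations", rebasable)):
        print(name, pe_mitigations(img))
```

Running `pe_mitigations` over the bytes of a real build output in CI gives a pass/fail check that does not depend on which toolchain produced the binary.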
Workaround provided by Selva Nair.
I adopted the workaround and gave credit to you in commit msg.
I think setting this property in VS is the dumbed-down way of saying pass /dynamicbase to the linker. See item 5 in the msdn docs for /dynamicbase (https://msdn.microsoft.com/en-us/library/bb384887.aspx) EDIT: I do not use VS so just guessing..
Yes you're right.
DEP appears enabled by default for 64bit programs (tested Win7, Win10), yet the flag -nxcompat may help other platforms.
Thanks to everyone involved.
Some related infos: