
OTE-01-005 WP1: Linux Binary Hardening Recommendations #618

Open

mx-psi opened this issue Jul 31, 2024 · 5 comments · Fixed by #708
Labels
area:security Security and integrity issues

Comments

@mx-psi
Member

mx-psi commented Jul 31, 2024

From the security audit:

Testing confirmed that the OpenTelemetry Collector Linux binaries do not leverage a number of compiler flags to mitigate potential memory corruption vulnerabilities, which is a common issue of all Golang-compiled binaries. As a result, the application remains unnecessarily prone to the associated risks.
Linux binaries fail to leverage the following memory corruption prevention flags:

  • Stack canaries: This defense mechanism is used to detect and prevent exploits from overwriting the return address.
  • RELRO: This leaves the GOT section writable. Without the RELRO flag, buffer overflows on a global variable can overwrite GOT entries.
  • PIE: The Position Independent Executable (PIE) flag is a security mechanism that enables Address Space Layout Randomization (ASLR), which randomizes the location where system executables are loaded into memory.

Since we do not use CGO, I think this should be as easy as adding -buildmode=pie.

Note

2024 OpenTelemetry security audit finding reference:
OTE-01-005 WP1: Linux Binary Hardening Recommendations
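The three properties the audit lists (PIE, RELRO, stack canaries) can all be read directly from the ELF headers, which is how tools such as `checksec` derive their report. The following checker is an added example written for this issue; it is not code from the audit, from the OpenTelemetry Collector project, or from the Go toolchain. It uses only the Python standard library and parses little-endian ELF64 images: PIE is inferred from `e_type == ET_DYN`, RELRO from a `PT_GNU_RELRO` segment (upgraded to "full" when the dynamic section carries `DF_BIND_NOW` or `DF_1_NOW`), and the canary check is the conventional search for the `__stack_chk_fail` symbol. The two ELF images it builds are constructed test inputs, not real Collector binaries; the `make_elf` helper and the `check_hardening` name are this example's own.

```python
import struct
import sys

# ELF constants (ELF64 ABI plus the GNU extensions)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def check_hardening(data: bytes) -> dict:
    """Report PIE, RELRO level and stack-canary presence for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, *_ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section looking for the immediate-binding flags
            off, end = p_offset, p_offset + p_filesz
            while off + DYN.size <= end:
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or \
                   (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
                off += DYN.size

    return {
        # A PIE is linked as a shared object (ET_DYN); a fixed-address binary is ET_EXEC.
        "pie": e_type == ET_DYN,
        # Partial RELRO needs PT_GNU_RELRO; full RELRO also needs BIND_NOW so the
        # GOT is fully resolved and made read-only before main() runs.
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        # Conventional symbol-based canary check (what checksec does); Go's own
        # stack-bounds checks do not use this symbol, so a CGO-free Go binary
        # reports False here even though it is not a C-style stack-smash target.
        "stack_canary": b"__stack_chk_fail" in data,
    }


def make_elf(e_type: int, relro: bool, dyn_entries=None, tail: bytes = b"") -> bytes:
    """Build a minimal ELF64 LE image (constructed test input, not a real binary)."""
    types = [PT_LOAD] + ([PT_DYNAMIC] if dyn_entries is not None else []) \
                      + ([PT_GNU_RELRO] if relro else [])
    phoff = EHDR.size
    dyn_off = phoff + PHDR.size * len(types)
    dyn_blob = b"" if dyn_entries is None else \
        b"".join(DYN.pack(t, v) for t, v in list(dyn_entries) + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LE, v1
    hdr = EHDR.pack(ident, e_type, 62, 1, 0, phoff, 0, 0,
                    EHDR.size, PHDR.size, len(types), 0, 0, 0)
    phdrs = b""
    for t in types:
        if t == PT_DYNAMIC:
            phdrs += PHDR.pack(t, 6, dyn_off, dyn_off, dyn_off,
                               len(dyn_blob), len(dyn_blob), 8)
        else:
            phdrs += PHDR.pack(t, 5, 0, 0, 0, 0, 0, 0x1000)
    return hdr + phdrs + dyn_blob + tail


# Constructed samples: one image with every mitigation present, one with none
# (the shape of a static, non-PIE, CGO-free Go build).
HARDENED = make_elf(ET_DYN, relro=True, dyn_entries=[(DT_FLAGS, DF_BIND_NOW)],
                    tail=b"\0__stack_chk_fail\0")
UNHARDENED = make_elf(ET_EXEC, relro=False)

if __name__ == "__main__":
    # Pass a real binary path to check it; with no argument, check the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_hardening(f.read()))
    else:
        print("hardened:  ", check_hardening(HARDENED))
        print("unhardened:", check_hardening(UNHARDENED))
```

Running it against a CGO-free Go build before and after adding `-buildmode=pie` should flip only the `pie` field, since a statically linked Go binary has no GOT to protect with RELRO and no `__stack_chk_fail` symbol; that is a useful sanity check that the flag actually took effect on a given platform rather than being silently ignored.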

@jackgopack4
Contributor

Seems like `-buildmode=pie` doesn't necessarily do anything if CGO is disabled.

@mx-psi
Member Author

mx-psi commented Oct 28, 2024

@jackgopack4 I believe some platforms do support it and others do not (at least that's what I get from this comment: golang/go#64875 (comment)). We could pass the option only on those platforms.

@jackgopack4
Contributor

@mx-psi you're right; the error message is exactly the same and only happens on unsupported platforms. Will add conditional logic and test again.

@mx-psi
Member Author

mx-psi commented Nov 7, 2024

I think the actual PR that fixes this is #726; reopening until we merge that one.

mx-psi reopened this Nov 7, 2024
@jackgopack4
Contributor

Apologies for the confusion.
