No DEP/ASLR or other security mitigations for GpgEX/GpgOL
Open, NormalPublic

Description

This issue is a duplicate of #2171 but I can't seem to comment on it and wanted to add some extra information.

I consider this issue to be very high priority as in this day and age loading non-DEP/ASLR aware modules into applications that
process untrusted input is a huge liability. This is particularly problematic for extension DLLs like GpgOL and probably GpgEX.
Given this is cryptographic software, security of the binaries should be of utmost importance. At a minimum, DEP & ASLR should
be enabled, but there are some additional helpful options that could be enabled for further hardening of the emitted binaries.

A summary of the major relevant compiler options per feature:

  • DEP (essential) /NXCOMPAT (on by default since VS2010)
  • ASLR (essential) /DYNAMICBASE (on by default since VS2010)
  • 64-bit ASLR (recommended) /HIGHENTROPYVA (on by default for 64-bit images but requires VS2012+)
  • Digital Signature (recommended) /INTEGRITYCHECK (off by default)

To give you an idea of how far behind GpgOL is with respect to hardening of the binary, Outlook 2016 x64 on the system I'm
writing this on has 285 modules(!) loaded into the process. Only two of those aren't marked as DEP aware (GpgOL being one),
while only one isn't marked as ASLR capable (GpgOL).

Appreciate this is open-source software and there's finite resources to address issues but I feel this should be a high-priority
candidate for whatever resources are available.

Details

werner added a subscriber: werner.

You can now. Thus is not a bug but a feature request.

Note that we do not use Microsoft compilers but use gcc and in cross build
environment.

werner lowered the priority of this task from High to Normal.May 27 2016, 9:54 AM
werner added a project: Feature Request.
werner removed a project: Bug Report.

Duplicate of T2171

GpgOL is built with DEP and and ASLR now. Need to enable this for GpgEX and some
other parts of Gpg4win, too. So not yet fully resolved but I keep it in mind.

That's awesome aheinecke! Honestly wasn't sure if this issue would ever get much
attention. Thanks for the effort in making Gpg4win a more secure product!

kai moved this task from Backlog to Done on the Duplicate board.
kai added a subscriber: emanuel.
kai removed a project: Duplicate.Apr 4 2017, 3:03 PM

GpgEX is now also compiled with ASLR + DEP. I still have to check some other binaries of Gpg4win before I close this task but I no longer see it as blocking a 3.0 release where I wanted to have this included.