Page MenuHome GnuPG
Create Task
Maniphest T2366

No DEP/ASLR or other security mitigations for GpgEX/GpgOL
Open, NormalPublic
Actions

Description

This issue is a duplicate of #2171 but I can't seem to comment on it and wanted to add some extra information.

I consider this issue to be very high priority as in this day and age loading non-DEP/ASLR aware modules into applications that
process untrusted input is a huge liability. This is particularly problematic for extension DLLs like GpgOL and probably GpgEX.
Given this is cryptographic software, security of the binaries should be of utmost importance. At a minimum, DEP & ASLR should
be enabled, but there are some additional helpful options that could be enabled for further hardening of the emitted binaries.

A summary of the major relevant compiler options per feature:

  • DEP (essential) /NXCOMPAT (on by default since VS2010)
  • ASLR (essential) /DYNAMICBASE (on by default since VS2010)
  • 64-bit ASLR (recommended) /HIGHENTROPYVA (on by default for 64-bit images but requires VS2012+)
  • Digital Signature (recommended) /INTEGRITYCHECK (off by default)

To give you an idea of how far behind GpgOL is with respect to hardening of the binary, Outlook 2016 x64 on the system I'm
writing this on has 285 modules(!) loaded into the process. Only two of those aren't marked as DEP aware (GpgOL being one),
while only one isn't marked as ASLR capable (GpgOL).

Appreciate this is open-source software and there's finite resources to address issues but I feel this should be a high-priority
candidate for whatever resources are available.

Details

Version
2.3.1

Revisions and Commits

rX GpgEX
rX8c3c8dbd7b5c Use c++ hardening flags

Related Objects

Event Timeline

sdl_nexiom.net set Version to 2.3.1.May 23 2016, 4:48 AM
sdl_nexiom.net added projects: Windows 32, Windows, gpg4win, gpgol, Windows 64, Bug Report.
sdl_nexiom.net added a subscriber: sdl_nexiom.net.
werner added a project: Duplicate.May 27 2016, 9:54 AM
werner added a subscriber: werner.

You can now. Thus is not a bug but a feature request.

Note that we do not use Microsoft compilers but use gcc and in cross build
environment.

werner lowered the priority of this task from High to Normal.May 27 2016, 9:54 AM
werner added a project: Feature Request.
werner removed a project: Bug Report.

Duplicate of T2171

aheinecke added a subscriber: aheinecke.Oct 28 2016, 10:57 AM

GpgOL is built with DEP and and ASLR now. Need to enable this for GpgEX and some
other parts of Gpg4win, too. So not yet fully resolved but I keep it in mind.

aheinecke claimed this task.Oct 28 2016, 10:57 AM
sdl_nexiom.net added a comment.Oct 31 2016, 2:18 AM

That's awesome aheinecke! Honestly wasn't sure if this issue would ever get much
attention. Thanks for the effort in making Gpg4win a more secure product!

kai merged a task: T2171: ASLR and DEP not enable in EXE and DLL's.Apr 4 2017, 2:52 PM
kai moved this task from Backlog to Done on the Duplicate board.
kai added a subscriber: emanuel.
kai removed a project: Duplicate.Apr 4 2017, 3:03 PM
aheinecke added a parent task: T3103: Release Gpg4win 3.0 stable.Apr 24 2017, 5:45 PM
aheinecke added a comment.May 14 2017, 1:49 PM

GpgEX is now also compiled with ASLR + DEP. I still have to check some other binaries of Gpg4win before I close this task but I no longer see it as blocking a 3.0 release where I wanted to have this included.

aheinecke removed a parent task: T3103: Release Gpg4win 3.0 stable.May 14 2017, 1:49 PM
aheinecke added a commit: rX8c3c8dbd7b5c: Use c++ hardening flags.May 14 2017, 7:27 PM