-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security and DEP #51
Comments
@danrasband thanks for the heads up! I'm not a Rust guy so I'll leave it to others on the team to give a real response :) |
Actually, I'm not sure if this even has anything to do with Rust. 😕 All I know is that the native extension generated by this gem doesn't support DEP, according to AWS. |
Is there more documentation from AWS on what that warning actually means? We here in Rust-land can imagine several scenarios where something could be considered "not supporting DEP", but none are unambiguously what AWS is warning about and all seem to require some non-default configuration on Skylight's end. |
I'll see what I can dig up. |
I think this is the most we're going to get from AWS docs: By the way, the "Stack Cookies Enabled" section is also an issue for libskylight.so. |
Yeah, those docs are about as unhelpful as possible. :P Is the tool open-source, so we can determine what it's looking for? |
I've added a question on AWS's support forum: https://forums.aws.amazon.com/message.jspa?messageID=681927#681927 |
Thanks! |
Does this comment help at all? https://forums.aws.amazon.com/thread.jspa?messageID=682094#jive-message-holder Specifically, it seems like there are possibly some compile options that could help:
|
AFAIK all Rust code should be compiled with those options by default. I'm not a Skylight employee but I doubt they'd have any reason to disable these in their build process. So what I'd like specifically is to understand what in the executable AWS is looking for, in the hopes that it's not hardcoded to detect something specific to C or C++ codegen. |
I can confirm that as far as I can tell, we don't disable those options. |
@danrasband @wycats I've asked around today and determined today that currently Rust only uses stack cookies on Windows (support for other platforms is forthcoming). So that error isn't spurious. The DEP issue is still a mystery. |
Ah, very interesting! |
@danrasband For stack cookies, I believe the relevant tracking issue is rust-lang/rust#16012 . I've just left a comment to attempt to restart discussion in there, which appears to have stagnated for a while. |
Let me know if this is still an issue. |
@wagenet it is compliance issue. Some organizations can't use Skylight, because of automatic reports generated by tools like AWS. There is actually only one executable on multiple servers that has no DEP - skylight library. It would be really nice to have. May I ask you to reopen the issue to show that you're interested in fixing it? (I believe it's just Rust compiler flag that is not there, but will be added to Rust sooner or later). |
@ro31337 I understand your concern, but unfortunately, I'm not sure how to fix it. AFAICT, we aren't doing anything unusual in our build process or setting any strange flags. I'll investigate a little bit more to see if anything new comes up in my searches. |
@ro31337 I'm rebooting this conversation with the Rust folks. It's an important effect for Rust-compiled code when used by security-conscious companies on AWS, and we (the Rust team) should figure out what to do about it. |
@ro31337 We need some help reproducing this issue. Can you give us some more information on the environment you're running in? What version and distribution of Linux are you running? What version of Ruby? Are you running inside a container? |
I think all you may need to do is add this to extconf.rb: $LDFLAGS << " -Wl,-z,noexecstack" |
@sfackler thanks, I'm happy to give that a try if we can get a reproduction of it. |
I was able to reproduce on Arch Linux at least by just installing the skylight gem.
In particular, the |
Steps to reproduce from our side:
@wycats please see above if this helps. There is no any special setup required here (I'd be happy to provide more steps if you're not successful reproducing that). I think @sfackler is right. The data segment for the binary file is executable: RWE. |
@wagenet good news, we have a repro! |
We just ran an Application Security Best Practices inspection using AWS Inspector (currently in preview), on our application, and it came up with the following "High" level notice:
Apparently, DEP stands for "Data Execution Prevention" and libskylight.so doesn't support it. I'm not sure if this is a Rust issue, or a skylight issue.
I'm not too concerned about the security warning, since I'm pretty confident that a Rust library is going to be much more secure than a C library, but it would be nice to figure it out and get the security alert to go away.
The text was updated successfully, but these errors were encountered: