Comments (24)
@ro31337 I'm rebooting this conversation with the Rust folks. It's an important effect for Rust-compiled code when used by security-conscious companies on AWS, and we (the Rust team) should figure out what to do about it.
from skylight-ruby.
@danrasband thanks for the heads up! I'm not a Rust guy so I'll leave it to others on the team to give a real response :)
Actually, I'm not sure if this even has anything to do with Rust. 😕 All I know is that the native extension generated by this gem doesn't support DEP, according to AWS.
Is there more documentation from AWS on what that warning actually means? We here in Rust-land can imagine several scenarios where something could be considered "not supporting DEP", but none are unambiguously what AWS is warning about and all seem to require some non-default configuration on Skylight's end.
I'll see what I can dig up.
I think this is the most we're going to get from AWS docs:
By the way, the "Stack Cookies Enabled" section is also an issue for libskylight.so.
Yeah, those docs are about as unhelpful as possible. :P Is the tool open-source, so we can determine what it's looking for?
I've added a question on AWS's support forum:
https://forums.aws.amazon.com/message.jspa?messageID=681927#681927
Thanks!
Does this comment help at all?
https://forums.aws.amazon.com/thread.jspa?messageID=682094#jive-message-holder
Specifically, it seems like there are possibly some compile options that could help:
it's a matter of compiling and linking with the relevant options (ie. stack-protector and nxcompat)
AFAIK all Rust code should be compiled with those options by default. I'm not a Skylight employee but I doubt they'd have any reason to disable these in their build process. So what I'd like specifically is to understand what in the executable AWS is looking for, in the hopes that it's not hardcoded to detect something specific to C or C++ codegen.
I can confirm that as far as I can tell, we don't disable those options.
@danrasband @wycats I've asked around and determined today that currently Rust only uses stack cookies on Windows (support for other platforms is forthcoming). So that error isn't spurious. The DEP issue is still a mystery.
Ah, very interesting!
@danrasband For stack cookies, I believe the relevant tracking issue is rust-lang/rust#16012 . I've just left a comment to attempt to restart discussion in there, which appears to have stagnated for a while.
Let me know if this is still an issue.
@wagenet it is a compliance issue. Some organizations can't use Skylight because of automatic reports generated by tools like AWS. There is actually only one executable on multiple servers that has no DEP: the skylight library. It would be really nice to have. May I ask you to reopen the issue to show that you're interested in fixing it? (I believe it's just a Rust compiler flag that is not there, but will be added to Rust sooner or later.)
@ro31337 I understand your concern, but unfortunately, I'm not sure how to fix it. AFAICT, we aren't doing anything unusual in our build process or setting any strange flags. I'll investigate a little bit more to see if anything new comes up in my searches.
@ro31337 We need some help reproducing this issue. Can you give us some more information on the environment you're running in?
What version and distribution of Linux are you running? What version of Ruby? Are you running inside a container?
I think all you may need to do is add this to extconf.rb:
$LDFLAGS << " -Wl,-z,noexecstack"
@sfackler thanks, I'm happy to give that a try if we can get a reproduction of it.
I was able to reproduce on Arch Linux at least by just installing the skylight gem. readelf -l libskylight.so looks like this:

Elf file type is DYN (Shared object file)
Entry point 0x53880
There are 6 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000b7a254 0x0000000000b7a254  R E    0x200000
  LOAD           0x0000000000b7a258 0x0000000000d7a258 0x0000000000d7a258
                 0x0000000000040fa8 0x00000000000437a0  RW     0x200000
  DYNAMIC        0x0000000000bb3138 0x0000000000db3138 0x0000000000db3138
                 0x00000000000001e0 0x00000000000001e0  RW     0x8
  TLS            0x0000000000b7a258 0x0000000000d7a258 0x0000000000d7a258
                 0x00000000000000f0 0x00000000000000f0  R      0x8
  GNU_EH_FRAME   0x0000000000af4220 0x0000000000af4220 0x0000000000af4220
                 0x0000000000000008 0x0000000000000008  R      0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    0x8

 Section to Segment mapping:
  Segment Sections...
   00     .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02     .dynamic
   03     .tdata
   04     .eh_frame_hdr
   05

In particular, the RWE in the GNU_STACK section means that it's asking for an executable stack.
Steps to reproduce from our side:
- Create AWS EC2 instance with skylight library deployed (we use ruby, I think you can just put libskylight.so anywhere in your file system)
- Run proprietary tool Amazon Inspector against this instance with default rules.
- You should see the message (it can take some time to test your instance):
The following executable files on instance ... do not support DEP: /usr/local/rvm/gems/ruby-2.X.X@XXX/gems/skylight-1.3.0/lib/skylight/native/x86_64-linux/libskylight.so
@wycats please see above if this helps. There is no special setup required here (I'd be happy to provide more steps if you're not successful reproducing that). I think @sfackler is right. The data segment for the binary file is executable: RWE.
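A check for the GNU_STACK condition shown in the readelf output and the repro steps above, as added example code that is not from the thread or the skylight gem: it reads the ELF64 program headers directly and reports whether the library asks for an executable stack, which is what the Inspector DEP finding boils down to. The sample images are constructed in-place so it runs offline; check_file is a hypothetical helper for running the same check on a real .so.

```python
import struct
from typing import List, Optional, Tuple

# ELF constants from the ELF64 spec; PF_* are the R/W/E bits readelf prints in its Flags column.
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def gnu_stack_flags(data: bytes) -> Optional[int]:
    """p_flags of the PT_GNU_STACK program header, or None when absent (little-endian ELF64 only)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)             # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)  # entry size and count
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_is_executable(data: bytes) -> bool:
    """True when the loader will map the stack executable: GNU_STACK carries the E bit, or is missing."""
    flags = gnu_stack_flags(data)
    # On x86 Linux a missing PT_GNU_STACK header is treated as a request for an executable stack.
    return flags is None or bool(flags & PF_X)

def check_file(path: str) -> bool:
    """Run the check against a real shared object on disk, e.g. libskylight.so (hypothetical helper)."""
    with open(path, "rb") as f:
        return stack_is_executable(f.read())

def build_elf64(phdrs: List[Tuple[int, int]]) -> bytes:
    """Construct a minimal ELF64 image holding only the given (p_type, p_flags) headers (test fixture)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 8) for t, f in phdrs)
    return ehdr + body

# Constructed samples: EXECSTACK mirrors the thread's readelf output (GNU_STACK RWE),
# NOEXECSTACK is what linking with -Wl,-z,noexecstack yields (GNU_STACK RW), NO_GNU_STACK lacks the header.
EXECSTACK = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
NOEXECSTACK = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
NO_GNU_STACK = build_elf64([(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    for name, img in (("RWE", EXECSTACK), ("RW", NOEXECSTACK), ("absent", NO_GNU_STACK)):
        print(name, "->", "executable stack" if stack_is_executable(img) else "non-executable stack")
```

After relinking with the noexecstack flag from the extconf.rb suggestion, the same readelf line should read RW and this check returns False.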
@wagenet good news, we have a repro!