Hello,
Why have the DEP and ALSR flags been omitted during the compile for msvc?
Have there been build complications or security issues behind the reasons DEP and ALSR have been disabled for the Client/Server and Service that we should also consider before enabling and using builds with DEP and ALSR enabled?
Steven
Fz Client/Server - ALSR and DEP
Moderator: Project members
Re: Fz Client/Server - ALSR and DEP
What's ALSR?
Assuming DEP means Data Execution Prevention, what's the compiler flag for MinGW to enable it?
Assuming DEP means Data Execution Prevention, what's the compiler flag for MinGW to enable it?
Re: Fz Client/Server - ALSR and DEP
DEP=Data Execution Prevention
ALSR=Address Space Layout Randomization
ASLR, which is used to randomly arrange the positions of key data areas to block hackers from predicting target addresses, is meant to make Windows Vista more resilient to virus and worm attacks.
Got that from Google.
ALSR=Address Space Layout Randomization
ASLR, which is used to randomly arrange the positions of key data areas to block hackers from predicting target addresses, is meant to make Windows Vista more resilient to virus and worm attacks.
Got that from Google.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
Re: Fz Client/Server - ALSR and DEP
ALSR randomly arranges the positions of libraries, heaps and stacks in a process's address space and also mitigates buffer overruns.
http://en.wikipedia.org/wiki/Address_sp ... domization
DEP helps prevent code execution from data heap pages, stack pages and memory pool pages and raises an exception when execution of the stack occurs. It can help block a virus or other type of attack that has injected a process or service with additional code and then tries to run the injected code, execution of the injected code causes an exception and also prevents SEH overwrites by dynamically validating a thread's exception handler chain prior to allowing exceptions to be dispatched.
http://en.wikipedia.org/wiki/Data_Execution_Prevention
I was referring to the MSVC 2003 FZService project included with the server release, It uses these compile flags:
The FZService compile flags should be:
Heres a screenshot the FZService using DEP and ALSR disabled:
ALSR was disabled for FileZilla release builds, DEP is using its default configuration of Disabled in this instance because the compiler flag was not set and hence omitted from the build.
I believed you where using MSVC not MinGW since the included projects are msvc, The problem with MinGW is that you don't get many security benefits like stack protection, NX, address space randomization, etc.
MinGW does have some support for /GS and ALSR however, /GS can be enabled by using "-fstack-protector" compiler flag and ALSR can be enabled using the "-fpie" compiler flag but it might be problematic depending on your version of gcc and it leaves out many others.
"/GS" adds stack-based buffer overrun detection. It also juggles around some of the function arguments and the function stack variable to make some classes of attack harder to pull off...When /GS is triggered, the application is terminated.
The FZService is internet facing, running under the System account and reliant on itself for preventing all types of attacks...After I saw both the service/server and client all have DEP and ALSR disabled I decided to open up the project properties and saw both had been disabled on purpose and thats why I decided to ask what problems caused them to be disabled in all releases.
I will continue updating the msvc 2003 project to msvc 2008 in my spare time but I do find it concerning both features have been disabled for every FZ source and binary public release. I would like to know if you are able to update the msvc 2003 project to include both options by default and if you have any luck with "-fstack-protector" or "-fpie".
Cheers
Steven
http://en.wikipedia.org/wiki/Address_sp ... domization
DEP helps prevent code execution from data heap pages, stack pages and memory pool pages and raises an exception when execution of the stack occurs. It can help block a virus or other type of attack that has injected a process or service with additional code and then tries to run the injected code, execution of the injected code causes an exception and also prevents SEH overwrites by dynamically validating a thread's exception handler chain prior to allowing exceptions to be dispatched.
http://en.wikipedia.org/wiki/Data_Execution_Prevention
I was referring to the MSVC 2003 FZService project included with the server release, It uses these compile flags:
Code: Select all
/OUT:".\Release/FileZilla server.exe" /INCREMENTAL:NO /NOLOGO /MANIFEST /MANIFESTFILE:".\Release\FileZilla server.exe.intermediate.manifest" /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DEBUG /PDB:".\Release/FileZilla server.pdb" /MAP:".\Release/FileZilla server.map" /SUBSYSTEM:WINDOWS /OPT:REF /OPT:ICF /OPT:NOWIN98 /DYNAMICBASE:NO /MACHINE:X86 /ERRORREPORT:PROMPT version.lib ws2_32.lib odbc32.lib odbccp32.lib zlib.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib
Heres a screenshot showing the current default release FZService project properties:/OUT:".\Release/FileZilla server.exe" /INCREMENTAL:NO /NOLOGO /MANIFEST /MANIFESTFILE:".\Release\FileZilla server.exe.intermediate.manifest" /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /DEBUG /PDB:".\Release/FileZilla server.pdb" /MAP:".\Release/FileZilla server.map" /SUBSYSTEM:WINDOWS /OPT:REF /OPT:ICF /OPT:NOWIN98 /DYNAMICBASE /NXCOMPAT /MACHINE:X86 /ERRORREPORT:PROMPT version.lib ws2_32.lib odbc32.lib odbccp32.lib zlib.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib
Heres a screenshot the FZService using DEP and ALSR disabled:
ALSR was disabled for FileZilla release builds, DEP is using its default configuration of Disabled in this instance because the compiler flag was not set and hence omitted from the build.
I believed you where using MSVC not MinGW since the included projects are msvc, The problem with MinGW is that you don't get many security benefits like stack protection, NX, address space randomization, etc.
MinGW does have some support for /GS and ALSR however, /GS can be enabled by using "-fstack-protector" compiler flag and ALSR can be enabled using the "-fpie" compiler flag but it might be problematic depending on your version of gcc and it leaves out many others.
"/GS" adds stack-based buffer overrun detection. It also juggles around some of the function arguments and the function stack variable to make some classes of attack harder to pull off...When /GS is triggered, the application is terminated.
The FZService is internet facing, running under the System account and reliant on itself for preventing all types of attacks...After I saw both the service/server and client all have DEP and ALSR disabled I decided to open up the project properties and saw both had been disabled on purpose and thats why I decided to ask what problems caused them to be disabled in all releases.
I will continue updating the msvc 2003 project to msvc 2008 in my spare time but I do find it concerning both features have been disabled for every FZ source and binary public release. I would like to know if you are able to update the msvc 2003 project to include both options by default and if you have any luck with "-fstack-protector" or "-fpie".
Cheers
Steven
Re: Fz Client/Server - ALSR and DEP
Neither /DYNAMICBASE nor /NXCOMPAT are understood by the version of Visual Studio I use.
-
- 226 Transfer OK
- Posts: 619
- Joined: 2005-11-02 06:41
Re: Fz Client/Server - ALSR and DEP
This is not a problem with FileZilla. This is a problem with GCC and MinGW. The proper thing to do is to go bug them or fix it there.
The project is open source. You are free to recompile with VS2008 with the flags you want available. You're also free to fork the project and host your own binaries if you wish. However, FZ Server is beta software that is not in active development. It currently only gets bug patches.
I appreciate the heads up, though. I hadn't known GCC's cross compiler didn't support these features.
The project is open source. You are free to recompile with VS2008 with the flags you want available. You're also free to fork the project and host your own binaries if you wish. However, FZ Server is beta software that is not in active development. It currently only gets bug patches.
I appreciate the heads up, though. I hadn't known GCC's cross compiler didn't support these features.