From owner-freebsd-security@freebsd.org Wed Mar 9 16:05:14 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 492B2AC925B for ; Wed, 9 Mar 2016 16:05:14 +0000 (UTC) (envelope-from spankthespam@gmail.com) Received: from mail-vk0-x22b.google.com (mail-vk0-x22b.google.com [IPv6:2607:f8b0:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 04C9563D for ; Wed, 9 Mar 2016 16:05:14 +0000 (UTC) (envelope-from spankthespam@gmail.com) Received: by mail-vk0-x22b.google.com with SMTP id e6so61041913vkh.2 for ; Wed, 09 Mar 2016 08:05:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=FyZsCGxc14k+JxOHbbaeIiZhngK5e/hNSRAzZPpyqX8=; b=R5apct7FGwrmbsL1xUlJw1TDHVrbruRjhBX/1dQRmtrkS9jrnHgXV/vQFSS7MLN8pu 1BXWo1EFQapNwm6/hW3nNvVQYQUiFu9k8L8k2VA4b5baMv2uXK6s0WcMr68Ih/N28GCv /1TznW/YZFRmpZBv1QzonDAogzsR51f/+8hJPlIObd21Gwkjybx7tSKEdoAVCzmUQIUh WgB++0wBoMbHDbY5VzDcZQ82pLdYX+u45aGDCHdIzt8jGXFXV31bD5ssdZG9eq+TPu4K vED5N1duGJfGfU6RA8zwmcXOdxG1fgwS2jOw7/eCZy33OWoFOmEoirnOgPt5cfYZHD+9 9/xg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=FyZsCGxc14k+JxOHbbaeIiZhngK5e/hNSRAzZPpyqX8=; b=LoLdjy5CPLWOFhZYkeF9GsAiE7cujDo1bUvYIO/UfvNRXIWIzg+lQ9Hrqsdd0xdGTK KmG/mr+3uOoiHrWgjBMZHXTSM9TsP3mvOiLzf7qKyrxFhWeRsSf/aGaoWuUckqE2iJrR f0zJP8lzLA0oAUMjWHro/ECdXNAOgw2KQ6XAEI2fxtK7iMcEoXtdS/kvVW/PsbqyUzMA dPTlEh/9aCio8Wlwv3U+B2pFMLYcTMVq6MojSWPfdYrpMeQ5D5PFEYnUEVSUvREkqqCp stxnW16CB/497rqpyqvGGB+0LWopPPlQ4K+Z0lojgPebQ4dLYDoa30lCXo/SjJKlY47W wJ6Q== X-Gm-Message-State: AD7BkJLw45WqOQ/kFzkzY2l+wQXZbgIz/3TBfilvGjzucTu0C30/fJ6ZRPuGZftu92C3lHdEHNvYtFRrpRrxNQ== MIME-Version: 1.0 X-Received: by 10.31.6.130 with SMTP id 124mr26979334vkg.106.1457539513011; Wed, 09 Mar 2016 08:05:13 -0800 (PST) Received: by 10.31.133.16 with HTTP; Wed, 9 Mar 2016 08:05:12 -0800 (PST) In-Reply-To: <56E02D95.9020303@anongoth.pl> References: <56E02D95.9020303@anongoth.pl> Date: Wed, 9 Mar 2016 16:05:12 +0000 Message-ID: Subject: Re: Will 11.0-RELEASE include ASLR? From: Big Lebowski To: Piotr Kubaj Cc: freebsd-security Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.21 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Mar 2016 16:05:14 -0000 Hi Piotr, There are people who can probably answer it better, but until they do, I can share what I've heard about it: on the FreeBSD side there are few things that stop ASLR implementation: - there's no actual agreement between the influencial developers on wether ASLR is viable or needed in first place - there was no planning or discussion how to implement ALSR in FreeBSD, Shawn simply started writing the code, and some developers would like to discuss and plan things first - there are doubts expressed in the code reviews about code quality and compliance to FreeBSD standards. Some developers dedicated their time to review the code and provide feedback, there were few cycles of rewrite, review, rinse, repeat, but if you'd look into the reviews, Shawn closed them, and I understand they'd only be considered for inclusion if they'd meet the code quality standards expected As a side note, one person saying 'ASLR implementation is finished' and proper ASLR implementation that's properly tested, functional and not in fact opening other security issues are two vastly different things, that should be approached very carefully. Cheers, BL On Wed, Mar 9, 2016 at 2:05 PM, Piotr Kubaj wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Shawn Webb has recently announced that ASLR is complete on HardenedBSD. > There are patches ready for FreeBSD to use and it's ready to be shipped > in FreeBSD. However, for some reason FreeBSD developers do not want to > ship ASLR in FreeBSD. Why can't it be included at least as non-default > src.conf option and marked as experimental? > > FreeBSD is the only OS that matters that doesn't have ASLR. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > > iQIcBAEBCAAGBQJW4C2QAAoJEHpZm4Ugg5yd2MoQAMPZ+UxbpTo9YvJz6YYB8wtH > tRw3jQMUb4K6s26IO1mp/K6p+DM+HXcVvamO2cxjRKseQy/oLBGizgfR1ktBqdXQ > xuqQJc5BCSdKgTsBs0IvNQghvUQkEyvYi+wn9EY9qJh6oEguAkcAWUhl5rGN2FhM > Gwf9VDoPAR+n9Pjl6brcqyQvWczfDx9+VFpF0joeiI5PRRMF1UUsTYM/OHvtVoQA > n1f8qNppIdprjwUjWE/BX6POaDhs4ZZKJRaFmbCuYudDPpX7P1yj7CHz/xthjMYG > 325NnCJpN81fwCmcgvDFU3BYkEC9JSkBoA+5oDdRU3MALsJNQ10rz+IhAaeAsCMb > oz7Oy0Gykeic60NLuMZlhOfl79XW666T1B9wOWlkrAlBPCY6v2kz6t/oJbHHGQOf > CCBuhQJCdzdqyTnv0Bx4ZXiiecwhjvxaAPCwgppnxf2qLuBgxr9BsswMVp7wgYfM > 2sfxk0pS0RuV5M2qWN9UATOyOiO5aPsC4f+WUzUM0LC6MbuHVDJu3QaUo7F3b3Ic > KX150B3gWtsGlZZs8N9mIM3Aj/O5E496JHEf6zmlz6ssLuE6gIO8ICqpFSaXzkJC > IWzgIVdL88gK6niVg7KCOAuzVZ1sxcx7cBCtGzAhVy9RhYKqwAtN9T2YOBC75cQW > OdRGf2V3trcK664nKgEA > =lM/6 > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " >