Date:      Sun, 30 Mar 2014 20:24:36 -0400
From:      Shawn Webb <lattera@gmail.com>
To:        Oliver Pinter <oliver.pntr@gmail.com>
Cc:        FreeBSD-current <freebsd-current@freebsd.org>
Subject:   Re: [CFT] ASLR and PIE on amd64
Message-ID:  <20140331002436.GB14025@pwnie.vrt.sourcefire.com>
In-Reply-To: <CAPjTQNFe7mrBCWNqWiJPPW7kkE9RyhEH-3XqvVkqDzb%2B-YrZkg@mail.gmail.com>
References:  <CADt0fhzxTF=CoRZSLXv3MpKJisZx1kCd48O3wqkSL-8vL3ogaA@mail.gmail.com> <CAPjTQNFe7mrBCWNqWiJPPW7kkE9RyhEH-3XqvVkqDzb%2B-YrZkg@mail.gmail.com>

On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
> On 3/22/14, Shawn Webb <lattera@gmail.com> wrote:
> > Hey All,
> >
> > First off, I hope that even as a non-committer, it's okay that I post
> > a call for testing. If not, please excuse my newbishness in this
> > process. This is my first time submitting a major patch upstream to
> > FreeBSD.
> >
> > Over the past few months, I've had the opportunity and pleasure to
> > enhance existing patches to FreeBSD that implement a common exploit
> > mitigation technology called Address Space Layout Randomization (ASLR)
> > along with support for Position Independent Executables (PIE).
> > ASLR+PIE has been a long-requested feature by many people I've met on
> > IRC.
> >
> > I've submitted my patch to PR kernel/181497. I'm currently in the
> > process of adding PIE support to certain high-visibility applications
> > in base (mainly network daemons). I've added a make.conf knob that's
> > default to enabled (WITH_PIE=1). An application has to also explicitly
> > support PIE as well by defining CAN_PIE in the Makefile prior to
> > including bsd.prog.mk. After I get a decent amount of applications
> > enabled with PIE support, I'll submit one last patch.
> >
> > The following sysctls can be set with a kernel compiled with the
> > PAX_ASLR option:
> >
> > security.pax.aslr.status: 1
> > security.pax.aslr.debug: 0
> > security.pax.aslr.mmap_len: 16
> > security.pax.aslr.stack_len: 12
> > security.pax.aslr.exec_len: 12
> >
> > The security.pax.aslr.status sysctl enables and disables the ASLR
> > system as a whole. The debug sysctl gives debugging output. The
> > mmap_len sysctl tells the ASLR system how many bits to randomize when
> > mmap() is called. The stack_len sysctl tells the ASLR system how many
> > bits to randomize in the stack. The exec_len sysctl tells the ASLR
> > system how many bits to randomize the execbase (this controls PIE).
> > These sysctls can be set on a per-jail basis. If you have an
> > application which doesn't support ASLR, yet you want ASLR enabled for
> > everything else, you can simply place that misbehaving application in
> > a jail with only that jail's ASLR settings turned off.
> >
> > Please let me know how your testing goes. I'm giving a presentation at
> > BSDCan regarding this.
> >
> > If you want to keep tabs on my bleeding-edge development process,
> > please follow my progress on GitHub:
> > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
> >
> > Thank you very much,
>
> Hi!
>
> Please apply this patch. This fixed an issue with tunables.

Patch merged successfully into my GitHub repo. Fixed with commit
d2c0813. I'll include it in my next patch submission upstream when I
submit my PIE work. Thanks!
