From: Marcin Wojtas
Date: Fri, 17 Apr 2020 14:58:06 +0200
Subject: ASLR/PIE status in FreeBSD HEAD
To: freebsd-security@freebsd.org
Cc: Rafal Jaworowski
Hi,

Together with our customers, Semihalf is interested in improving the status of security mitigations enablement in FreeBSD. To start with, based on our initial research it seems that after the 2019 enhancements the ASLR/PIE features are in a pretty much ready state. Building the world using the 'WITH_PIE' flag produced proper binaries and the sanity checks showed no obvious degradations. Additionally, for ASLR we performed a comparison of the pax tests (https://github.com/opntr/paxtest-freebsd) for amd64/arm64 and they indicate the feature is working fine after setting the corresponding sysctl knobs.

I'd be happy to present the results and discuss the details, but firstly I'd like to ask more general questions:

1. Are there any hard blockers, like missing features or bugs, that prevent enabling ASLR by default in the kernel and building the base system with -DWITH_PIE?

2. In case the enablement eventually gets approved, will it be better to do it for all archs or to focus only on selected ones?

3. IMO it may be worth benchmarking/stressing the system for stability verification and performance comparison purposes. Do you think it may be reasonable to create a kind of reference matrix (archs vs tests)? Those could be done to evaluate the current state of the OS, but also for validating each proposed feature. I also think engaging the FreeBSD CI might be a huge help in such an effort. BTW, do any particular tests / benchmarks come to your mind as useful in this case?

I'd appreciate any feedback.

Best regards,
Marcin Wojtas (mw@)
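The mail reports two checks without showing them: that a WITH_PIE build produces "proper" (position-independent) binaries, and that ASLR actually randomizes the address space once the sysctl knobs are set. The C program below is an added illustration of both, written for this page; it is not part of the mail and not taken from paxtest-freebsd. It classifies an ELF file as ET_EXEC (fixed load address) or ET_DYN (what a PIE build produces) by reading the first 18 bytes of its header, and it prints where its own text, stack, heap and libc mappings landed so that two consecutive runs can be compared. The sysctl names kern.elf64.aslr.enable and kern.elf64.aslr.pie_enable and the proccontrol(1) invocation in the usage note come from my own knowledge of FreeBSD HEAD around that time, not from the message, and the sample headers embedded in the code are constructed for the self-check.

```c
/* Added illustration for the checks discussed in the mail; not part of the
 * original message or of paxtest-freebsd. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum elf_kind { ELF_NOT_ELF = -1, ELF_OTHER = 0, ELF_EXEC = 2, ELF_DYN = 3 };

/* Classify an ELF image from its first 18 bytes: e_ident[16] followed by
 * the 16-bit e_type, whose byte order is given by e_ident[EI_DATA] (index 5).
 * ET_EXEC (2) is a fixed-address executable; ET_DYN (3) is what a PIE build
 * (WITH_PIE) produces, and is also what shared objects use. */
int elf_kind_from_header(const unsigned char *hdr, size_t len)
{
    if (len < 18 || memcmp(hdr, "\x7f" "ELF", 4) != 0)
        return ELF_NOT_ELF;
    unsigned e_type = (hdr[5] == 2)                    /* ELFDATA2MSB */
        ? (((unsigned)hdr[16] << 8) | hdr[17])
        : (hdr[16] | ((unsigned)hdr[17] << 8));        /* ELFDATA2LSB */
    if (e_type == 2) return ELF_EXEC;
    if (e_type == 3) return ELF_DYN;
    return ELF_OTHER;
}

/* Same check on a file on disk, e.g. a binary from a WITH_PIE buildworld. */
int elf_kind_of_file(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return ELF_NOT_ELF;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_kind_from_header(hdr, n);
}

/* Constructed 18-byte headers for the self-check; they are not real files.
 * Byte 7 is ELFOSABI_FREEBSD (9); the last two bytes are e_type. */
const unsigned char SAMPLE_PIE_HDR[18]     = {0x7f,'E','L','F',2,1,1,9,0,0,0,0,0,0,0,0, 3,0};
const unsigned char SAMPLE_EXEC_HDR[18]    = {0x7f,'E','L','F',2,1,1,9,0,0,0,0,0,0,0,0, 2,0};
const unsigned char SAMPLE_BE_EXEC_HDR[18] = {0x7f,'E','L','F',2,2,1,9,0,0,0,0,0,0,0,0, 0,2};
const unsigned char SAMPLE_NOT_ELF[18]     = {'#','!','/','b','i','n','/','s','h','\n'};

/* Where the main regions of this process landed. With ASLR active these
 * values differ between runs; with it off they repeat. */
struct layout {
    uintptr_t text;   /* a function in the main executable (moves only for PIE) */
    uintptr_t stack;  /* a local variable */
    uintptr_t heap;   /* a malloc()ed block */
    uintptr_t libc;   /* a libc function, i.e. the shared-library mapping */
};

int sample_layout(struct layout *out)
{
    volatile int local = 0;
    void *h = malloc(64);
    if (h == NULL)
        return -1;
    out->text  = (uintptr_t)&sample_layout;
    out->stack = (uintptr_t)&local;
    out->heap  = (uintptr_t)h;
    out->libc  = (uintptr_t)printf;
    free(h);
    return 0;
}

/* Self-check helper: every region was sampled and all four are distinct. */
int layout_regions_distinct(void)
{
    struct layout l;
    if (sample_layout(&l) != 0)
        return 0;
    uintptr_t a[4] = { l.text, l.stack, l.heap, l.libc };
    for (int i = 0; i < 4; i++) {
        if (a[i] == 0)
            return 0;
        for (int j = i + 1; j < 4; j++)
            if (a[i] == a[j])
                return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    struct layout l;
    if (sample_layout(&l) != 0)
        return 1;
    printf("text  %#lx\nstack %#lx\nheap  %#lx\nlibc  %#lx\n",
           (unsigned long)l.text, (unsigned long)l.stack,
           (unsigned long)l.heap, (unsigned long)l.libc);
    for (int i = 1; i < argc; i++) {   /* classify any binaries named on the command line */
        int k = elf_kind_of_file(argv[i]);
        printf("%s: %s\n", argv[i],
               k == ELF_DYN  ? "ET_DYN (PIE executable or shared object)" :
               k == ELF_EXEC ? "ET_EXEC (fixed load address, not PIE)" :
               k == ELF_NOT_ELF ? "not an ELF file" : "other ELF type");
    }
    return 0;
}
```

On a FreeBSD host, build it as a PIE with `cc -fPIE -pie -o aslr_check aslr_check.c`, then run `./aslr_check ./aslr_check` twice: the second line of output should report ET_DYN, and with `kern.elf64.aslr.enable` and `kern.elf64.aslr.pie_enable` set to 1 all four addresses should change between runs (stack and heap move with plain ASLR; text moves only for a PIE). Running the same binary under `proccontrol -m aslr -s disable ./aslr_check` gives the A/B baseline with randomization turned off for that one process, which is a quick way to confirm the knobs took effect before investing in the full paxtest comparison. These command names are mine, not the mail's.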