From owner-freebsd-security@freebsd.org Mon May 4 15:12:06 2020
From: Ed Maste
Date: Mon, 4 May 2020 11:11:50 -0400
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Brooks Davis
Cc: Marcin Wojtas, freebsd-security@freebsd.org, Rafal Jaworowski
In-Reply-To: <20200423153835.GF42225@spindle.one-eyed-alien.net>

On Thu, 23 Apr 2020 at 11:38, Brooks Davis wrote:
>
> > I was thinking if it is possible to come up with such wide test
> > coverage to test every single application from the base system. Do you
> > think it is achievable or should we rather follow the approach to do
> > as many tests as possible, but rely on the community feedback to catch
> > the corner cases (like the ntpd issue mentioned in this thread)?
> > What about the ports?
>
> If we gate on full testing we'll never move forward. We had a GSoC
> project a few years ago to try to generate lame tests for each program,
> if someone picked that up, we could get better coverage fairly
> quickly, but it would still be far from complete.

Indeed, having a basic smoke test for as much of the base system as
possible is a good initial step. I suspect it won't take very long to
have confidence in turning on options for the base system, but ports
will be a much longer process.

For ports I think the first thing that needs to happen is to have some
infrastructure in ports itself to allow individual ports to indicate
(via elfctl) that they are not compatible with certain options; with
that in place it should be trivial to start marking individual ports.
From owner-freebsd-security@freebsd.org Mon May 4 15:15:21 2020
From: Ed Maste
Date: Mon, 4 May 2020 11:15:05 -0400
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org

On Wed, 22 Apr 2020 at 02:10, Dewayne Geraghty wrote:
>
> Thank you for the pointer to elfctl. Unfortunately it looks like I need
> to create the section in the image file, due to my: (for example)
>
> # elfctl -l /usr/bin/ztest
> Known features are:
> aslr        Disable ASLR
> protmax     Disable implicit PROT_MAX
> stackgap    Disable stack gap
> elfctl: NT_FREEBSD_FEATURE_CTL note not found
>
> on
> FreeBSD 12.1-STABLE #0 r359973M: Thu Apr 16 amd64 1201513 1201513

Ah, yes - r340701 needs to be MFC'd to stable/12 to make this work there.

From owner-freebsd-security@freebsd.org Mon May 4 15:24:11 2020
From: Ed Maste
Date: Mon, 4 May 2020 11:23:53 -0400
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Marcin Wojtas
Cc: freebsd-security@freebsd.org, Rafal Jaworowski

On Mon, 20 Apr 2020 at 10:22, Marcin Wojtas wrote:
>
> Indeed I thought of kyua and measuring buildworld execution time for
> stressing the DUT and having the first comparison numbers for the low
> price.
>
> Do you think it is possible to get help here, i.e. is there a FreeBSD
> devops team, maintaining the Jenkins CI whose spare cycles could be
> used for this purpose? Or is this a field requiring external help from
> interested parties?

There aren't a lot of spare cycles to go around, but putting
automation in place so that tests like this can easily be performed is
certainly something that's in the Jenkins team's domain.

> Yes, making use of something actively maintained would be great. Do
> you see a need for IO stressing/benchmarking for the discussed cases?

In the fullness of time I think it's important, but my opinion is that
it's really functional tests that we need, for enabling features in
-CURRENT; we can work on benchmarking before and after changing a
default.
From owner-freebsd-security@freebsd.org Mon May 4 23:39:10 2020
From: Dewayne Geraghty
Date: Tue, 5 May 2020 09:38:44 +1000
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Ed Maste, Brooks Davis
Cc: freebsd-security@freebsd.org, Marcin Wojtas, Rafal Jaworowski
Message-ID: <9ad00dc0-b9d5-525a-9d5d-b65dac60f0d4@heuristicsystems.com.au>
References: <20200423153835.GF42225@spindle.one-eyed-alien.net>

It would be palatable to have a "secure.mk" under /usr/ports/Mk/Uses
that enables pie, relro, now, noexecstack and elfctl features. Then
port users can enable/disable their (elfctl) default features as they wish.
I look forward to removing long lists of category/ports from my make.conf
that make these adjustments at the moment.

All of my internet facing services use the above settings (sans elfctl).
We also have a production system that uses these applications with aslr
and stackgap=1 under i386 successfully. :)

I'd also throw cfo into the mix, but small steps grasshopper...

To Ed, I like the notion of elfctl because it allows me to set once and
forget about how the executable should run, so setting a default at
buildtime is a good idea. (I had to think about this for a while as I
prefer the explicitness of proccontrol, however elfctl is akin to chmod
in that it's a control that isn't set every time a program is run.)
I suppose proccontrol will override elfctl settings?

Regards, Dewayne

PS The elfctl manpage's History states that elfctl first appeared in
FBSD 13, I'm using 12.1 Stable ;)

On 5/05/2020 1:11 am, Ed Maste wrote:
> On Thu, 23 Apr 2020 at 11:38, Brooks Davis wrote:
>>
>>> I was thinking if it is possible to come up with such wide test
>>> coverage to test every single application from the base system. Do you
>>> think it is achievable or should we rather follow the approach to do
>>> as many tests as possible, but rely on the community feedback to catch
>>> the corner cases (like the ntpd issue mentioned in this thread)?
>>> What about the ports?
>>
>> If we gate on full testing we'll never move forward. We had a GSoC
>> project a few years ago to try to generate lame tests for each program,
>> if someone picked that up, we could get better coverage fairly
>> quickly, but it would still be far from complete.
>
> Indeed, having a basic smoke test for as much of the base system as
> possible is a good initial step. I suspect it won't take very long to
> have confidence in turning on options for the base system, but ports
> will be a much longer process.
>
> For ports I think the first thing that needs to happen is to have some
> infrastructure in ports itself to allow individual ports to indicate
> (via elfctl) that they are not compatible with certain options; with
> that in place it should be trivial to start marking individual ports.
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Tue May 5 10:04:04 2020
From: Marcin Wojtas
Date: Tue, 5 May 2020 12:03:52 +0200
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Ed Maste
Cc: freebsd-security@freebsd.org, Rafal Jaworowski

On Mon, 4 May 2020 at 17:24, Ed Maste wrote:
>
> On Mon, 20 Apr 2020 at 10:22, Marcin Wojtas wrote:
> >
> > Indeed I thought of kyua and measuring buildworld execution time for
> > stressing the DUT and having the first comparison numbers for the low
> > price.
> >
> > Do you think it is possible to get help here, i.e. is there a FreeBSD
> > devops team, maintaining the Jenkins CI whose spare cycles could be
> > used for this purpose? Or is this a field requiring external help from
> > interested parties?
>
> There aren't a lot of spare cycles to go around, but putting
> automation in place so that tests like this can easily be performed is
> certainly something that's in the Jenkins team's domain.

Of course the available bandwidth is a limitation, but IMO we should
start with defining the requirements so that eventually it could be
added to the backlog.

> > Yes, making use of something actively maintained would be great. Do
> > you see a need for IO stressing/benchmarking for the discussed cases?
>
> In the fullness of time I think it's important, but my opinion is that
> it's really functional tests that we need, for enabling features in
> -CURRENT; we can work on benchmarking before and after changing a
> default.

Understood. Since there seem to be no blockers / major objections at
this point, how do you suggest we proceed with the topic? How about
having a live discussion with interested parties, so that we can
establish at least a rough plan allowing us to achieve the enablement
of this (and possibly other) feature in a foreseeable perspective?

Best regards,
Marcin

From owner-freebsd-security@freebsd.org Tue May 5 23:59:34 2020
From: Ed Maste
Date: Tue, 5 May 2020 19:59:19 -0400
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Dewayne Geraghty
Cc: Brooks Davis, freebsd-security@freebsd.org, Marcin Wojtas, Rafal Jaworowski
In-Reply-To: <9ad00dc0-b9d5-525a-9d5d-b65dac60f0d4@heuristicsystems.com.au>

On Mon, 4 May 2020 at 19:39, Dewayne Geraghty wrote:
>
> It would be palatable to have a "secure.mk" under /usr/ports/Mk/Uses
> that enables pie, relro, now, noexecstack and elfctl features. Then
> port users can enable/disable their (elfctl) default features as they wish.

The general intent for elfctl isn't to have a lot of knobs to worry
about, either user- or developer-facing, and they'll generally be
opt-outs. Ports with known incompatibilities will be tagged at build
time (regardless of whether mitigations are enabled), and mitigations
should be able to be turned on system-wide.

We should be able to address non-executable stack in a similar way -
virtually all ports should have a RW GNU_STACK segment indicating that
the stack is not executable, so a ports build stage could check for
that and produce an error if not, with some sort of override for any
exceptional cases. We definitely want some global infrastructure for
pie, relro, and bind_now.
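The two per-binary checks this thread keeps returning to, as an added example that is not part of the thread and not FreeBSD's own elfctl code: a Python script that decodes the NT_FREEBSD_FEATURE_CTL note (the note elfctl -l reports as missing on Dewayne's 12.1-STABLE binary, because r340701 had not yet been merged there) and inspects the PT_GNU_STACK program header flags that Ed proposes gating ports builds on ("RW GNU_STACK, else error"). The note owner name, type number and the aslr/protmax/stackgap bit values are taken from FreeBSD's sys/sys/elf_common.h (NT_FREEBSD_FCTL_*); build_elf() fabricates a minimal ELF64 image and is a constructed test input, not a real binary. Only little-endian ELF64 is handled. On a FreeBSD host, elfctl -l and readelf -l / readelf -n remain the authoritative tools; this is for the case where you want to audit a package set from a box that has neither.

```python
"""Inspect FreeBSD feature-control notes and GNU_STACK flags in ELF64 files."""
import struct
import sys
from typing import Iterator, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
PT_NOTE = 4
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

# Feature-control note: owner "FreeBSD", type 4, desc = one uint32 of
# "disable this mitigation" bits (NT_FREEBSD_FCTL_* in sys/sys/elf_common.h).
# Later releases define further bits; unknown bits are simply ignored here.
NT_FREEBSD_FEATURE_CTL = 4
FCTL_BITS = {0x1: "aslr", 0x2: "protmax", 0x4: "stackgap"}

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes


def program_headers(data: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (p_type, p_flags, p_offset, p_filesz) for every program header."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, phoff + i * phentsize)
        yield p_type, p_flags, p_offset, p_filesz


def _align4(n: int) -> int:
    return (n + 3) & ~3


def feature_ctl_word(data: bytes) -> Optional[int]:
    """Flag word of the FreeBSD feature-control note, or None when no such
    note exists (elfctl's 'NT_FREEBSD_FEATURE_CTL note not found')."""
    for p_type, _, off, size in program_headers(data):
        if p_type != PT_NOTE:
            continue
        pos, end = off, off + size
        while pos + 12 <= end:  # Elf_Note header: namesz, descsz, type
            namesz, descsz, n_type = struct.unpack_from("<III", data, pos)
            name = data[pos + 12:pos + 12 + namesz].rstrip(b"\0")
            desc_off = pos + 12 + _align4(namesz)
            if name == b"FreeBSD" and n_type == NT_FREEBSD_FEATURE_CTL and descsz >= 4:
                return struct.unpack_from("<I", data, desc_off)[0]
            pos = desc_off + _align4(descsz)
    return None


def disabled_features(data: bytes) -> Optional[list]:
    """Mitigations the binary opts out of, named as `elfctl -l` names them;
    None if the note is missing, [] if it is present with nothing disabled."""
    word = feature_ctl_word(data)
    if word is None:
        return None
    return [name for bit, name in FCTL_BITS.items() if word & bit]


def gnu_stack(data: bytes) -> str:
    """'rw' = non-executable stack, 'rwx' = PF_X set, 'missing' = no PT_GNU_STACK."""
    for p_type, flags, _, _ in program_headers(data):
        if p_type == PT_GNU_STACK:
            return "rwx" if flags & PF_X else "rw"
    return "missing"


def nx_stack_ok(data: bytes) -> bool:
    """The proposed ports build-stage gate: pass only with an RW GNU_STACK header."""
    return gnu_stack(data) == "rw"


def build_elf(fctl: Optional[int] = None, stack_flags: Optional[int] = None) -> bytes:
    """Constructed test input: a minimal ELF64 image holding only program
    headers plus, if fctl is given, a FreeBSD feature-control note."""
    nph = (fctl is not None) + (stack_flags is not None)
    note_off = EHDR.size + nph * PHDR.size
    note, phdrs = b"", []
    if fctl is not None:
        name = b"FreeBSD\0"
        note = struct.pack("<III", len(name), 4, NT_FREEBSD_FEATURE_CTL) + name
        note += struct.pack("<I", fctl)
        phdrs.append(PHDR.pack(PT_NOTE, PF_R, note_off, 0, 0, len(note), len(note), 4))
    if stack_flags is not None:
        phdrs.append(PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0,   # ET_EXEC, EM_X86_64
                     EHDR.size, PHDR.size, nph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + note


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, "disabled:", disabled_features(blob), "stack:", gnu_stack(blob))
```

Run it as `python3 elfcheck.py /usr/local/bin/*` (hypothetical file name) and look for two things: `disabled: None`, which is the same condition elfctl reports as "note not found" and means the binary carries no opt-out note at all (not that everything is enabled), and `stack: rwx` or `stack: missing`, which is what the proposed ports check would turn into a build error unless the port carries an explicit override.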