From owner-freebsd-security@freebsd.org Mon May 25 15:24:27 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D4E0C3299C7 for ; Mon, 25 May 2020 15:24:27 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-io1-f68.google.com (mail-io1-f68.google.com [209.85.166.68]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49W1966Z19z40c6 for ; Mon, 25 May 2020 15:24:26 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: by mail-io1-f68.google.com with SMTP id f3so18960737ioj.1 for ; Mon, 25 May 2020 08:24:26 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bgbhekkMs6R4Sic5Qh+L/qj3ZDYUlzkzDVyKgqGGqHc=; b=mXtDbFW3zmIYPuxuHoIKv88XxzXHCwGFQhQY2qa9T2uk3XCfHpqQtAe2W8uRXMfQP9 3u2l2ItA482Q3x371aizJpIeNYjZKC5TK4UvZkKob1nI06ta3xLOXwdgLtt6R3siOYYy Gq+mCIftD6k7eE4JG8vy5vwpeKE1OXegVvSiBTsUllLL1i+Aq0+JHV+H1HyBzlN6mzr5 +BmoMIU34UInELGKp32pjyD/l8HNQTpLcret2sKqBBCzXOi6Kwufs1FQdnRODdpCdfG4 F9dpo/PogibfkreAmxApJRrNfmx7XYuGo6a24Y/bxmsBtnyHVVYPMdJcmzX4OGDJKaOG bvUQ== X-Gm-Message-State: AOAM530bV4TYz5XDLlKTibxKR0WJ8zU3Pmh2PNpKHCIbL4Hikl8aU1nO sjunj75j/qfK2+LWhwf/11j6cOnSQnEbKAJcrdp+Jf/0w+c= X-Google-Smtp-Source: ABdhPJxNqRPpZYfOkbLLjVy6E83mhhFRhQvsvIHPfTpZT0PR1jesXd8KnGLYgxPHIqYd7QX6KQSvYAF9bkakVlMD7N0= X-Received: by 2002:a05:6638:a47:: with SMTP id 7mr19343398jap.12.1590420265582; Mon, 25 May 2020 08:24:25 -0700 (PDT) MIME-Version: 1.0 References: <151792368.1257575.1589959200761.JavaMail.zimbra@stormshield.eu> In-Reply-To: <151792368.1257575.1589959200761.JavaMail.zimbra@stormshield.eu> From: Ed Maste Date: Mon, 25 May 2020 11:24:13 -0400 Message-ID: Subject: Re: ASLR/PIE status in FreeBSD HEAD To: Damien DEVILLE Cc: Marcin Wojtas , freebsd-security@freebsd.org, Rafal Jaworowski Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 49W1966Z19z40c6 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.166.68 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com X-Spamd-Result: default: False [-2.07 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.002]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; NEURAL_HAM_LONG(-0.99)[-0.991]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[freebsd.org]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-0.08)[-0.078]; RCVD_IN_DNSWL_NONE(0.00)[209.85.166.68:from]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.166.68:from]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 May 2020 15:24:27 -0000 On Wed, 20 May 2020 at 03:20, Damien DEVILLE wrote: > > Hi everyone, > > This a very good news. Thanks to Semihalf to their commitment on this subject. > At Stormshield as a security vendor using FreeBSD we are highly interested in all subjects that enhance the security level of FreeBSD. > What is your target in term of timing ? Are there any plans to work on other hardening subjects (like for example improving W^X) ? Do you have any roadmap in terms of features and deadlines ? My goal is that we can test & enable these features in advance of FreeBSD 13.0 (although there's no published timeline for 13 yet). We can aim for iterating over each of the settings over the rest of this year. Basic W^X for mmap and mprotect at the system call interface is trivial - I put a(n untested) patch up at https://reviews.freebsd.org/D24933 as an illustration. There's a TODO in the description before this could be committable - adding procctl(2), proccontrol(1), and ELF tagging support. > We would be interested to take part to live discussions as a vendor if some are planned. Sounds good. This will make a good topic in lieu of BSDCan developer summit sessions. Interested folks please email me off-list and fill in the poll of suitable times at http://whenisgood.net/qbmg72a