From owner-freebsd-security@freebsd.org Fri Apr 17 12:58:22 2020
From: Marcin Wojtas
Date: Fri, 17 Apr 2020 14:58:06 +0200
Subject: ASLR/PIE status in FreeBSD HEAD
To: freebsd-security@freebsd.org
Cc: Rafal Jaworowski

Hi,

Together with our customers, Semihalf is interested in improving the status of security mitigations enablement in FreeBSD. To start with, based on our initial research it seems that after the 2019 enhancements the ASLR/PIE features are in a pretty much ready state.

Building the world using the 'WITH_PIE' flag produced proper binaries and the sanity checks showed no obvious degradations. Additionally, for ASLR we performed a comparison of the pax tests (https://github.com/opntr/paxtest-freebsd) for amd64/arm64 and they indicate the feature is working fine after setting the corresponding sysctl knobs. I'd be happy to present the results and discuss the details, but first I'd like to ask some more general questions:

1. Are there any hard blockers, like missing features or bugs, that prevent enabling ASLR by default in the kernel and building the base system with -DWITH_PIE?

2. In case the enablement eventually becomes approved, would it be better to do it for all archs or to focus only on selected ones?

3. IMO it may be worth benchmarking/stressing the system for stability verification and perf comparison purposes. Do you think it may be reasonable to create a kind of reference matrix (archs vs tests)? Those could be done to evaluate the current state of the OS, but also for validating each proposed feature. I also think engaging the FreeBSD CI might be a huge help in such an effort. BTW, do any particular tests / benchmarks come to your mind as useful in this case?

I'd appreciate any feedback.
Best regards,
Marcin Wojtas (mw@)

From owner-freebsd-security@freebsd.org Fri Apr 17 13:13:12 2020
From: Shawn Webb
Date: Fri, 17 Apr 2020 09:06:58 -0400
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Marcin Wojtas
Cc: freebsd-security@freebsd.org, Rafal Jaworowski

On Fri, Apr 17, 2020 at 02:58:06PM +0200, Marcin Wojtas wrote:
> Hi,
>
> Together with our customers, Semihalf is interested in improving the status
> of security mitigations enablement in FreeBSD. To start with, based on our
> initial research it seems that after 2019 enhancements the ASLR/PIE
> features are in pretty much ready state.
>
> Building the world using the 'WITH_PIE' flag produced proper binaries and
> the sanity showed no obvious degradations. Additionally, for the ASLR we
> performed a comparison of the pax tests (
> https://github.com/opntr/paxtest-freebsd) for amd64/arm64 and they indicate
> the feature is working fine after setting the according sysctl knobs. I'd
> be happy to present the results and discuss the details, but firstly I'd
> like to ask more general questions:

Quick note: paxtest's algorithms for measuring ASLR were meant to test ASLR, not FreeBSD's ASR implementation. Thus, paxtest results for FreeBSD's ASR are moot.

Link to the relevant discussion, as pointed out by the dude who coined the term ASLR: https://reviews.freebsd.org/D5603#120017

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
From owner-freebsd-security@freebsd.org Fri Apr 17 13:52:11 2020
From: Ed Maste
Date: Fri, 17 Apr 2020 09:51:56 -0400
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Marcin Wojtas
Cc: freebsd-security@freebsd.org, Rafal Jaworowski

On Fri, 17 Apr 2020 at 08:58, Marcin Wojtas wrote:
>
> Hi,
>
> Together with our customers, Semihalf is interested in improving the status
> of security mitigations enablement in FreeBSD.

Happy to hear that there's interest in this work!

> 1. Are there any hard blockers, like missing features or bugs, that prevent
> enabling ASLR by default in the kernel and building the base system with
> -DWITH_PIE?

I believe there are no showstopper issues but there are some prerequisites. One is that there are some applications that may misbehave with randomization enabled. They would need to be identified and tagged (with the elfctl tool now in the base system).

> 2. In case the enablement becomes eventually approved, will it be better to
> do it for all archs or focus only on the selected ones?

There's a general and increasing preference for avoiding different defaults per architecture. One issue though is that some options may have much larger performance impacts on certain architectures - e.g. position independent executables (PIE) on i386.

> 3. IMO it may be worth to benchmark/stress the system for the stability
> verification and perf comparison purpose. Do you think it may be reasonable
> to create a kind of reference matrix (archs vs tests)? Those could be done
> to evaluate the current state of the OS, but also for validating each
> proposed feature. I also think engaging the FreeBSD CI might be a huge help
> in such an effort. BTW, any particular tests / benchmarks come to your mind
> as useful in this case?

Yes, benchmarking and testing are very important tasks on the path to enabling these by default. I agree with the CI comment; we should start with CI build + kyua runs with the options turned on, in advance of changing the default.

I would be interested in seeing macro-level benchmarking with mitigations on/off - for example, I assume Firefox must have a performance test suite that they use for tracking their own performance changes during development, and we could use benchmarks like that to see the impact of mitigations. Coming up with a full set of appropriate benchmarks will be a useful endeavour.
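Marcin's WITH_PIE build and Ed's point about tagging misbehaving applications with elfctl both come down to facts recorded in the ELF file itself: whether the executable is ET_DYN with a PT_INTERP segment (a PIE, which the kernel can load at a random base) or ET_EXEC (a fixed-address image that ASLR cannot relocate), and whether a FreeBSD feature-control note opts the binary out of randomization. The following is an added example of mine, not code from this thread or from FreeBSD, that reads those fields directly so a freshly built tree can be audited without depending on host tools. The note type and flag-bit values are my recollection of FreeBSD's sys/sys/elf_common.h and are marked as assumptions in the code; the sample image is constructed inline for testing and is not a runnable program.

```python
"""Classify ELF files as PIE / fixed-address and read the FreeBSD
feature-control note written by elfctl(1).  Added example, not FreeBSD code."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_NOTE = 2, 3, 4
# ASSUMPTION: values as I recall them from FreeBSD's sys/sys/elf_common.h;
# verify against your source tree before relying on the feature names.
NT_FREEBSD_FEATURE_CTL = 4
FCTL_FLAGS = {0x1: "noaslr", 0x2: "noprotmax", 0x4: "nostackgap", 0x8: "wxneeded"}


def parse_elf(data):
    """Return (e_type, endian, [(p_type, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    e_type, = struct.unpack_from(endian + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        fmt, idx = endian + "IIQQQQQQ", (0, 2, 5)   # p_type, p_offset, p_filesz
    else:
        e_phoff, = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        fmt, idx = endian + "IIIIIIII", (0, 1, 4)   # p_type, p_offset, p_filesz
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        phdrs.append(tuple(fields[j] for j in idx))
    return e_type, endian, phdrs


def feature_ctl_flags(data, endian, phdrs):
    """Return the NT_FREEBSD_FEATURE_CTL flag word, or None if the file is untagged."""
    for p_type, off, size in phdrs:
        if p_type != PT_NOTE:
            continue
        end = off + size
        while off + 12 <= end:
            namesz, descsz, n_type = struct.unpack_from(endian + "III", data, off)
            name_off = off + 12
            desc_off = name_off + ((namesz + 3) & ~3)      # name is padded to 4 bytes
            name = data[name_off:name_off + namesz].rstrip(b"\0")
            if name == b"FreeBSD" and n_type == NT_FREEBSD_FEATURE_CTL and descsz >= 4:
                return struct.unpack_from(endian + "I", data, desc_off)[0]
            off = desc_off + ((descsz + 3) & ~3)
    return None


def classify(data):
    """Summarise how the kernel will treat this image under ASLR."""
    e_type, endian, phdrs = parse_elf(data)
    types = {p[0] for p in phdrs}
    if e_type == ET_EXEC:
        kind = "fixed-address executable (not PIE)"
    elif e_type == ET_DYN and PT_INTERP in types:
        kind = "PIE executable"
    elif e_type == ET_DYN and PT_DYNAMIC in types:
        kind = "shared object or static PIE"   # static PIE has no PT_INTERP
    else:
        kind = "other"
    flags = feature_ctl_flags(data, endian, phdrs)
    features = [n for bit, n in FCTL_FLAGS.items() if flags is not None and flags & bit]
    return {"kind": kind, "fctl": flags, "features": features}


def build_sample(e_type, with_interp, fctl=None):
    """Construct a minimal ELF64 LE image for testing (not a runnable program)."""
    interp = b"/libexec/ld-elf.so.1\0"
    note = b""
    if fctl is not None:
        name = b"FreeBSD\0"
        note = struct.pack("<III", len(name), 4, NT_FREEBSD_FEATURE_CTL) + name + struct.pack("<I", fctl)
    segs = ([(PT_INTERP, interp)] if with_interp else []) + ([(PT_NOTE, note)] if note else []) + [(PT_DYNAMIC, b"")]
    phoff, phentsize = 64, 56
    cur = phoff + phentsize * len(segs)
    phdrs, body = b"", b""
    for p_type, payload in segs:
        phdrs += struct.pack("<IIQQQQQQ", p_type, 4, cur, 0, 0, len(payload), len(payload), 1)
        body += payload
        cur += len(payload)
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + b"\0" * 8    # ELF64, LE, version 1, OSABI FreeBSD
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, phoff, 0, 0,
                       64, phentsize, len(segs), 0, 0, 0)
    return ehdr + phdrs + body


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("constructed sample:", classify(build_sample(ET_DYN, True, 0x1)))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify(f.read()))
```

Pointing it at /bin and /usr/local/bin of a tree built with WITH_PIE gives one line per file; anything still reported as a fixed-address executable was not built PIE, and the `features` list shows which binaries have already been opted out of ASLR, which is the persistent alternative to wrapping a daemon in proccontrol at start-up. Cross-check the note decoding against elfctl(1) on a FreeBSD host before trusting the feature names.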
From owner-freebsd-security@freebsd.org Fri Apr 17 14:04:15 2020
From: Ed Maste
Date: Fri, 17 Apr 2020 10:04:01 -0400
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: Shawn Webb
Cc: Marcin Wojtas, freebsd-security@freebsd.org, Rafal Jaworowski

On Fri, 17 Apr 2020 at 09:13, Shawn Webb wrote:
>
> Quick note: paxtest's algorithms for measuring ASLR was meant to test
> ASLR, not FreeBSD's ASR implementation. Thus, paxtest results for
> FreeBSD's ASR are moot.

paxtest's entropy estimate is superficial, and indeed can produce a more or less invalid result depending on the distribution of allocated objects. There are a number of other tools which perform a more rigorous or comprehensive analysis. paxtest is useful in providing a basic indication of whether various things are randomized or not.
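Ed's remark that paxtest's estimate is superficial and depends on the distribution of the sampled addresses is easy to see by running two estimators over the same samples. The added example below is my own illustration, not code from paxtest or from this thread; it assumes that the naive estimator counts bit positions that ever change between samples (my understanding of how paxtest-style "N bits" figures arise) and sets it beside the empirical Shannon entropy of the observed addresses. Both sample sets are constructed in the code.

```python
"""Two estimators of ASLR entropy over sampled addresses (added example)."""
import math
import random
from collections import Counter

ADDR_MASK = (1 << 64) - 1


def varying_bits(samples):
    """Naive estimator (assumed paxtest-style): count bit positions that are
    observed as both 0 and 1 somewhere in the sample set.  It says nothing
    about how those bits co-vary or how often each value actually occurs."""
    seen_one = 0
    seen_zero = 0
    for addr in samples:
        seen_one |= addr
        seen_zero |= (~addr) & ADDR_MASK
    return bin(seen_one & seen_zero).count("1")


def shannon_bits(samples):
    """Empirical Shannon entropy of the observed addresses, in bits.
    It is bounded above by log2(len(samples)), so it under-reports when the
    true entropy is large relative to the number of samples taken."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def compare(samples):
    """Return both estimates side by side for one sample set."""
    return {"naive_bits": varying_bits(samples),
            "shannon_bits": round(shannon_bits(samples), 3)}


BASE = 0x0000_0008_0000_0000   # constructed base of a mapped region


def good_samples(n=4096, seed=1234):
    """Constructed: 8 genuinely random page-offset bits (bits 12..19)."""
    rng = random.Random(seed)
    return [BASE | (rng.getrandbits(8) << 12) for _ in range(n)]


def skewed_samples(n=4096):
    """Constructed: only two bases ever occur, but they differ in 20 bits."""
    alt = BASE ^ (0xFFFFF << 12)
    return [BASE if i % 2 == 0 else alt for i in range(n)]


if __name__ == "__main__":
    for name, s in (("good", good_samples()), ("skewed", skewed_samples())):
        print(name, compare(s))
```

The skewed set is the failure mode Ed describes: a placement scheme that alternates between just two bases scores "20 bits" by the naive count while offering one bit of unpredictability, so a bit-counting figure alone cannot tell the two apart from a healthy 8-bit randomizer. The empirical Shannon figure has its own ceiling of log2 of the sample count, which is why judging real mappings takes far more runs than paxtest performs, or the more rigorous tools mentioned above.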
From owner-freebsd-security@freebsd.org Sat Apr 18 00:14:01 2020
From: Dewayne Geraghty
Date: Sat, 18 Apr 2020 10:12:32 +1000
Subject: Re: ASLR/PIE status in FreeBSD HEAD
To: freebsd-security@freebsd.org

I'm on a similar ride. We run applications in both i386 and amd64 jails with FreeBSD's ASLR enabled (sendmail, squid, apache, ...) and all good. On the build server, the i386 jail with aslr enabled wasn't able to build gcc9; so this was disabled (kern.elf32.*).

ntp was the only real application that didn't play nicely with aslr. Fortunately, this was very helpful:
/usr/bin/proccontrol -m aslr -s disable /usr/local/sbin/ntpd...

And yes we started with HardenedBSD which was very successful in late 2018, and contains many good ideas. As some applications on the

On 17/04/2020 10:58 pm, Marcin Wojtas wrote:
> Hi,
>
> Together with our customers, Semihalf is interested in improving the status
> of security mitigations enablement in FreeBSD. To start with, based on our
> initial research it seems that after 2019 enhancements the ASLR/PIE
> features are in pretty much ready state.
>
> Building the world using the 'WITH_PIE' flag produced proper binaries and
> the sanity showed no obvious degradations. Additionally, for the ASLR we
> performed a comparison of the pax tests (
> https://github.com/opntr/paxtest-freebsd) for amd64/arm64 and they indicate
> the feature is working fine after setting the according sysctl knobs. I'd
> be happy to present the results and discuss the details, but firstly I'd
> like to ask more general questions:
>
> 1. Are there any hard blockers, like missing features or bugs, that prevent
> enabling ASLR by default in the kernel and building the base system with
> -DWITH_PIE?
>
> 2. In case the enablement becomes eventually approved, will it be better to
> do it for all archs or focus only on the selected ones?
>
> 3. IMO it may be worth to benchmark/stress the system for the stability
> verification and perf comparison purpose. Do you think it may be reasonable
> to create a kind of reference matrix (archs vs tests)? Those could be done
> to evaluate the current state of the OS, but also for validating each
> proposed feature. I also think engaging the FreeBSD CI might be a huge help
> in such an effort. BTW, any particular tests / benchmarks come to your mind
> as useful in this case?
>
> I'd appreciate any feedback.
>
> Best regards,
> Marcin Wojtas (mw@)