From owner-freebsd-arch@freebsd.org Thu Mar 10 15:51:27 2016 Return-Path: Delivered-To: freebsd-arch@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2F438ACAAA7 for ; Thu, 10 Mar 2016 15:51:27 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 14AF4FF8 for ; Thu, 10 Mar 2016 15:51:27 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: by mailman.ysv.freebsd.org (Postfix) id 139EDACAAA5; Thu, 10 Mar 2016 15:51:27 +0000 (UTC) Delivered-To: arch@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EDD5BACAAA3 for ; Thu, 10 Mar 2016 15:51:26 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 992A7FF5 for ; Thu, 10 Mar 2016 15:51:26 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from tom.home (kostik@localhost [127.0.0.1]) by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id u2AFpL2F004924 (version=TLSv1 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Thu, 10 Mar 2016 17:51:21 +0200 (EET) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua u2AFpL2F004924 Received: (from kostik@localhost) by tom.home (8.15.2/8.15.2/Submit) id u2AFpLBk004923 for arch@freebsd.org; Thu, 10 Mar 2016 17:51:21 +0200 (EET) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Thu, 10 Mar 2016 17:51:21 +0200 From: Konstantin Belousov To: arch@freebsd.org Subject: Call for testing - ASLR patch Message-ID: <20160310155121.GA1741@kib.kiev.ua> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 15:51:27 -0000 I have a small and straightforward yet feature-packed patch to implement ASLR for FreeBSD available for broader testing. The patch can be fetched from https://www.kib.kiev.ua/kib/aslr/aslr.5.patch . With this change, randomization is applied to all non-fixed mappings. By randomization I mean the base address for the mapping is selected with a guaranteed amount of entropy (bits). If the mapping was requested to be superpage aligned, the randomization honours the superpage attributes. The randomization is done on a best-effort basis - that is, the allocator falls back to a first fit strategy if fragmentation prevents entropy injection. It is trivial to implement a strong mode where failure to guarantee the requested amount of entropy results in mapping request failure, but I do not consider that to be usable. I have not fine-tuned the amount of entropy injected right now. It is only a quantitive change that will not change the implementation. The current amount is controlled by aslr_pages_rnd. To not spoil coalescing optimizations, to reduce the page table fragmentation inherent to ASLR, and to keep the transient superpage promotion for the malloced memory, the locality is implemented for anonymous private mappings, which are automatically grouped until fragmentation kicks in. The initial location for the anon group range is, of course, randomized. The default mode keeps the sbrk area unpopulated by other mappings, but this can be turned off, which gives much more breathing bits on the small AS architectures (funny that 32bits is considered small). This is tied with the question of following an application's hint about the mmap(2) base address. Testing shows that ignoring the hint does not affect the function of common applications, but I would expect more demanding code could break. By default sbrk is preserved and mmap hints are satisfied, which can be changed by using the kern.elf{32,64}.aslr_care_sbrk sysctl. Stack gap, W^X, shared page randomization, KASLR and other techniques are explicitely out of scope of this work. The paxtest results for the run with the patch applied and aggresively tuned can be seen at the https://www.kib.kiev.ua/kib/aslr/paxtest.log . For comparision, the run on Fedora 23 on the same machine is at https://www.kib.kiev.ua/kib/aslr/fedora.log . ASLR is enabled on per-ABI basis, and currently it is only enabled on native i386 and amd64 (including compat 32bit) ABIs. I expect to test and enable ASLR for armv6 and arm64 as well, later. The procctl(2) control for ASLR is implemented, by I have not provided a userspace wrapper around the syscall. In fact, the most reasonable control needed is per-image and not per-process, but we have no tradition to put the kernel-read attributes into the extattrs of binary, so I am still pondering that part and this also explains the non-written tool. Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD project for pursuing ASLR for FreeBSD. Although this work is not based on theirs, it was inspired by their efforts. Thanks to Ed Maste, Robert Watson, John Baldwin, and Alan Cox for some discussions about the patch, and for The FreeBSD Foundation for directing me.