From: Warren Block
Date: Tue, 14 Jul 2015 17:15:41 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r46975 - head/en_US.ISO8859-1/htdocs/news/status

Author: wblock
Date: Tue Jul 14 17:15:40 2015
New Revision: 46975
URL: https://svnweb.freebsd.org/changeset/doc/46975

Log:
  Add Shawn Webb's ASLR report.

Modified:
  head/en_US.ISO8859-1/htdocs/news/status/report-2015-04-2015-06.xml

Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2015-04-2015-06.xml
==============================================================================
--- head/en_US.ISO8859-1/htdocs/news/status/report-2015-04-2015-06.xml Tue Jul 14 16:18:23 2015 (r46974)
+++ head/en_US.ISO8859-1/htdocs/news/status/report-2015-04-2015-06.xml Tue Jul 14 17:15:40 2015 (r46975)
@@ -1356,4 +1356,119 @@ + + + Address Space Layout Randomization (ASLR) + + + + + Shawn + Webb + + shawn.webb@hardenedbsd.org + + + + + Oliver + Pinter + + oliver.pinter@hardenedbsd.org + + + + HardenedBSD + core@hardenedbsd.org + + + + + HardenedBSD + True Stack Randomization + Announcing ASLR Completion + Call for Donations + SoldierX + + + +

HardenedBSD is a downstream distribution of &os; aimed at + implementing exploit mitigation and security technologies. + The HardenedBSD development team has focused on several key + features, one being Address Space Layout Randomization (ASLR). + ASLR is a computer security technique that aids in mitigating + low-level vulnerabilities such as buffer overflows. ASLR + randomizes the memory layout of running applications to + prevent an attacker from knowing where a given vulnerability + lies in memory.

+ +

This last quarter, the HardenedBSD team has finalized the + core implementation of ASLR. We implemented true stack + randomization along with a random stack gap. This change + allows us to apply 42 bits of entropy to the stack, the + highest of any operating system. We bumped the + hardening.pax.aslr.stack_len sysctl(8) to 42 + by default on amd64.

+ +

We also now randomize the Virtual Dynamic Shared Object + (VDSO). The VDSO is one or more pages of memory shared + between the kernel and the userland. On amd64, it contains + the signal trampoline and timing code + (gettimeofday(4), for example).

+ +

With these two changes, the ASLR implementation is now + complete. There are still tasks to work on, however. We need + to update our documentation and enhance a few pieces of code. + Our ASLR implementation is in use in production by HardenedBSD + and is performing robustly.

+ +

Additionally, we are currently running a fundraiser to help + us establish a not-for-profit organization and for hardware + updates. We have received a lot of help from the community + and we greatly appreciate the help. We need further help + to take the project to the next level. We look forward to + working with the &os; project in providing excellent + security.

+ + + + SoldierX + + + + +

Update the aslr(4) manpage and the wiki + page.

+
+ + +

Improve the Shared Object load order feature with Michael + Zandi's improvements.

+
+ + +

Re-port the ASLR work to vanilla &os;. Include the + custom work requested by &os; developers.

+
+ + +

Close the existing review on Phabricator.

+
+ + +

Open multiple smaller reviews for pieces of the ASLR + patch that can be split out logically.

+
+ + +

Perform a special backport to HardenedBSD 10-STABLE for + OPNSense to pull in.

+
+ + +

golang segfaults in HardenedBSD. Help would be + nice in debugging.

+
+
+
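
Review bot: In the VDSO paragraph, gettimeofday(4) cites the wrong manual section; gettimeofday is a system call, so the reference should read gettimeofday(2). In the stack randomization paragraph, "the highest of any operating system" is stated without a source; either cite the comparison or limit the sentence to the 42 bits that the hardening.pax.aslr.stack_len default supports. In the introduction, ASLR is said to prevent an attacker from knowing "where a given vulnerability lies in memory"; what gets randomized is the location of the code and data an exploit relies on, and wording it that way would be more accurate. The last open item ("golang segfaults in HardenedBSD") gives no pointer to a bug report or affected version, so a link to the tracking issue would make the request for help actionable.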