From: David Carlier
To: Baptiste Daroussin
Cc: freebsd-arch@freebsd.org
Date: Wed, 15 Oct 2014 08:46:14 +0100
Subject: Re: PIE/PIC support on base

In the first place, we might consider the usual attack targets:

/bin/(c)sh
/sbin/sendmail
/bin/ntp
/sbin/dhclient
/secure/usr.sbin/sshd
....

sendmail, ntp, sshd etc ... are quite sensitive and popular services, hence
applying PIE (+ ASLR) will prevent attacks by this bias.

/sbin/casperd (hence lib/libcapsicum|libcasper with pic ...)
...

As FreeBSD is getting more popularity, such specific FreeBSD security
components might become an appealing attack target.

I may have other suggestions in mind (like /sbin/(jail|jexec ... etc) but
these are the first stepping stones.

Kind regards.

On Wed, Oct 15, 2014 at 7:10 AM, Baptiste Daroussin wrote:

> On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
> > Hi all,
> >
> > HardenedBSD plans to add PIE support on base in various places.
> >
> > These are B. Drewery's suggestions:
> >
> > The _pic ones are not needed. The main lib file just needs
> > INSTALL_PIC_ARCHIVE=yes.
> >
> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> > something to pull in common logic from share/mk.
> >
> > Also I know that, at least for a start, it wished to be applied in some
> > few places, like tcpdump/traceroute, sendmail ... shells ... I thought
> > about also casper/capsicum ... ntp ... jail
> >
> What would probably be interesting is to list binary by binary on which
> one you do want to add the USE_PIE, and with rationale explaining why.
>
> On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE. I
> think cherry-picking what should be PIE is the right
>
> regards,
> Bapt
>