From: Oliver Pinter
To: David Carlier
Cc: Baptiste Daroussin, freebsd-arch@freebsd.org
Date: Wed, 15 Oct 2014 10:31:41 +0200
Subject: Re: PIE/PIC support on base

On 10/15/14, David Carlier wrote:
> In first place, we might consider the usual attack targets :
>
> /bin/(c)sh
> /sbin/sendmail
> /bin/ntp
> /sbin/dhclient
> /secure/usr.sbin/sshd .... sendmail, ntp, sshd etc ... are quite sensitive
> and popular services, hence applying PIE (+ ASLR) will prevent attacks by
> this bias.
> /sbin/casperd (hence lib/libcapsicum|libcasper with pic ...) ... as FreeBSD
> is getting more popularity, such specific FreeBSD's security components
> might become an appealing target attack.
>
> I may have other suggestions in mind (like /sbin/(jail|jexec ... etc) but
> these are the first step stones.
>
> Kind regards.

I think this list should include audit related tools too and all of
the setuid programs.

>
> On Wed, Oct 15, 2014 at 7:10 AM, Baptiste Daroussin
> wrote:
>
>> On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
>> > Hi all,
>> >
>> > HardenedBSD plans to add PIE support on base in various places.
>> >
>> > These are B. Drewery suggestions :
>> >
>> > The _pic ones are not needed. The main lib file just needs
>> > INSTALL_PIC_ARCHIVE=yes.
>> >
>> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
>> > something to pull in common logic from share/mk.
>> >
>> > Also I know that, at least for a start, it wished to be applied in some few
>> > places, like tcpdump/traceroute, sendmail ... shells ... I thought about
>> > also casper/capsicum ... ntp ... jail
>> >
>> What would probably be interesting is to list binary by binary on which one you
>> do want to add the USE_PIE, and with rationale explaining why.
>>
>> On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE. I
>> think cherry-picking what should be PIE is the right
>>
>> regards,
>> Bapt
>>
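Added example, not part of the original thread and not FreeBSD or HardenedBSD code: a small checker for the binary-by-binary review discussed above, reporting whether each ELF file named on the command line is built as PIE. The function names and the constructed sample header are assumptions made for illustration.

```python
import struct
import sys

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data: bytes) -> str:
    """Classify an ELF image as 'pie', 'non-pie', 'shared-object', 'other' or 'not-elf'."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if e_type == ET_EXEC:
        return "non-pie"                      # linked for a fixed load address
    if e_type != ET_DYN:
        return "other"                        # relocatable object, core file, ...
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # ET_DYN covers PIE executables and shared libraries alike. Heuristic:
    # a PT_INTERP segment marks a dynamically linked executable (static PIE
    # binaries have none and would be reported as 'shared-object').
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "pie"
    return "shared-object"

def audit(paths):
    """Map each path to its classification, or 'unreadable' if it cannot be opened."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = classify_elf(fh.read())
        except OSError:
            results[path] = "unreadable"
    return results

def sample_elf64(e_type, p_types):
    """Constructed little-endian ELF64 header plus program headers (sample input)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    return ident + hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

if __name__ == "__main__":
    for path, kind in audit(sys.argv[1:]).items():
        print(f"{kind:14} {path}")
```

Run it with the candidate binaries as arguments; anything reported as `non-pie` is loaded at a fixed address regardless of whether ASLR is enabled.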