From owner-freebsd-arch@FreeBSD.ORG Thu Jul 24 13:52:05 2014 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8E47ABE9; Thu, 24 Jul 2014 13:52:05 +0000 (UTC) Received: from mail-qg0-x235.google.com (mail-qg0-x235.google.com [IPv6:2607:f8b0:400d:c04::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 111D52248; Thu, 24 Jul 2014 13:52:04 +0000 (UTC) Received: by mail-qg0-f53.google.com with SMTP id q107so3287855qgd.12 for ; Thu, 24 Jul 2014 06:52:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=+SWXkQhjhHOAnFj/8i2Ybw8I2B9FpiFRf4zv9yzC3Ac=; b=UnEO++cDQT765oYCL+oqS6EsG5zqTr2zYDczRsEb/4KzM7zud3a2CLiAExCp02rfJo 0LUL9MDmc0BMM+oiauo3U6NDzX9s1e+hN7eCUmg7DjFRFNEjMAyrxI8pB1PVP2A1+sRl GVmESSbk2GULOarkaa5d+JDG2+Ghmofu5MK9sz371c73GVCJZhBG7h9ZE483hlJF0qud Mk5Ok7fAm0khNhYLtcgKamS8OJOBtSNWGsOalO7YMqhbkDgjF9uU4GJpMiaiAaC+FV6+ eIu+d0p1GnyOhIh9Frw3ZXD+OYUIbC1rcTddgMA3mUFb4DLGfQsmOHGvunGoiqwBh2H4 K5bw== X-Received: by 10.224.134.201 with SMTP id k9mr15475750qat.59.1406209923994; Thu, 24 Jul 2014 06:52:03 -0700 (PDT) Received: from pwnie.vrt.sourcefire.com (moist.vrt.sourcefire.com. [198.148.79.134]) by mx.google.com with ESMTPSA id b6sm8923789qak.42.2014.07.24.06.52.02 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 24 Jul 2014 06:52:02 -0700 (PDT) Date: Thu, 24 Jul 2014 09:52:00 -0400 From: Shawn Webb To: Robert Watson Subject: Re: [RFC] ASLR Whitepaper and Candidate Final Patch Message-ID: <20140724135200.GR29618@pwnie.vrt.sourcefire.com> References: <96C72773-3239-427E-A90B-D05FF0F5B782@freebsd.org> <20140720201858.GB29618@pwnie.vrt.sourcefire.com> <20140723004543.GH29618@pwnie.vrt.sourcefire.com> <796EDB88-3768-48AA-B909-8A7FFBED0C1E@kientzle.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="CPn8Wy5ME997YUMW" Content-Disposition: inline In-Reply-To: X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: Mutt/1.5.23 (2014-03-12) Cc: Tim Kientzle , Bryan Drewery , Pedro Giffuni , freebsd-arch@freebsd.org, PaX Team , Oliver Pinter X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jul 2014 13:52:05 -0000 --CPn8Wy5ME997YUMW Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Jul 24, 2014 10:43 AM +0100, Robert Watson wrote: > On Wed, 23 Jul 2014, Tim Kientzle wrote: >=20 > >>> I'll take a look at ElectricFence this weekend. Additionally, I have = a=20 > >>> netbook somewhere. Once I find it and its power cord, I'll install=20 > >>> FreeBSD/x86 and re-run the same tests on that. > >> > >> Somewhat related to ElectricFence? will ASLR have an adverse effect on= =20 > >> debuggers? > >> > >> I googled around and got to this: > >> > >> http://www.outflux.net/blog/archives/2010/07/03/gdb-turns-off-aslr/ > >> > >> So I guess we may have to patch gdb (and lldb)? > > > > I suspect the issue here is that debugging often requires multiple runs= of a=20 > > program with repeatable behavior between runs. > > > > Consider: > > > > * I run the program under GDB, it crashes at a certain PC address > > > > * I restart the program, set a breakpoint at that PC address > > > > I want to be confident that the PC address where I?m setting the breakp= oint=20 > > will have the same meaning between runs. >=20 > Non-determism in debugging is a big issue with=20 > diversification/randomisation-based mitigation techniques. There are a n= umber=20 > of aspects to the problem, but the most clear implication is that it shou= ld be=20 > possible to create deterministic and reproducible debugging environments = in=20 > the local development context. This means, I think, being able to create= a=20 > hierarchy of processes in which the randomisation features are by policy= =20 > turned off. The contexts in which that property is set are interesting -= - do=20 > you want a "no randomisation subshell" in which every program you run has= ASLR=20 > turned off? Or do you just want gdb to turn it off? What if, this time= =20 > around, you want gdb to have it turned on? And how do you deal with=20 > setuid/setgid/transitioning binaries -- we don't want a regular user to s= ay=20 > "turn off ASLR for this process subtree" and have it prevent ASLR from=20 > protecting a setuid binary from the user. Great points. I agree completely. This is why I've added two facilities for toggling ASLR. I modified mac_bsdextended(4)/ugidfw(8) to provide toggling ASLR on a per-binary basis. I also made the sysctl tunables settable per-jail. This allows one to place the executable in question in a jail where ASLR is turned off just for that jail. I came across this on Tuesday of this week when doing ClamAV development. Since I do all my development in a jail, I came across a bug in ClamAV and I needed deterministic behavior, so I turned off ASLR just for that jail and was able to find the cause of the bug and fix it. >=20 > I think the natural conclusion is that you need multiple means to disable= ASLR=20 > that operate at different granularities, and that have different control= =20 > mechanisms. Off-hand, I see a few: >=20 > (1) A global enable/disable flag that sets the default policy. We have that via the sysctl security.pax.aslr.status, which is settable at boot-time via /boot/loader.conf or at runtime if the kernel has been compiled with PAX_SYSCTLS option. >=20 > (2) A new inherited process property, or perhaps credential property, ena= bling > ASLR. This can be changed to 'disabled' using a system call -- perh= aps > prctl() or similar. If we hit a transitioning binary (e.g., setuid)= then > in the same way that we manipulate other properties, we'd reset to t= he > global default. It would be easy to imagine this being CR_ASLR on t= he > cr_flags field of the credential. This could be set in various ways= by > userspace applications -- by gdb, as a login-shell property, perhaps= via > 'su' or something simular? This is interesting. I didn't think of using the prctl facility. I'll look into that. >=20 > (3) As suggested by Kostik, an ELF note on binaries indicating that the b= inary > is not ASLR-compatible, which would override (I guess) the global po= licy > flag and process/credential flag. We could then set this with > NO_ASLR=3Dtrue in Makefiles, during package creation, etc. I really don't like ELF flags. It's really heavy-handed. It can trip file-based IDSs (the hash of the file changes when you change an ELF flag). It requires that the user, sysadmin, or team of sysadmins keep a database of binaries for which the ELF flag needs to be changed when the binary gets updated or replaced (think: freebsd-update, pkgng/ports). This is why I went with mac_bsdextended(4)/ugidfw(8). In the end, the user is still maintaining a database (via ugidfw(8) rules). But the user doesn't need to go back and modify anything if that binary were to ever be modified. With that said, we are planning on also adding FS extended attribute support as well. Though I'm unsure if extended attributes work over network-mounted filesystems like NFS. >=20 > (4) It sounds like a jail-scope policy would also be useful -- I guess th= is > might actually be the same as (1) in the sense that (1) could be > represented in terms of a jail-scope policy. We have already implemented this as per-jail sysctl tunables. >=20 > I'm not opposed to MAC policy modules being able to manipulate ASLR behav= iour,=20 > but I think I'd prefer that the core policy controls (e.g., the above) be= =20 > MAC-independent. Part of the reason is that you may want ASLR on very lo= w-end=20 > systems where the additional cost of MAC interposition is more measurable. How much overhead does mac_bsdextended(4) have? I'm assuming a small ruleset pertaining to ASLR. >=20 > How does this interact with features like the Linuxulator? Do we also wa= nt=20 > ABI emulations to be able to disable ASLR as ABIs might not support it [w= ell]? Oliver has done testing on the linuxulator and has found it to be stable. He can share more info about this. Thanks, Shawn --CPn8Wy5ME997YUMW Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJT0Q9/AAoJEGqEZY9SRW7uwNQP/ieOC7enFVBkD0V5LgXn3Txi xF2MZQM3JMPIpwv6+J7fhnKezt2YSC2lrpuqWBNwD3XOTXXV0aAA9JwsB5bjTLYo /4H+2db28XhYA48oNZ3LVODDHiF4gEc3xOh026j/wqvtvsSYavbS9c9ete5CvWqn Y2cFhUSMeVwNprqanRZ07yCdPCYPbgdU3loNwgEYVJYhXyozapq3U7+Y4fQJrYDd 8O8v0LfODkJeTVYdE2qJFAnYd3UEm6gEKHLnP1dJfxzBQ0FUXmJqly+zOsC8rljE ibxaZQjceBtKSlSKsoftymN1hN/FmDEH+ldSL3CKRnJ+NMgKQpiL71r8E3cON4R3 XUpivGUbAQ7kS57IXTXjjJI/ikyawDUacBctSzfFNaFth6RfB7c0bcCj7mlr22pA ig7uOr8qsjVuXZovBphGkcu2BLNKs1C7MO7nmZjDQ47VnrkzE7TERzN0tMxOdT4Z ZcX1y/Z5NN/FjxYs4xXAKVQz+frl866GcTTVo44ex24LH21uwREgRYpU3mxFSHJi a8SHmHvnxwRP+Md2qXpeA7QL1h274Lytdnshytv89nrvZ2AJQOd7I2GE0LTcjQEc Fp9L9IXKv6dXxMn/M4iw5ZK+y9x2MNMSQP3oAQehK7NJUZ8ZxcDeHzfAs4cwLvH0 4vB84c7u71GUWPFqBs88 =+6yX -----END PGP SIGNATURE----- --CPn8Wy5ME997YUMW--