From owner-freebsd-security@freebsd.org Sat Apr 18 00:14:01 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id EBC952B07AB for ; Sat, 18 Apr 2020 00:14:01 +0000 (UTC) (envelope-from dewayne@heuristicsystems.com.au) Received: from hermes.heuristicsystems.com.au (hermes.heuristicsystems.com.au [203.41.22.115]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2560 bits) client-digest SHA256) (Client CN "hermes.heuristicsystems.com.au", Issuer "Heuristic Systems Type 4 Host CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 493tjf5Qnwz42pm for ; Sat, 18 Apr 2020 00:13:58 +0000 (UTC) (envelope-from dewayne@heuristicsystems.com.au) Received: from [10.0.5.3] (noddy.hs [10.0.5.3]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.15.2/8.15.2) with ESMTPSA id 03I0Cbvk067154 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT) for ; Sat, 18 Apr 2020 10:12:38 +1000 (AEST) (envelope-from dewayne@heuristicsystems.com.au) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=heuristicsystems.com.au; s=hsa; t=1587168758; x=1587773559; bh=sZR2cUAhE0TUI/WERGUrLvkSmUoInN6eFFYEWiMdR44=; h=Subject:To:From:Message-ID:Date; b=ACZWAMI0pdlcYAkFjVE0rYMcltE4r45KoXcuuFLAvI0XIoha+4BEDyy6I8xFKD0q0 DvX4W2w63dj+jl54n8rK2uCq7R6FNJwqDH4bynaaILKvvPgjaPBMzlrgjIySedQuQi RSElRvEJWFzSimOBa/rJrfE6fm+BSpjRrQH+JdjSzK8qaumglhXaT X-Authentication-Warning: b3.hs: Host noddy.hs [10.0.5.3] claimed to be [10.0.5.3] Subject: Re: ASLR/PIE status in FreeBSD HEAD To: freebsd-security@freebsd.org References: From: Dewayne Geraghty Autocrypt: addr=dewayne@heuristicsystems.com.au; prefer-encrypt=mutual; keydata= mQFNBFbOsVMBCgDfvi2PspSwoMEtFhF+aFLQKtzSA9f0dhDqthKHESdfbqxvKzhkBjvTJ5Na EgjKoKfoQTh5xuIv3HLhtDo5PeasPgQl9cPJeriqmqlS+UhY5BGYcMc1AO/TX0fsDaQz96ko at3RUW7sff/qPgVzSurk+DV5h866gPdn5Jdjohyl2F1rzRl6dnaAIyg49zlwZOnPHJGKye+B meqUCnPRglhkpNqXR3v1ulbWpfwhdNDvWT82qTG/qsFy/agjJvxwLuEBeoGc1dPWasO8Nztt 0dqf1Lpeg6SX2yJd76WVS4znt88OEbx/QL2PTJ/YtSepS68WaeKuARKPukkU+QXDep0gaLPl /TvU5xAZndNB3rYnpmoLb32pDHlrJbZUVyTMqc3J2EYM6aaizCpg4VEvVpVSqUT4D9MuREhu PeZ3SvEazQARAQABiQF3BB8BCAAhBQJWzrFTFwyAAWHe5yZt8RJL0vaU1MfDto5dBmeFAgcA AAoJEJVk7a1LmFrdy2QJ/AysDdFIMCRiaqEellprZQyEz5I/qZJEi6yRfXH813hhISFz6moh urZYLQ9SRdyMntT8W3Oc4pJc9fF9RSnY0SSQY/arZbrvsv6hKb1KtIK7P5mLS914J9buxEcJ SWeVuOuMA9aCNqg5uMu19pH5pXayORfbv+K7vFPiyllZ64ShUWZJL69vAc/TsbvMrGtG1M4P qyWCOKEiUT93zhVGQoA0aUYjMAZoyvozZCuieo4O8hkPgMz9lka+3bqQBSOB+qO4Iz+CZs0k Lw7Soga6bRqLK86DH99WjTA6Oj1r8Won+j4V9fnTDCVJoSyqdVHLySDv/lHaNu4Ia4AO4i2d shmLw03gOUvoWLJx5X01A5Zio4FvecnpZqQ0Wz5Ph9MiK3lwarfjonTOLeNGd5BpdnHu5VRC fJml7uAYeyKsD8C4tEBEZXdheW5lIEdlcmFnaHR5IDxkZXdheW5lLmdlcmFnaHR5QGNvbnNj aXVtaW50ZXJuYXRpb25hbC5jb20uYXU+iQGXBBMBCABBAhshCwsKDQkIDAcLAwIECBUKCQgL AwIBBRYDAgEAAh4BAheAFiEEC8bIxjMx+sDl4ZCClWTtrUuYWt0FAl5UUOgACgkQlWTtrUuY Wt3xZAn/W/mq5nDhLIfqxVM9GbU8rGzNsGLfnt5NCVcWlBKhgxOOw9EWkcRTMymwX9OMqwxI +te6Gvy7rG53T2xprtsQyqESZmjWcUSEPsQ9hjw4VZCL15ftBeZMYyO2T1e41UImXAlftleT 2kXCktgyAfwfCzHhFiZM8k9QMFQV1x+JukJ9xPFBgICRLsLsVNVw/R1L7KqARuws4HqXxY1J SCpO+FB4b6tWSIRKbzlb6tctdKppKbG/adVYuoK61ngvmsAzy/9OLhF8u1MNCgyFd2woOErh /zyuap8KvJZMlwAIqpjsoHyXsa0cq8A/uNQSmodwBpRsEGXCmZIZq2FJw6N+38to8C8m97q0 YWrY63VsoA6hA4A4/ywzE3EiwGvqJQBMRv2ET3TIdTyLoEIwXq2bDPU7XTZGh5UZEsKFMHH5 228= Message-ID: Date: Sat, 18 Apr 2020 10:12:32 +1000 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 493tjf5Qnwz42pm X-Spamd-Bar: -------- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=heuristicsystems.com.au header.s=hsa header.b=ACZWAMI0; dmarc=none; spf=pass (mx1.freebsd.org: domain of dewayne@heuristicsystems.com.au designates 203.41.22.115 as permitted sender) smtp.mailfrom=dewayne@heuristicsystems.com.au X-Spamd-Result: default: False [-8.56 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_DKIM_ALLOW(-0.20)[heuristicsystems.com.au:s=hsa]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_MED(-2.00)[heuristicsystems.com.au.dwl.dnswl.org : 127.0.4.2]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; HAS_XAW(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCVD_DKIM_ARC_DNSWL_MED(-0.50)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TO_DN_NONE(0.00)[]; RCVD_IN_DNSWL_MED(-0.20)[115.22.41.203.list.dnswl.org : 127.0.4.2]; DKIM_TRACE(0.00)[heuristicsystems.com.au:+]; DMARC_NA(0.00)[heuristicsystems.com.au]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; IP_SCORE(-3.36)[ip: (-9.75), ipnet: 203.40.0.0/13(-4.32), asn: 1221(-2.74), country: AU(0.01)]; ASN(0.00)[asn:1221, ipnet:203.40.0.0/13, country:AU]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-Mailman-Approved-At: Sat, 18 Apr 2020 08:19:19 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Apr 2020 00:14:02 -0000 I'm on a similar ride. We run applications in both i386 and amd64 jails with FreeBSD's ASLR enabled (sendmail, squid, apache, ...) and all good. On the build server, the i386 jail with aslr enabled wasn't able to build gcc9; so this was disabled kern.elf32.*. ntp was the only real application that didn't play nicely with aslr. Fortunately, this was very helpful: /usr/bin/proccontrol -m aslr -s disable /usr/local/sbin/ntpd... And yes we started with HardenedBSD which was very successful in late 2018, and contains many good ideas. As some applications on the On 17/04/2020 10:58 pm, Marcin Wojtas wrote: > Hi, > > Together with our customers, Semihalf is interested in improving the status > of security mitigations enablement in FreeBSD. To start with, based on our > initial research it seems that after 2019 enhancements the ASLR/PIE > features are in pretty much ready state. > > Building the world using the 'WITH_PIE' flag produced proper binaries and > the sanity showed no obvious degradations. Additionally, for the ASLR we > performed a comparison of the pax tests ( > https://github.com/opntr/paxtest-freebsd) for amd64/arm64 and they indicate > the feature is working fine after setting the according sysctl knobs. I'd > be happy to present the results and discuss the details, but firstly I'd > like to ask more general questions: > > 1. Are there any hard blockers, like missing features or bugs, that prevent > enabling ASLR by default in the kernel and building the base system with > -DWITH_PIE? > > 2. In case the enablement becomes eventually approved, will it be better to > do it for all archs or focus only on the selected ones? > > 3. IMO it may be worth to benchmark/stress the system for the stability > verification and perf comparison purpose. Do you think it may be reasonable > to create a kind of reference matrix (archs vs tests)? Those could be done > to evaluate the current state of the OS, but also for validating each > proposed feature. I also think engaging the FreeBSD CI might be a huge help > in such an effort. BTW, any particular tests / benchmarks come to your mind > as useful in this case? > > I'd appreciate any feedback. > > Best regards, > Marcin Wojtas (mw@) > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >