From: Marcin Wojtas
Date: Tue, 16 Nov 2021 23:30:19 +0100
Subject: HEADS-UP: ASLR for 64-bit executables enabled by default on main
To: freebsd-current@freebsd.org
Cc: Fabien Thomas, MARECHAL Boris, Rafal Jaworowski, Damien DEVILLE
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
As of b014e0f15bc7 the ASLR (Address Space Layout Randomization) feature is enabled by default for all 64-bit binaries.

Address Space Layout Randomization (ASLR) is an exploit mitigation technique implemented in the majority of modern operating systems. It involves randomly positioning the base address of an executable and the position of libraries, heap, and stack in a process's address space. Although over the years ASLR has proved not to guarantee full OS security on its own, this mechanism can make exploitation more difficult (especially when combined with other methods, such as W^X).

Tests on the tier 1 64-bit architectures demonstrated that ASLR is stable and does not result in noticeable performance degradation, therefore it is considered safe to enable this mechanism by default. Moreover, its effectiveness is increased for PIE (Position Independent Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by default on 64-bit architectures"), building from src is not necessary to have PIE binaries, and it is enough to control the usage of ASLR in the OS solely by setting the appropriate sysctls. The defaults were toggled for both 64-bit PIE and non-PIE executables.

As for the drawbacks, a consequence of using ASLR is more significant VM fragmentation, hence issues may be encountered on systems with a limited address space in high-memory-consumption cases, such as buildworld. As a result, although the tests on 32-bit architectures with ASLR enabled were mostly on par with what was observed on 64-bit ones, the defaults for the former are not changed at this time. Also, for the sake of safety, the feature remains disabled for 32-bit executables on 64-bit machines, too.

The committed change affects the overall OS operation, so the following should be taken into consideration:

* Address space fragmentation.
* A changed ABI due to the modified layout of the address space.
* More complicated debugging due to:
  * Non-reproducible address space layout between runs.
  * Some debuggers automatically disabling ASLR for spawned processes, making the target's environment different between debug and non-debug runs.

The known issues (such as PR239873 or PR253208) have been fixed in HEAD up front; however, please pay attention to the system behavior after upgrading the kernel to the newest revisions. In order to confirm or rule out the dependency of any encountered issue on ASLR, it is strongly advised to re-run the test with the feature disabled. This can be done by setting the following sysctls in the /etc/sysctl.conf file:

    kern.elf64.aslr.enable=0
    kern.elf64.aslr.pie_enable=0

The change is a result of combined efforts under the auspices of the FreeBSD Foundation and the Semihalf team sponsored by Stormshield.

Best regards,
Marcin
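The "non-reproducible address space layout between runs" point above is easy to observe directly. The following C program is an added example, not part of the original mail or of the FreeBSD source tree: it samples one address from each of the regions ASLR moves (executable text and data, malloc heap, stack, an anonymous mmap region, and a libc function) and prints them, so two consecutive runs can be compared. The region names, the struct layout and the helper functions are this example's own choices; the 4 KiB page granularity used in the distinctness check is an assumption, not a property of any particular platform.

```c
/* Added example (not from the original mail): snapshot where the main
 * regions of the current process landed, so consecutive runs can be compared.
 * On a 64-bit FreeBSD main with kern.elf64.aslr.enable=1 (and
 * kern.elf64.aslr.pie_enable=1 for PIE binaries) the addresses change from
 * run to run; with both sysctls set to 0 the output repeats. */
#define _DEFAULT_SOURCE 1
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

#define REGION_COUNT 6

/* One sampled address per region, in the order of region_names[]. */
struct layout {
    uintptr_t addr[REGION_COUNT];
};

static const char *region_names[REGION_COUNT] = {
    "text (this executable)", "data (global variable)", "heap (malloc)",
    "stack (local variable)", "mmap (anonymous mapping)", "libc (puts)"
};

static int data_marker = 1;          /* lives in the executable's data segment */
static void text_marker(void) {}     /* lives in the executable's text segment */

/* Take one snapshot of the current process. The heap block and the anonymous
 * mapping are released before returning; only their addresses are kept. */
struct layout sample_layout(void)
{
    struct layout l;
    volatile int stack_marker = 0;
    void *heap = malloc(64);
    void *map = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANON, -1, 0);

    l.addr[0] = (uintptr_t)&text_marker;
    l.addr[1] = (uintptr_t)&data_marker;
    l.addr[2] = (uintptr_t)heap;
    l.addr[3] = (uintptr_t)&stack_marker;
    l.addr[4] = (map == MAP_FAILED) ? 0 : (uintptr_t)map;
    l.addr[5] = (uintptr_t)&puts;

    free(heap);
    if (map != MAP_FAILED)
        munmap(map, 4096);
    return l;
}

/* Number of regions whose sampled address differs between two snapshots
 * (for example, one taken from each of two runs). */
int count_differing_regions(const struct layout *a, const struct layout *b)
{
    int n = 0;
    for (int i = 0; i < REGION_COUNT; i++)
        if (a->addr[i] != b->addr[i])
            n++;
    return n;
}

/* 1 if text, heap, stack and the anonymous mapping each fall in a different
 * 4 KiB-aligned block (assumed page size), i.e. the sample hit four separate
 * mappings rather than one. */
int core_regions_distinct(const struct layout *l)
{
    static const int core[] = {0, 2, 3, 4};
    for (int i = 0; i < 4; i++)
        for (int j = i + 1; j < 4; j++)
            if ((l->addr[core[i]] >> 12) == (l->addr[core[j]] >> 12))
                return 0;
    return 1;
}

void print_layout(const struct layout *l)
{
    for (int i = 0; i < REGION_COUNT; i++)
        printf("%-26s 0x%016" PRIxPTR "\n", region_names[i], l->addr[i]);
}

int main(void)
{
    struct layout l = sample_layout();
    print_layout(&l);
    return 0;
}
```

Compile it, run it twice, and compare the two outputs: with ASLR on, the stack, mmap and libc lines (and, for a PIE build, the text and data lines too) differ between runs; with kern.elf64.aslr.enable=0 and kern.elf64.aslr.pie_enable=0 they repeat. For a non-PIE executable the text and data lines stay fixed regardless of the sysctls, which is the "effectiveness is increased for PIE binaries" point from the mail. Because a debugger may disable ASLR for the processes it spawns, the same comparison run under and outside the debugger is a quick way to notice that the two environments differ.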