From: Shawn Webb
To: FreeBSD-current
Date: Fri, 21 Mar 2014 21:13:44 -0400
Subject: [CFT] ASLR and PIE on amd64
List-Id: Discussions about the use of FreeBSD-current

Hey All,

First off, I hope that even as a
non-committer, it's okay that I post a call for testing. If not, please excuse my newbishness in this process. This is my first time submitting a major patch upstream to FreeBSD.

Over the past few months, I've had the opportunity and pleasure to enhance existing patches to FreeBSD that implement a common exploit mitigation technology called Address Space Layout Randomization (ASLR) along with support for Position Independent Executables (PIE). ASLR+PIE has been a long-requested feature by many people I've met on IRC. I've submitted my patch to PR kernel/181497.

I'm currently in the process of adding PIE support to certain high-visibility applications in base (mainly network daemons). I've added a make.conf knob that defaults to enabled (WITH_PIE=1). An application also has to explicitly support PIE by defining CAN_PIE in its Makefile prior to including bsd.prog.mk. After I get a decent number of applications enabled with PIE support, I'll submit one last patch.

The following sysctls can be set with a kernel compiled with the PAX_ASLR option:

    security.pax.aslr.status: 1
    security.pax.aslr.debug: 0
    security.pax.aslr.mmap_len: 16
    security.pax.aslr.stack_len: 12
    security.pax.aslr.exec_len: 12

The security.pax.aslr.status sysctl enables and disables the ASLR system as a whole. The debug sysctl gives debugging output. The mmap_len sysctl tells the ASLR system how many bits to randomize when mmap() is called. The stack_len sysctl tells the ASLR system how many bits to randomize in the stack. The exec_len sysctl tells the ASLR system how many bits to randomize in the execbase (this controls PIE).

These sysctls can be set on a per-jail basis. If you have an application which doesn't support ASLR, yet you want ASLR enabled for everything else, you can simply place that misbehaving application in a jail with only that jail's ASLR settings turned off.

Please let me know how your testing goes. I'm giving a presentation at BSDCan regarding this.
If you want to keep tabs on my bleeding-edge development process, please follow my progress on GitHub: https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr). Thank you very much, Shawn Webb
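The mmap_len, stack_len and exec_len sysctls state how many bits the kernel is asked to randomize, but what a given kernel and binary actually deliver is only known by measuring it. The C program below is an added example for testers following this call for testing; it is not code from Shawn Webb's patch or from the FreeBSD tree. Built as a PIE, it re-executes itself in a probe mode that prints the address of an anonymous mmap() mapping, of a stack variable and of one of its own functions, then counts how many bit positions of each address differ across the runs, which can be compared directly against the three sysctl values. The "--probe" flag, the output line format and the sample count are this example's own choices; it assumes only POSIX popen() and mmap().

```c
/*
 * aslr_probe.c -- added example, not part of the ASLR/PIE patch itself.
 * Estimates how many address bits really vary between executions for the
 * three regions the security.pax.aslr.* sysctls control:
 *   mmap_len  -> anonymous mmap() mappings
 *   stack_len -> the stack
 *   exec_len  -> the executable base (only randomized for a PIE binary)
 *
 * Build as a PIE:  cc -fPIE -pie -o aslr_probe aslr_probe.c
 * Run:             ./aslr_probe        (spawns itself NSAMPLES times)
 * The "--probe" child mode (this example's own flag) prints one line of
 * three addresses and exits.
 */
#define _DEFAULT_SOURCE 1       /* popen()/MAP_ANON on glibc; harmless on FreeBSD */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <inttypes.h>
#include <sys/mman.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

#define NSAMPLES 32

/* Count the bit positions that differ across the samples: OR together the
 * XOR of every sample against the first, then popcount the result.  Over a
 * finite number of runs this can only underestimate the randomized bits
 * (a bit that happened not to flip is not counted), never overestimate. */
int varying_bits(const uintptr_t *samples, size_t n)
{
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++)
        diff |= samples[i] ^ samples[0];
    int bits = 0;
    for (; diff != 0; diff &= diff - 1)     /* clear lowest set bit */
        bits++;
    return bits;
}

/* Parse one probe line "mmap=0x... stack=0x... exec=0x..." into out[3].
 * Returns 1 on success, 0 on a malformed line. */
int parse_probe_line(const char *line, uintptr_t out[3])
{
    unsigned long long m, s, e;
    if (sscanf(line, "mmap=%llx stack=%llx exec=%llx", &m, &s, &e) != 3)
        return 0;
    out[0] = (uintptr_t)m;
    out[1] = (uintptr_t)s;
    out[2] = (uintptr_t)e;
    return 1;
}

/* Child mode: report one sample of each region and exit. */
static int probe_mode(void)
{
    int local;                                  /* lives on the stack */
    void *map = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANON, -1, 0);
    if (map == MAP_FAILED)
        return 1;
    /* &probe_mode moves with the executable base only if this is a PIE */
    printf("mmap=0x%" PRIxPTR " stack=0x%" PRIxPTR " exec=0x%" PRIxPTR "\n",
           (uintptr_t)map, (uintptr_t)&local, (uintptr_t)&probe_mode);
    munmap(map, 4096);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        return probe_mode();

    uintptr_t mm[NSAMPLES], st[NSAMPLES], ex[NSAMPLES];
    char cmd[4096], line[256];
    size_t n = 0;

    /* Re-exec ourselves: fork() alone would not re-randomize the layout. */
    snprintf(cmd, sizeof cmd, "\"%s\" --probe", argv[0]);
    for (int i = 0; i < NSAMPLES; i++) {
        uintptr_t v[3];
        FILE *p = popen(cmd, "r");
        if (p == NULL)
            break;
        if (fgets(line, sizeof line, p) != NULL && parse_probe_line(line, v)) {
            mm[n] = v[0];
            st[n] = v[1];
            ex[n] = v[2];
            n++;
        }
        pclose(p);
    }
    if (n < 2) {
        fprintf(stderr, "could not re-exec %s in --probe mode\n", argv[0]);
        return 1;
    }
    printf("%zu runs: mmap varies in %d bits, stack in %d bits, exec base in %d bits\n",
           n, varying_bits(mm, n), varying_bits(st, n), varying_bits(ex, n));
    return 0;
}
```

Two checks fall out of the email's description: with security.pax.aslr.status set to 0, or when the probe is run inside a jail whose ASLR settings are turned off, all three counts should drop to 0; and building the same source without -fPIE -pie should zero only the exec-base count while mmap and stack keep varying, which is exactly the distinction between what the kernel's ASLR provides on its own and what needs PIE support in the binary.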