From owner-svn-doc-head@freebsd.org Tue Apr 12 22:56:06 2016 Return-Path: Delivered-To: svn-doc-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DD634B0D7DF; Tue, 12 Apr 2016 22:56:06 +0000 (UTC) (envelope-from wblock@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A1AFC1ABA; Tue, 12 Apr 2016 22:56:06 +0000 (UTC) (envelope-from wblock@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u3CMu5GS079612; Tue, 12 Apr 2016 22:56:05 GMT (envelope-from wblock@FreeBSD.org) Received: (from wblock@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u3CMu51Y079611; Tue, 12 Apr 2016 22:56:05 GMT (envelope-from wblock@FreeBSD.org) Message-Id: <201604122256.u3CMu51Y079611@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: wblock set sender to wblock@FreeBSD.org using -f 
From: Warren Block Date: Tue, 12 Apr 2016 22:56:05 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r48598 - head/en_US.ISO8859-1/htdocs/news/status X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Apr 2016 22:56:07 -0000 Author: wblock Date: Tue Apr 12 22:56:05 2016 New Revision: 48598 URL: https://svnweb.freebsd.org/changeset/doc/48598 Log: Add ASLR report from Konstantin Belousov . Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml Tue Apr 12 22:50:54 2016 (r48597) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml Tue Apr 12 22:56:05 2016 (r48598) @@ -1578,4 +1578,113 @@ + + + Address Space Layout Randomization + + + + + Konstantin + Belousov + + kib@FreeBSD.org + + + + + Ed + Maste + + emaste@FreeBSD.org + + + + + Patch home. + + + +

I wrote a small and straightforward yet feature-packed patch + to implement ASLR for &os; available for broader testing.

+ +

With this change, randomization is applied to all non-fixed + mappings. By randomization I mean the base address for the + mapping is selected with a guaranteed amount of entropy + (bits). If the mapping was requested to be superpage aligned, + the randomization honours the superpage attributes.

+ +

The randomization is done on a best-effort basis - that is, + the allocator falls back to a first fit strategy if + fragmentation prevents entropy injection. It is trivial to + implement a strong mode where failure to guarantee the + requested amount of entropy results in mapping request + failure, but I do not consider that to be usable.

+ +

I have not fine-tuned the amount of entropy injected right + now. It is only a quantitive change that will not change the + implementation. The current amount is controlled by + aslr_pages_rnd.

+ +

To not spoil coalescing optimizations, to reduce the page + table fragmentation inherent to ASLR, and to keep the + transient superpage promotion for the malloced memory, the + locality is implemented for anonymous private mappings, which + are automatically grouped until fragmentation kicks in. The + initial location for the anon group range is, of course, + randomized. After some additional tuning, the measures + appeared to be quite effective. In particular, very + address-space hungry build of PyPy 5.0 on i386 successfully + finished with the most aggressive functionality of the patch + activated.

+ +

The default mode keeps the sbrk area unpopulated by other + mappings, but this can be turned off, which gives much more + breathing bits on the small AS architectures (funny that + 32bits is considered small). This is tied with the question + of following an application's hint about the mmap(2) + base address. Testing shows that ignoring the hint does not + affect the function of common applications, but I would expect + more demanding code could break. By default sbrk is preserved + and mmap hints are satisfied, which can be changed by using + the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled + by default for wider testing).

+ +

Stack gap, W^X, shared page randomization, KASLR and other + techniques are explicitely out of scope of this work.

+ +

The paxtest results for the run with the previous version 5 + of the patch applied and aggresively tuned can be seen at the + https://www.kib.kiev.ua/kib/aslr/paxtest.log . For + comparison, the run on Fedora 23 on the same machine is at + https://www.kib.kiev.ua/kib/aslr/fedora.log .

+ +

ASLR is enabled on per-ABI basis, and currently it is only + enabled on native i386 and amd64 (including compat 32bit) and + ARMv6 ABIs. I expect to test and enable ASLR for arm64 as + well, later.

+ +

The procctl(2) control for ASLR is implemented, but + I have not provided a userspace wrapper around the syscall. + In fact, the most reasonable control needed is per-image and + not per-process, but we have no tradition to put the + kernel-read attributes into the extattrs of binary, so I am + still pondering that part and this also explains the + non-written tool.

+ +

Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD + project for pursuing ASLR for &os;. Although this work is + not based on theirs, it was inspired by their efforts.

+ +

Thanks to Ed Maste, Robert Watson, John Baldwin, and Alan Cox + for some discussions about the patch, and for The FreeBSD + Foundation for directing me.

+ +

Bartek Rutkowski tested PyPy builds on i386, and David Naylor + helped with the port which was at point of turbulence and + upgrade during the work.

+ + + The FreeBSD Foundation +
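Review bot: the added report text carries several misspellings that should be corrected before this goes live: "quantitive change" (in the paragraph on aslr_pages_rnd) should read "quantitative change", "explicitely out of scope" should read "explicitly out of scope", and "aggresively tuned" should read "aggressively tuned"; the paxtest paragraph also has a stray article in "can be seen at the https://www.kib.kiev.ua/kib/aslr/paxtest.log". In the acknowledgements, "for The FreeBSD Foundation for directing me" reads better as "to The FreeBSD Foundation for directing me". Finally, the sentence "By default sbrk is preserved and mmap hints are satisfied, which can be changed by using the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled by default for wider testing)" leaves it unclear whether the parenthetical refers to ASLR as a whole or only to the aslr_care_sbrk setting; spelling out which one is enabled by default would remove the ambiguity for readers evaluating the patch.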