From owner-svn-doc-all@freebsd.org  Tue Apr 12 22:56:06 2016
Return-Path: <owner-svn-doc-all@freebsd.org>
Delivered-To: svn-doc-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DD634B0D7DF;
 Tue, 12 Apr 2016 22:56:06 +0000 (UTC)
 (envelope-from wblock@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A1AFC1ABA;
 Tue, 12 Apr 2016 22:56:06 +0000 (UTC)
 (envelope-from wblock@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u3CMu5GS079612;
 Tue, 12 Apr 2016 22:56:05 GMT (envelope-from wblock@FreeBSD.org)
Received: (from wblock@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u3CMu51Y079611;
 Tue, 12 Apr 2016 22:56:05 GMT (envelope-from wblock@FreeBSD.org)
Message-Id: <201604122256.u3CMu51Y079611@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: wblock set sender to
 wblock@FreeBSD.org using -f
From: Warren Block <wblock@FreeBSD.org>
Date: Tue, 12 Apr 2016 22:56:05 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org,
 svn-doc-head@freebsd.org
Subject: svn commit: r48598 - head/en_US.ISO8859-1/htdocs/news/status
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Author: wblock
Date: Tue Apr 12 22:56:05 2016
New Revision: 48598
URL: https://svnweb.freebsd.org/changeset/doc/48598

Log:
  Add ASLR report from Konstantin Belousov <kostikbel@gmail.com>.

Modified:
  head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml

Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml
==============================================================================
--- head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml	Tue Apr 12 22:50:54 2016	(r48597)
+++ head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml	Tue Apr 12 22:56:05 2016	(r48598)
@@ -1578,4 +1578,113 @@
       </task>
     </help>
   </project>
+
+  <project cat='proj'>
+    <title>Address Space Layout Randomization</title>
+
+    <contact>
+      <person>
+	<name>
+	  <given>Konstantin</given>
+	  <common>Belousov</common>
+	</name>
+	<email>kib@FreeBSD.org</email>
+      </person>
+
+      <person>
+	<name>
+	  <given>Ed</given>
+	  <common>Maste</common>
+	</name>
+	<email>emaste@FreeBSD.org</email>
+      </person>
+    </contact>
+
+    <links>
+      <url href="https://kib.kiev.ua/kib/aslr">Patch home.</url>
+    </links>
+
+    <body>
+      <p>I wrote a small and straightforward yet feature-packed patch
+	to implement ASLR for &os; available for broader testing.</p>
+
+      <p>With this change, randomization is applied to all non-fixed
+	mappings.  By randomization I mean the base address for the
+	mapping is selected with a guaranteed amount of entropy
+	(bits).  If the mapping was requested to be superpage aligned,
+	the randomization honours the superpage attributes.</p>
+
+      <p>The randomization is done on a best-effort basis - that is,
+	the allocator falls back to a first fit strategy if
+	fragmentation prevents entropy injection.  It is trivial to
+	implement a strong mode where failure to guarantee the
+	requested amount of entropy results in mapping request
+	failure, but I do not consider that to be usable.</p>
+
+      <p>I have not fine-tuned the amount of entropy injected right
+	now.  It is only a quantitive change that will not change the
+	implementation.  The current amount is controlled by
+	aslr_pages_rnd.</p>
+
+      <p>To not spoil coalescing optimizations, to reduce the page
+	table fragmentation inherent to ASLR, and to keep the
+	transient superpage promotion for the malloced memory, the
+	locality is implemented for anonymous private mappings, which
+	are automatically grouped until fragmentation kicks in.  The
+	initial location for the anon group range is, of course,
+	randomized.  After some additional tuning, the measures
+	appeared to be quite effective.  In particular, very
+	address-space hungry build of PyPy 5.0 on i386 successfully
+	finished with the most aggressive functionality of the patch
+	activated.</p>
+
+      <p>The default mode keeps the sbrk area unpopulated by other
+	mappings, but this can be turned off, which gives much more
+	breathing bits on the small AS architectures (funny that
+	32bits is considered small).  This is tied with the question
+	of following an application's hint about the <tt>mmap(2)</tt>
+	base address.  Testing shows that ignoring the hint does not
+	affect the function of common applications, but I would expect
+	more demanding code could break.  By default sbrk is preserved
+	and mmap hints are satisfied, which can be changed by using
+	the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled
+	by default for wider testing).</p>
+
+      <p>Stack gap, W^X, shared page randomization, KASLR and other
+	techniques are explicitely out of scope of this work.</p>
+
+      <p>The paxtest results for the run with the previous version 5
+	of the patch applied and aggresively tuned can be seen at the
+	https://www.kib.kiev.ua/kib/aslr/paxtest.log .  For
+	comparison, the run on Fedora 23 on the same machine is at
+	https://www.kib.kiev.ua/kib/aslr/fedora.log .</p>
+
+      <p>ASLR is enabled on per-ABI basis, and currently it is only
+	enabled on native i386 and amd64 (including compat 32bit) and
+	ARMv6 ABIs.  I expect to test and enable ASLR for arm64 as
+	well, later.</p>
+
+      <p>The <tt>procctl(2)</tt> control for ASLR is implemented, but
+	I have not provided a userspace wrapper around the syscall.
+	In fact, the most reasonable control needed is per-image and
+	not per-process, but we have no tradition to put the
+	kernel-read attributes into the extattrs of binary, so I am
+	still pondering that part and this also explains the
+	non-written tool.</p>
+
+      <p>Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD
+	project for pursuing ASLR for &os;.  Although this work is
+	not based on theirs, it was inspired by their efforts.</p>
+
+      <p>Thanks to Ed Maste, Robert Watson, John Baldwin, and Alan Cox
+	for some discussions about the patch, and for The FreeBSD
+	Foundation for directing me.</p>
+
+      <p>Bartek Rutkowski tested PyPy builds on i386, and David Naylor
+	helped with the port which was at point of turbulence and
+	upgrade during the work.</p>
+    </body>
+
+    <sponsor>The FreeBSD Foundation</sponsor>
+  </project>
 </report>
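Review bot: the paxtest paragraph ("The paxtest results for the run with the previous version 5 ...") cites https://www.kib.kiev.ua/kib/aslr/paxtest.log and https://www.kib.kiev.ua/kib/aslr/fedora.log as bare text inside a <p>, which leaves the awkward " ." before each period and does not render as a link; this project entry already has a <links> block with a <url href="https://kib.kiev.ua/kib/aslr">Patch home.</url> entry, so add the two logs there (or use whatever inline link markup the rest of report-2016-01-2016-03.xml uses) and refer to them by name in the paragraph. The sentence "By default sbrk is preserved and mmap hints are satisfied, which can be changed by using the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled by default for wider testing)" names a single sysctl for two behaviours (sbrk preservation and honouring the mmap hint); say which of the two that sysctl controls, or name the second knob, since readers testing the patch will look for both. Spelling in the body: "quantitive" should be "quantitative", "explicitely" should be "explicitly", "aggresively" should be "aggressively", and "malloced memory" reads better as "malloc(3)-allocated memory". Minor: cat='proj' on the <project> element uses single quotes while the href attribute in the same entry uses double quotes; match the quoting used by the other projects in the file.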