Date: Mon, 31 Mar 2014 02:07:01 +0200 From: Oliver Pinter <oliver.pntr@gmail.com> To: Shawn Webb <lattera@gmail.com> Cc: FreeBSD-current <freebsd-current@freebsd.org> Subject: Re: [CFT] ASLR and PIE on amd64 Message-ID: <CAPjTQNFe7mrBCWNqWiJPPW7kkE9RyhEH-3XqvVkqDzb%2B-YrZkg@mail.gmail.com> In-Reply-To: <CADt0fhzxTF=CoRZSLXv3MpKJisZx1kCd48O3wqkSL-8vL3ogaA@mail.gmail.com> References: <CADt0fhzxTF=CoRZSLXv3MpKJisZx1kCd48O3wqkSL-8vL3ogaA@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On 3/22/14, Shawn Webb <lattera@gmail.com> wrote: > Hey All, > > First off, I hope that even as a non-committer, it's okay that I post > a call for testing. If not, please excuse my newbishness in this > process. This is my first time submitting a major patch upstream to > FreeBSD. > > Over the past few months, I've had the opportunity and pleasure to > enhance existing patches to FreeBSD that implement a common exploit > mitigation technology called Address Space Layout Randomization (ASLR) > along with support for Position Independent Executables (PIE). > ASLR+PIE has been a long-requested feature by many people I've met on > IRC. > > I've submitted my patch to PR kernel/181497. I'm currently in the > process of adding PIE support to certain high-visibility applications > in base (mainly network daemons). I've added a make.conf knob that's > default to enabled (WITH_PIE=1). An application has to also explicitly > support PIE as well by defining CAN_PIE in the Makefile prior to > including bsd.prog.mk. After I get a decent amount of applications > enabled with PIE support, I'll submit one last patch. > > The following sysctl's can be set with a kernel compiled with the > PAX_ASLR option: > > security.pax.aslr.status: 1 > security.pax.aslr.debug: 0 > security.pax.aslr.mmap_len: 16 > security.pax.aslr.stack_len: 12 > security.pax.aslr.exec_len: 12 > > The security.pax.aslr.status sysctl enables and disables the ASLR > system as a whole. The debug sysctl gives debugging output. The > mmap_len sysctl tells the ASLR system how many bits to randomize with > mmap() is called. The stack_len sysctl tells the ASLR system how many > bits to randomize in the stack. The exec_len sysctl tells the ASLR > system how many bits to randomize the execbase (this controls PIE). > These sysctls can be set as a per-jail basis. If you have an > application which doesn't support ASLR, yet you want ASLR enabled for > everything else, you can simply place that misbehaving application in > a jail with only that jail's ASLR settings turned off. > > Please let me know how your testing goes. I'm giving a presentation at > BSDCan regarding this. > > If you want to keep tabs on my bleeding-edge development process, > please follow my progress on GitHub: > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr). > > Thank you very much, Hi! Please apply this patch. This fixed an issue with tunables. > > Shawn Webb > _______________________________________________ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" > [-- Attachment #2 --] From 0890be10be9dc158037c137cf44e49dae33d753d Mon Sep 17 00:00:00 2001 From: Oliver Pinter <oliver.pntr@gmail.com> Date: Mon, 31 Mar 2014 02:02:42 +0200 Subject: [PATCH] PaX ASLR: fixed tunables in kern_pax.c Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com> --- sys/kern/kern_pax.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c index 2185baf..b03cc03 100644 --- a/sys/kern/kern_pax.c +++ b/sys/kern/kern_pax.c @@ -99,21 +99,21 @@ SYSCTL_PROC(_security_pax_aslr, OID_AUTO, mmap_len, NULL, 0, sysctl_pax_aslr_mmap, "I", "Number of bits randomized for mmap(2) calls. " "32 bit: [8,16] 64 bit: [16,32]"); -TUNABLE_INT("security.pax.aslr.mmap", &pax_aslr_mmap_len); +TUNABLE_INT("security.pax.aslr.mmap_len", &pax_aslr_mmap_len); SYSCTL_PROC(_security_pax_aslr, OID_AUTO, stack_len, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, NULL, 0, sysctl_pax_aslr_stack, "I", "Number of bits randomized for the stack. " "32 bit: [6,12] 64 bit: [12,21]"); -TUNABLE_INT("security.pax.aslr.stack", &pax_aslr_stack_len); +TUNABLE_INT("security.pax.aslr.stack_len", &pax_aslr_stack_len); SYSCTL_PROC(_security_pax_aslr, OID_AUTO, exec_len, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, NULL, 0, sysctl_pax_aslr_exec, "I", "Number of bits randomized for the PIE exec base. " "32 bit: [6,12] 64 bit: [12,21]"); -TUNABLE_INT("security.pax.aslr.stack", &pax_aslr_exec_len); +TUNABLE_INT("security.pax.aslr.exec_len", &pax_aslr_exec_len); static int sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS) -- 1.9.0help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPjTQNFe7mrBCWNqWiJPPW7kkE9RyhEH-3XqvVkqDzb%2B-YrZkg>