From owner-freebsd-current@FreeBSD.ORG Mon Mar 31 00:07:02 2014
From: Oliver Pinter
To: Shawn Webb
Cc: FreeBSD-current
Date: Mon, 31 Mar 2014 02:07:01 +0200
Subject: Re: [CFT] ASLR and PIE on amd64
On 3/22/14, Shawn Webb wrote:
> Hey All,
>
> First off, I hope that even as a non-committer, it's okay that I post
> a call for testing. If not, please excuse my newbishness in this
> process. This is my first time submitting a major patch upstream to
> FreeBSD.
>
> Over the past few months, I've had the opportunity and pleasure to
> enhance existing patches to FreeBSD that implement a common exploit
> mitigation technology called Address Space Layout Randomization (ASLR)
> along with support for Position Independent Executables (PIE).
> ASLR+PIE has been a long-requested feature by many people I've met on
> IRC.
>
> I've submitted my patch to PR kernel/181497. I'm currently in the
> process of adding PIE support to certain high-visibility applications
> in base (mainly network daemons). I've added a make.conf knob that
> defaults to enabled (WITH_PIE=1). An application also has to explicitly
> support PIE by defining CAN_PIE in the Makefile prior to
> including bsd.prog.mk. After I get a decent amount of applications
> enabled with PIE support, I'll submit one last patch.
>
> The following sysctls can be set with a kernel compiled with the
> PAX_ASLR option:
>
> security.pax.aslr.status: 1
> security.pax.aslr.debug: 0
> security.pax.aslr.mmap_len: 16
> security.pax.aslr.stack_len: 12
> security.pax.aslr.exec_len: 12
>
> The security.pax.aslr.status sysctl enables and disables the ASLR
> system as a whole. The debug sysctl gives debugging output. The
> mmap_len sysctl tells the ASLR system how many bits to randomize when
> mmap() is called. The stack_len sysctl tells the ASLR system how many
> bits to randomize in the stack. The exec_len sysctl tells the ASLR
> system how many bits to randomize the execbase (this controls PIE).
> These sysctls can be set on a per-jail basis. If you have an
> application which doesn't support ASLR, yet you want ASLR enabled for
> everything else, you can simply place that misbehaving application in
> a jail with only that jail's ASLR settings turned off.
>
> Please let me know how your testing goes. I'm giving a presentation at
> BSDCan regarding this.
>
> If you want to keep tabs on my bleeding-edge development process,
> please follow my progress on GitHub:
> https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
>
> Thank you very much,

Hi! Please apply this patch. This fixed an issue with tunables.

> Shawn Webb

Attachment: 0001-PaX-ASLR-fixed-tunables-in-kern_pax.c.patch (decoded from the base64 body)

From 0890be10be9dc158037c137cf44e49dae33d753d Mon Sep 17 00:00:00 2001
From: Oliver Pinter <oliver.pntr@gmail.com>
Date: Mon, 31 Mar 2014 02:02:42 +0200
Subject: [PATCH] PaX ASLR: fixed tunables in kern_pax.c

Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
---
 sys/kern/kern_pax.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c
index 2185baf..b03cc03 100644
--- a/sys/kern/kern_pax.c
+++ b/sys/kern/kern_pax.c
@@ -99,21 +99,21 @@ SYSCTL_PROC(_security_pax_aslr, OID_AUTO, mmap_len,
     NULL, 0, sysctl_pax_aslr_mmap, "I",
     "Number of bits randomized for mmap(2) calls. "
     "32 bit: [8,16] 64 bit: [16,32]");
-TUNABLE_INT("security.pax.aslr.mmap", &pax_aslr_mmap_len);
+TUNABLE_INT("security.pax.aslr.mmap_len", &pax_aslr_mmap_len);
 
 SYSCTL_PROC(_security_pax_aslr, OID_AUTO, stack_len,
     CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON,
     NULL, 0, sysctl_pax_aslr_stack, "I",
     "Number of bits randomized for the stack. "
     "32 bit: [6,12] 64 bit: [12,21]");
-TUNABLE_INT("security.pax.aslr.stack", &pax_aslr_stack_len);
+TUNABLE_INT("security.pax.aslr.stack_len", &pax_aslr_stack_len);
 
 SYSCTL_PROC(_security_pax_aslr, OID_AUTO, exec_len,
     CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON,
     NULL, 0, sysctl_pax_aslr_exec, "I",
     "Number of bits randomized for the PIE exec base. "
     "32 bit: [6,12] 64 bit: [12,21]");
-TUNABLE_INT("security.pax.aslr.stack", &pax_aslr_exec_len);
+TUNABLE_INT("security.pax.aslr.exec_len", &pax_aslr_exec_len);
 
 static int
 sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS)
-- 
1.9.0
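Review bot: the functional defect in this hunk is the third TUNABLE_INT, which registered pax_aslr_exec_len under the name "security.pax.aslr.stack" (a copy of the line above it), so one loader tunable name was bound to two variables and no loader.conf key could reach the exec_len variable at all; the rename to "security.pax.aslr.exec_len" is the right fix and deserves a sentence in the commit message, since "fixed tunables" does not say that exec_len was previously unreachable from the loader. The other two changes align the tunable names with the OIDs declared in the SYSCTL_PROC lines above them (mmap_len, stack_len), which is what CTLFLAG_TUN on those OIDs advertises to users; with the old names an entry under the documented sysctl name was silently ignored at boot. One thing the hunk does not show: a loader-supplied value bypasses the sysctl_pax_aslr_* handlers, so please confirm that the ASLR init path clamps pax_aslr_*_len to the ranges given in the description strings ([16,32] and [12,21] on 64 bit) rather than trusting the tunable as-is.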
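The mismatch the patch fixes (a loader tunable spelled differently from its sysctl OID, so a loader.conf entry is silently ignored) is easy to check for from the administrator's side. The following POSIX sh script is an added example, not part of Oliver's mail or of the PaX ASLR patch: it validates a loader.conf fragment against the five security.pax.aslr.* OIDs named in the CFT and the 64-bit bit-length ranges given in the description strings of the patch. It goes slightly beyond the thread by also flagging values outside those ranges. The loader.conf fragment is constructed for the example; the script does not call sysctl(8) and runs offline.

```sh
#!/bin/sh
# Added example (not from the original mail or patch): check a loader.conf
# fragment for security.pax.aslr.* entries whose name matches no sysctl OID
# (the class of bug the patch fixes) or whose value is outside the documented
# 64-bit range. Runs offline on constructed input; sysctl(8) is never called.

# Known OIDs and their documented 64-bit ranges, as name:min:max.
# status and debug are on/off switches, so their range is 0..1.
PAX_ASLR_OIDS="status:0:1 debug:0:1 mmap_len:16:32 stack_len:12:21 exec_len:12:21"

# check_tunable NAME VALUE: prints ok, unknown or range.
# Returns 0 for ok, 1 for an unknown name, 2 for a bad value.
check_tunable() {
    name=$1; value=$2
    case "$name" in
        security.pax.aslr.*) leaf=${name#security.pax.aslr.} ;;
        *) echo "unknown"; return 1 ;;
    esac
    for entry in $PAX_ASLR_OIDS; do
        oid=${entry%%:*}
        rest=${entry#*:}
        min=${rest%%:*}
        max=${rest#*:}
        if [ "$oid" = "$leaf" ]; then
            case "$value" in
                ''|*[!0-9]*) echo "range"; return 2 ;;   # not a non-negative integer
            esac
            if [ "$value" -ge "$min" ] && [ "$value" -le "$max" ]; then
                echo "ok"; return 0
            fi
            echo "range"; return 2
        fi
    done
    echo "unknown"; return 1      # old-style names such as ...aslr.stack land here
}

# check_loader_conf FILE: prints "<verdict> <name>=<value>" for every
# security.pax.aslr.* line and returns the number of problems found.
check_loader_conf() {
    problems=0
    while IFS= read -r line; do
        line=${line%%#*}                               # drop trailing comment
        line=${line#"${line%%[![:space:]]*}"}          # trim leading whitespace
        case "$line" in security.pax.aslr.*=*) ;; *) continue ;; esac
        name=${line%%=*}
        val=${line#*=}
        val=${val%"${val##*[![:space:]]}"}             # trim trailing whitespace
        val=${val#\"}; val=${val%\"}                   # strip loader.conf quotes
        verdict=$(check_tunable "$name" "$val")
        echo "$verdict $name=$val"
        [ "$verdict" = "ok" ] || problems=$((problems + 1))
    done < "$1"
    return $problems
}

# Constructed loader.conf fragment for the example (not from a real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
security.pax.aslr.status="1"
security.pax.aslr.mmap_len="16"
security.pax.aslr.stack="12"        # pre-patch tunable name: matches no OID
security.pax.aslr.exec_len="40"     # above the documented 64-bit range [12,21]
EOF
rc=0
check_loader_conf "$SAMPLE" || rc=$?
rm -f "$SAMPLE"
echo "problems found: $rc"
```

On the sample above the script reports the first two entries as ok, the old-style stack entry as unknown and the exec_len entry as out of range, and exits with 2. The same two checks are worth running against /boot/loader.conf after upgrading a kernel that carries this patch, since entries written for the old tunable names keep parsing cleanly and simply stop having any effect.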