From: Shawn Webb
To: Oliver Pinter
Cc: FreeBSD-current
Subject: Re: [CFT] ASLR and PIE on amd64
Date: Sun, 30 Mar 2014 20:24:36 -0400
Message-ID: <20140331002436.GB14025@pwnie.vrt.sourcefire.com>

On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
> On 3/22/14, Shawn Webb wrote:
> > Hey All,
> >
> > First off, I hope that even as a non-committer, it's okay that I post a call for testing. If not, please excuse my newbishness in this process. This is my first time submitting a major patch upstream to FreeBSD.
> >
> > Over the past few months, I've had the opportunity and pleasure to enhance existing patches to FreeBSD that implement a common exploit mitigation technology called Address Space Layout Randomization (ASLR) along with support for Position Independent Executables (PIE). ASLR+PIE has been a long-requested feature by many people I've met on IRC.
> >
> > I've submitted my patch to PR kernel/181497. I'm currently in the process of adding PIE support to certain high-visibility applications in base (mainly network daemons).
> > I've added a make.conf knob that defaults to enabled (WITH_PIE=1). An application also has to explicitly support PIE by defining CAN_PIE in the Makefile prior to including bsd.prog.mk. After I get a decent amount of applications enabled with PIE support, I'll submit one last patch.
> >
> > The following sysctls can be set with a kernel compiled with the PAX_ASLR option:
> >
> > security.pax.aslr.status: 1
> > security.pax.aslr.debug: 0
> > security.pax.aslr.mmap_len: 16
> > security.pax.aslr.stack_len: 12
> > security.pax.aslr.exec_len: 12
> >
> > The security.pax.aslr.status sysctl enables and disables the ASLR system as a whole. The debug sysctl gives debugging output. The mmap_len sysctl tells the ASLR system how many bits to randomize when mmap() is called. The stack_len sysctl tells the ASLR system how many bits to randomize in the stack. The exec_len sysctl tells the ASLR system how many bits to randomize the execbase (this controls PIE). These sysctls can be set on a per-jail basis. If you have an application which doesn't support ASLR, yet you want ASLR enabled for everything else, you can simply place that misbehaving application in a jail with only that jail's ASLR settings turned off.
> >
> > Please let me know how your testing goes. I'm giving a presentation at BSDCan regarding this.
> >
> > If you want to keep tabs on my bleeding-edge development process, please follow my progress on GitHub: https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
> >
> > Thank you very much,
>
> Hi!
>
> Please apply this patch. This fixed an issue with tunables.

Patch merged successfully into my GitHub repo. Fixed with commit d2c0813. I'll include it in my next patch submission upstream when I submit my PIE work.

Thanks!
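As an added example for testers (not code from the patch or from this thread), a small C harness that measures how many address bits actually vary across runs for the regions the mmap_len, stack_len and exec_len sysctls quoted above control. The four sample mmap bases are constructed for illustration; the live values printed by main() will differ on every system.

```c
#define _DEFAULT_SOURCE  /* glibc: expose MAP_ANON; harmless on FreeBSD */
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>

/* Lower bound on the randomised bits in addresses sampled across runs: OR
 * the XOR of each sample against the first, then count the set bits. Bits
 * that never changed (e.g. the low 12 bits of a page-aligned mmap base) are
 * not counted, and few runs undercount, so read the result as "at least". */
int count_varying_bits(const uintptr_t *addrs, size_t n)
{
    uintptr_t mask = 0;
    int bits = 0;

    if (n < 2)
        return 0;
    for (size_t i = 1; i < n; i++)
        mask |= addrs[i] ^ addrs[0];
    for (; mask != 0; mask >>= 1)
        bits += (int)(mask & 1);
    return bits;
}

/* Constructed sample: mmap bases from four hypothetical runs, made up for
 * illustration. They differ in 11 bit positions, short of mmap_len=16,
 * which is what a sample this small will typically show. */
static const uintptr_t sample_mmap[] = {
    0x801a3c000UL, 0x801f0b000UL, 0x80090d000UL, 0x802d27000UL
};

int demo_observed_bits(void)
{
    return count_varying_bits(sample_mmap, sizeof sample_mmap / sizeof sample_mmap[0]);
}

/* Live sample: an anonymous mmap base, a stack address and the address of
 * main() (execbase; only moves when built as PIE). Run the binary repeatedly
 * and feed each column to count_varying_bits, then compare with the sysctl. */
int main(void)
{
    volatile char stack_probe = 0;
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (m == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    printf("mmap=%#lx stack=%#lx exec=%#lx\n", (unsigned long)(uintptr_t)m,
           (unsigned long)(uintptr_t)&stack_probe, (unsigned long)(uintptr_t)main);
    munmap(m, 4096);
    return 0;
}
```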