From nobody Thu Nov 18 18:07:19 2021 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 6B6A5189408C for ; Thu, 18 Nov 2021 18:07:32 +0000 (UTC) (envelope-from lwhsu@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Hw7782cZnz3CY9 for ; Thu, 18 Nov 2021 18:07:32 +0000 (UTC) (envelope-from lwhsu@freebsd.org) Received: from mail-ed1-f50.google.com (mail-ed1-f50.google.com [209.85.208.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) (Authenticated sender: lwhsu/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 3449C2A152 for ; Thu, 18 Nov 2021 18:07:32 +0000 (UTC) (envelope-from lwhsu@freebsd.org) Received: by mail-ed1-f50.google.com with SMTP id w1so30724915edd.10 for ; Thu, 18 Nov 2021 10:07:32 -0800 (PST) X-Gm-Message-State: AOAM532m2CHOoGR0LEuXBJu30tQkK2slFodZqMZX+BPL7b2gbfavWmgH rBh7N/zC48BytUD2ORVOgwoNGVKt1b+F4AK3Dfw= X-Google-Smtp-Source: ABdhPJwMufpXNvKvr3sjEHJK1JpWXziBpVgi1wmVq3g8mgJ8y4T7pEzdzih9OmOZUh88VZDChuqIAmTX+8/wLam9DZY= X-Received: by 2002:a50:955c:: with SMTP id v28mr13614280eda.293.1637258851062; Thu, 18 Nov 2021 10:07:31 -0800 (PST) List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Li-Wen Hsu Date: Fri, 19 Nov 2021 02:07:19 +0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: HEADS-UP: ASLR for 64-bit executables enabled by default on main To: Marcin Wojtas Cc: freebsd-current , Fabien Thomas , MARECHAL Boris , Rafal Jaworowski , Damien DEVILLE Content-Type: text/plain; charset="UTF-8" X-ThisMailContainsUnwantedMimeParts: N On Wed, Nov 17, 2021 at 6:30 AM Marcin Wojtas wrote: > > As of b014e0f15bc7 the ASLR (Address Space Layout > Randomization) feature becomes enabled for the all 64-bit > binaries by default. > > Address Space Layout Randomization (ASLR) is an exploit mitigation > technique implemented in the majority of modern operating systems. > It involves randomly positioning the base address of an executable > and the position of libraries, heap, and stack, in a process's address > space. Although over the years ASLR proved to not guarantee full OS > security on its own, this mechanism can make exploitation more difficult > (especially when combined with other methods, such as W^X). > > Tests on the tier 1 64-bit architectures demonstrated that the ASLR is > stable and does not result in noticeable performance degradation, > therefore it is considered safe to enable this mechanism by default. > Moreover its effectiveness is increased for PIE (Position Independent > Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by > default on 64-bit architectures"), building from src is not necessary > to have PIE binaries and it is enough to control usage of ASLR in the > OS solely by setting the appropriate sysctls. The defaults were toggled > for the 64-bit PIE and non-PIE executables. > > As for the drawbacks, a consequence of using the ASLR is more > significant VM fragmentation, hence the issues may be encountered > in the systems with a limited address space in high memory consumption > cases, such as buildworld. As a result, although the tests on 32-bit > architectures with ASLR enabled were mostly on par with what was > observed on 64-bit ones, the defaults for the former are not changed > at this time. Also, for the sake of safety the feature remains disabled > for 32-bit executables on 64-bit machines, too. > > The committed change affects the overall OS operation, so the > following should be taken into consideration: > * Address space fragmentation. > * A changed ABI due to modified layout of address space. > * More complicated debugging due to: > * Non-reproducible address space layout between runs. > * Some debuggers automatically disable ASLR for spawned processes, > making target's environment different between debug and > non-debug runs. > > The known issues (such as PR239873 or PR253208) have been fixed in > HEAD up front, however please pay attention to the system behavior after > upgrading the kernel to the newest revisions. > In order to confirm/rule-out the dependency of any encountered issue > on ASLR it is strongly advised to re-run the test with the feature > disabled - it can be done by setting the following sysctls > in the /etc/sysctl.conf file: > kern.elf64.aslr.enable=0 > kern.elf64.aslr.pie_enable=0 > > The change is a result of combined efforts under the auspices > of the FreeBSD Foundation and the Semihalf team sponsored > by Stormshield. > > Best regards, > Marcin Thanks very much for working on this. FYI, there are some test cases seem to be affected by this: https://ci.freebsd.org/job/FreeBSD-main-amd64-test/19828/testReport/ The mkimg ones are a bit tricky, it seems the output is changed in each run. We may need a way to generate reproducible results.. I'm still checking them, but hope more people can join and fix them. Best, Li-Wen