Date:      Tue, 24 Feb 2015 08:37:39 -0500
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Bartek Rutkowski <robak@freebsd.org>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: CFT: New ASLR Patch
Message-ID:  <12077700.SpcsIGnYmK@shawn-work-laptop>
In-Reply-To: <CAHcXP%2Bfv6fxtXTB9gYdi%2BcdiF-E-0==gc95CsZiQzuyye4T1=Q@mail.gmail.com>
References:  <2473923.nPpcAzaekg@shawnwebb-laptop> <CAHcXP%2Bfv6fxtXTB9gYdi%2BcdiF-E-0==gc95CsZiQzuyye4T1=Q@mail.gmail.com>

On Tuesday, February 24, 2015 01:30:19 PM Bartek Rutkowski wrote:
> On Sat, Feb 21, 2015 at 3:59 PM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> > Hey All,
> > 
> > It has been a long time since we sent out a call for testing request for
> > our ASLR patch. We've been hard at work making our ASLR implementation as
> > robust as possible. We'd like to invite all adventurous souls to test our
> > ASLR implementation. Put it through the wringer.
> > 
> > Since the patch is much too large to attach to an email, you can find our
> > latest patch on FreeBSD's Phabricator:
> > 
> > https://reviews.freebsd.org/D473
> > 
> > Or download the raw version of the patch:
> > https://reviews.freebsd.org/D473?download=true
> > 
> > Please let me know if you find any issues.
> > 
> > Thanks,
> > 
> > Shawn Webb
> > HardenedBSD
> 
> Hi,
> 
> First of all, thanks a lot for your work on that, can't wait to see it
> implemented in FreeBSD release!
> 
> Could you perhaps update your call for testing with some instructions
> for potential testers as to how to test (I assume this patch is against
> -CURRENT, but I could be wrong here, and others could make different
> assumptions), is there anything else than applying patches,
> compilation and reboot required (any configuration?), what to look at
> when running on these patches, what are you interested in when
> reporting any success/issues with them (any instructions for
> generating a relevant problem report for you?) and so on?
> 
> Kind regards,
> Bartek Rutkowski

Hey Bartek,

Great questions which I should have answered in my original email. The patch 
is against HEAD (11-CURRENT).

Here's how you can test it:
1) Download the patch
2) cd /usr/src && patch -p1 < /path/to/downloaded/patch
3) vim sys/amd64/conf/GENERIC
    3.1) Find the line that has "#options PAX_ASLR" and uncomment it
    3.2) Optionally uncomment the PAX_SYSCTLS kernel option as well
4) Build world and kernel
5) Install world and kernel
6) Reboot
7) Sit back, relax, and enjoy life

Since FreeBSD's base doesn't support being compiled as Position-Independent 
Executables (PIEs), ASLR is only semi-applied. The base address of shared 
objects and anonymous mappings gets randomized along with the stack. The base 
address of the executable itself does not. If FreeBSD had support for 
compiling base as PIEs, then you would see ASLR fully applied, including the 
base address of the application.

Ideally, you should see no breakage in applications. Our implementation does 
provide per-jail granularity. So if an application does break with ASLR 
applied, you can simply run that application in a jail where ASLR is disabled 
for that jail only. You will need the PAX_SYSCTLS kernel option in this case.

Thanks,

Shawn
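
To check the behaviour described in the message on a patched system, the following added example (not part of the patch or of the message) re-executes itself twice and reports which of the four regions land at different addresses. It assumes a dynamically linked build whose stdout FILE object lives in libc; all identifiers and the "--probe" argument are made up for this example.

```c
#define _DEFAULT_SOURCE /* exposes MAP_ANON on glibc; harmless on FreeBSD */
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

enum { R_EXEC, R_STACK, R_MMAP, R_SHLIB, R_COUNT };
static const char *const region[R_COUNT] = { "executable", "stack", "anon mmap", "shared object" };
/* Record one address from each region the message names. */
int probe_self(uintptr_t out[R_COUNT]) {
    void *m = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (m == MAP_FAILED) return -1;
    out[R_EXEC] = (uintptr_t)&probe_self; /* the executable's own text */
    out[R_STACK] = (uintptr_t)&m;         /* a local variable */
    out[R_MMAP] = (uintptr_t)m;
    out[R_SHLIB] = (uintptr_t)stdout;     /* assumption: the FILE object lives in libc.so */
    munmap(m, 4096);
    return 0;
}
/* Bit i is set when region i sits at a different address in the two runs. */
unsigned moved_mask(const uintptr_t a[R_COUNT], const uintptr_t b[R_COUNT]) {
    unsigned mask = 0;
    for (int i = 0; i < R_COUNT; i++) mask |= (unsigned)(a[i] != b[i]) << i;
    return mask;
}
/* Exec a fresh copy of this binary and read its probe back over a pipe. */
static int probe_child(const char *self, uintptr_t out[R_COUNT]) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { /* child: stdout becomes the pipe, then re-exec */
        if (dup2(fd[1], STDOUT_FILENO) >= 0) execl(self, self, "--probe", (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    ssize_t n = pid < 0 ? -1 : read(fd[0], out, R_COUNT * sizeof out[0]);
    close(fd[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return n == (ssize_t)(R_COUNT * sizeof out[0]) ? 0 : -1;
}
int main(int argc, char **argv) { /* any argument selects child mode: emit raw addresses */
    uintptr_t a[R_COUNT], b[R_COUNT];
    if (argc > 1) return probe_self(a) || write(STDOUT_FILENO, a, sizeof a) != (ssize_t)sizeof a;
    if (probe_child(argv[0], a) || probe_child(argv[0], b)) return 1;
    for (unsigned i = 0, moved = moved_mask(a, b); i < R_COUNT; i++)
        printf("%-14s %#14lx %#14lx %s\n", region[i], (unsigned long)a[i],
               (unsigned long)b[i], (moved >> i) & 1 ? "randomized" : "fixed");
    return 0;
}
```

Both children are started with identical arguments and environment, so a stack difference is not just an artefact of argv size. Invoke the binary with a path (for example ./aslr_probe) so the re-exec can find it; going by the message, a non-PIE build on a PAX_ASLR kernel should show "fixed" for the executable and "randomized" for the other three.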