From: Shawn Webb
To: Bartek Rutkowski
Cc: freebsd-security@freebsd.org
Subject: Re: CFT: New ASLR Patch
Date: Tue, 24 Feb 2015 08:37:39 -0500
Message-ID: <12077700.SpcsIGnYmK@shawn-work-laptop>
Organization: HardenedBSD
References: <2473923.nPpcAzaekg@shawnwebb-laptop>

On Tuesday, February 24, 2015 01:30:19 PM Bartek Rutkowski wrote:
> On Sat, Feb 21, 2015 at 3:59 PM, Shawn Webb wrote:
> > Hey All,
> >
> > It has been a long time since we sent out a call for testing request for
> > our ASLR patch. We've been hard at work making our ASLR implementation as
> > robust as possible. We'd like to invite all adventurous souls to test our
> > ASLR implementation. Put it through the wringer.
> >
> > Since the patch is much too large to attach to an email, you can find our
> > latest patch on FreeBSD's Phabricator:
> >
> > https://reviews.freebsd.org/D473
> >
> > Or download the raw version of the patch:
> > https://reviews.freebsd.org/D473?download=true
> >
> > Please let me know if you find any issues.
> >
> > Thanks,
> >
> > Shawn Webb
> > HardenedBSD
>
> Hi,
>
> First of all, thanks a lot for your work on that, can't wait to see it
> implemented in FreeBSD release!
>
> Could you perhaps update your call for testing with some instructions
> for potential testers as to how to test (I assume this patch is against
> -CURRENT, but I could be wrong here, and others could make different
> assumptions), is there anything else than applying patches,
> compilation and reboot required (any configuration?), what to look at
> when running on these patches, what are you interested in when
> reporting any success/issues with them (any instructions for
> generating a relevant problem report for you?) and so on?
>
> Kind regards,
> Bartek Rutkowski

Hey Bartek,

Great questions which I should have answered in my original email.

The patch is against HEAD (11-CURRENT). Here's how you can test it:

1) Download the patch
2) cd /usr/src && patch -p1 < /path/to/downloaded/patch
3) vim sys/amd64/conf/GENERIC
3.1) Find the line that has "#options PAX_ASLR" and uncomment it
3.2) Optionally uncomment the PAX_SYSCTLS kernel option as well
4) Build world and kernel
5) Install world and kernel
6) Reboot
7) Sit back, relax, and enjoy life

Since FreeBSD's base doesn't support being compiled as Position-Independent
Executables (PIEs), ASLR is only semi-applied. The base address of shared
objects and anonymous mappings get randomized along with the stack. The base
address of the executable itself does not. If FreeBSD had support for
compiling base as PIEs, then you would see ASLR fully applied, including the
base address of the application.

Ideally, you should see no breakage in applications. Our implementation does
provide per-jail granularity. So if an application does break with ASLR
applied, you can simply run that application in a jail where ASLR is disabled
for that jail only. You will need the PAX_SYSCTLS kernel option in this case.

Thanks,

Shawn
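A tester who wants something concrete to "look at" after rebooting into the patched kernel can check which of the regions Shawn lists actually move between runs. The following C program is an added example, not code from the mail or from the HardenedBSD patch; every name in it (struct layout, sample_layout, compare_layouts, the "--sample" flag) is this example's own. It re-executes itself twice and compares four addresses across the two runs: a function in the executable, a pointer into libc's static data (used here as a stand-in for the shared-object base), a fresh anonymous mapping, and a stack variable. On a kernel with PAX_ASLR enabled and a non-PIE base, the expected report is "fixed" for the executable and "randomized" for the other three, exactly the semi-applied behaviour described above; on a kernel without the patch, all four stay fixed.

```c
#define _DEFAULT_SOURCE   /* expose popen() and MAP_ANON under strict-C glibc; harmless elsewhere */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Where each of the four region kinds discussed in the mail landed in one process. */
struct layout {
    uintptr_t exe;    /* a function inside the main executable (moves only if base is PIE) */
    uintptr_t shlib;  /* static data inside libc, a proxy for the shared-object base */
    uintptr_t anon;   /* a fresh anonymous mmap() region */
    uintptr_t stack;  /* a local variable on the main thread's stack */
};

/* Bits returned by compare_layouts(): set when that region moved between runs. */
enum { MOVED_EXE = 1, MOVED_SHLIB = 2, MOVED_ANON = 4, MOVED_STACK = 8 };

static void exe_marker(void) {}

/* Sample the current process. Returns 0 on success, -1 if the mapping fails. */
int sample_layout(struct layout *l)
{
    volatile int stack_marker = 0;
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    l->exe = (uintptr_t)exe_marker;
    l->shlib = (uintptr_t)strerror(EINVAL);   /* points into libc's read-only data */
    l->anon = (uintptr_t)p;
    l->stack = (uintptr_t)&stack_marker;
    munmap(p, 4096);
    return 0;
}

/* Which regions differ between two samples taken in two separate exec()s. */
int compare_layouts(const struct layout *a, const struct layout *b)
{
    int moved = 0;
    if (a->exe != b->exe) moved |= MOVED_EXE;
    if (a->shlib != b->shlib) moved |= MOVED_SHLIB;
    if (a->anon != b->anon) moved |= MOVED_ANON;
    if (a->stack != b->stack) moved |= MOVED_STACK;
    return moved;
}

/* Parse the single hex line printed by a "--sample" child. Returns 0 on success. */
int parse_layout(const char *line, struct layout *l)
{
    int n = sscanf(line, "%" SCNxPTR " %" SCNxPTR " %" SCNxPTR " %" SCNxPTR,
                   &l->exe, &l->shlib, &l->anon, &l->stack);
    return n == 4 ? 0 : -1;
}

/* Start a fresh copy of this binary (so the kernel lays it out anew) and read its sample. */
static int sample_child(const char *self, struct layout *l)
{
    char cmd[1024], line[256];
    snprintf(cmd, sizeof cmd, "%s --sample", self);
    FILE *f = popen(cmd, "r");
    if (f == NULL)
        return -1;
    int ok = fgets(line, sizeof line, f) != NULL && parse_layout(line, l) == 0;
    pclose(f);
    return ok ? 0 : -1;
}

/* Consistency check: a sample equals itself, a copy with a shifted anon address
   reports exactly MOVED_ANON, and a constructed sample line parses back correctly. */
int layout_selftest(void)
{
    struct layout a, b, c;
    if (sample_layout(&a) != 0 || a.exe == 0 || a.shlib == 0 || a.anon == 0 || a.stack == 0)
        return 0;
    b = a;
    b.anon += 4096;
    if (compare_layouts(&a, &a) != 0 || compare_layouts(&a, &b) != MOVED_ANON)
        return 0;
    /* constructed sample values, not from any real run */
    if (parse_layout("400000 7ffff7a0 7ffff000 7fffffff", &c) != 0)
        return 0;
    return c.exe == 0x400000 && c.stack == 0x7fffffff;
}

int main(int argc, char **argv)
{
    struct layout a, b;
    if (argc > 1 && strcmp(argv[1], "--sample") == 0) {
        if (sample_layout(&a) != 0)
            return 1;
        printf("%" PRIxPTR " %" PRIxPTR " %" PRIxPTR " %" PRIxPTR "\n",
               a.exe, a.shlib, a.anon, a.stack);
        return 0;
    }
    /* ASLR picks a layout once per exec(), so two child runs show what the kernel randomizes. */
    if (sample_child(argv[0], &a) != 0 || sample_child(argv[0], &b) != 0) {
        fprintf(stderr, "could not re-run %s; invoke it by path, e.g. ./aslr-check\n", argv[0]);
        return 1;
    }
    int moved = compare_layouts(&a, &b);
    printf("executable base : %s\n", (moved & MOVED_EXE) ? "randomized" : "fixed");
    printf("shared object   : %s\n", (moved & MOVED_SHLIB) ? "randomized" : "fixed");
    printf("anonymous mmap  : %s\n", (moved & MOVED_ANON) ? "randomized" : "fixed");
    printf("stack           : %s\n", (moved & MOVED_STACK) ? "randomized" : "fixed");
    return 0;
}
```

Build it with cc -o aslr-check aslr-check.c and run ./aslr-check (by path, since it re-invokes argv[0]). Running it once inside a jail with ASLR disabled and once outside is also a quick way to confirm the per-jail switch behaves as expected.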