From owner-freebsd-current@freebsd.org Sun Feb 28 14:40:56 2021
Date: Sun, 28 Feb 2021 09:40:54 -0500
From: Shawn Webb
To: Warner Losh
Cc: Ihor Antonov, FreeBSD Current, Gordon Bergling, Ed Maste
Subject: Re: HEADS-UP: PIE enabled by default on main
Message-ID: <20210228144054.urbtqudxjyzdkm7h@mutt-hbsd>
References: <20210228043411.mj7l5wkwj46neurv@localhost>
X-Operating-System: FreeBSD mutt-hbsd 14.0-CURRENT-HBSD FreeBSD 14.0-CURRENT-HBSD
List-Id: Discussions about the use of FreeBSD-current
On Sat, Feb 27, 2021 at 10:29:14PM -0700, Warner Losh wrote:
> On Sat, Feb 27, 2021 at 9:34 PM Ihor Antonov wrote:
>
> > > But isn't it well-known that ASLR/ASR/any-related-buzzwork does not add
> > > any security, except imaginary? The only purpose of it is to have a
> > > check-list item ticked green.
> >
> > I don't know if I should parse this as sarcasm (or any other form of
> > "humor") or as a serious statement? But this does leave me with a whole
> > bunch of questions..
> >
> > If this is really how Konstantin is describing it then is it OK to say
> > about this to the whole Internet? Why is the FreeBSD Foundation paying for
> > meaningless work then? Why do members of the Core team do this work? Does
> > this mean that FreeBSD is working to satisfy the silly needs of some fat
> > customer? What about project independence and not being controlled by
> > big money?
> >
> > Where can I read about ASLR and security myths?
>
> Why not spend time and explain why this does not work?
>
> Not to rise to the baitiness of all these leading questions (they really
> are quite contrary to how our community usually comports itself, but for
> the sake of civil discourse, I'll ignore)....
>
> I'll bet it has something to do with the many known ASLR attacks. One is
> chronicled in https://www.vusec.net/projects/anc/ and elsewhere, which show
> how MMU side channels can defeat ASLR. Or maybe he's familiar with the
> offset2lib attack against Linux 64-bit ASLR documented in this paper
> https://cybersecurity.upv.es/attacks/offset2lib/offset2lib-paper.pdf.
> There are many others as well that show the shortcomings of ASLR and disclose
> ways to defeat it using various clever means.

The problem with these papers is that they put ASLR on a pedestal it doesn't
deserve. If you take a look at PaX's original ASLR paper, you'll learn that
ASLR was not designed to protect against local attacks.
You'll also learn that the infoleak weakness was already postulated, even in
its initial design and implementation. Attacks against the MMU require local
code execution--for example, javascript in a browser. ASLR was never meant to
protect against such a case. We must take the original design into account
when discussing ASLR's valid shortcomings.

The point of ASLR is to combine it with W^X. Without W^X, ASLR makes no sense.
FreeBSD recently gained a W^X implementation that requires opt-in. When
combined with W^X, exploit authors must chain together multiple
vulnerabilities in order to successfully exploit. The combination of ASLR and
W^X has forever changed the very foundation of exploitation. Both, when
combined, do their job well--that of raising the economic cost of successful
remote exploitation.

Now that FreeBSD has both a form of ASLR known as ASR and a W^X
implementation, FreeBSD can move on to other exploit mitigations, such as CFI
and SafeStack (both of which are already integrated in some form in
HardenedBSD.)

This is likely to be my only response to this thread as I'm incredibly tired
of rehashing the same arguments, especially with regards to kib@, over the
span of many years.
Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
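As an added example (not from this thread, nor FreeBSD or HardenedBSD tooling), a small Python audit of an ELF64 image that reports the two properties the reply ties together: whether the binary is PIE (ET_DYN, so the kernel's ASLR can relocate it, which is what the thread's subject is about) and whether any PT_LOAD segment or the PT_GNU_STACK entry asks for memory that is both writable and executable, i.e. a W^X violation. The constants are standard ELF values; the two sample images are constructed inline and are not real binaries.

```python
import struct
import sys

# ELF constants from the ELF specification and FreeBSD's sys/elf_common.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def audit_elf64(data: bytes) -> dict:
    """Return pie (ET_DYN), wx_segments (PT_LOAD with W and X) and exec_stack (PT_GNU_STACK has X)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]          # ET_DYN means PIE, so ASLR applies
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    wx_segments, exec_stack = 0, None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx_segments += 1                                # mapped writable and executable
        elif p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)               # stack requested executable?
    return {"pie": e_type == ET_DYN, "wx_segments": wx_segments, "exec_stack": exec_stack}

def findings(report: dict) -> list:
    """Human-readable warnings; an empty list means both mitigations are respected."""
    out = []
    if not report["pie"]:
        out.append("not PIE: ASLR cannot randomise the executable's base")
    if report["wx_segments"]:
        out.append("%d writable+executable segment(s): violates W^X" % report["wx_segments"])
    if report["exec_stack"] is not False:
        out.append("executable stack or no PT_GNU_STACK: violates W^X")
    return out

def build_elf64(e_type: int, segments) -> bytes:
    """Construct a minimal ELF64 image (constructed test input, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + bytes(8)  # ELFCLASS64, LSB, ELFOSABI_FREEBSD
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
    return ident + hdr + phdrs

# Constructed samples: a PIE with W^X-clean segments, and a legacy non-PIE with an RWX segment.
HARDENED = build_elf64(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W), (PT_GNU_STACK, PF_R | PF_W)])
LEGACY = build_elf64(ET_EXEC, [(PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEGACY
    print("\n".join(findings(audit_elf64(data)) or ["no findings"]))
```

Run with a path to inspect a real binary; with no argument it audits the constructed legacy sample.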