From owner-freebsd-current@FreeBSD.ORG Wed Apr 9 00:17:49 2014
From: Oliver Pinter
To: FreeBSD-current
Cc: Shawn Webb
Date: Wed, 9 Apr 2014 02:17:48 +0200
Subject: Re: [CFT] ASLR and PIE on amd64
In-Reply-To: <20140402152232.GF20907@pwnie.vrt.sourcefire.com>
References: <20140331002436.GB14025@pwnie.vrt.sourcefire.com> <20140402152232.GF20907@pwnie.vrt.sourcefire.com>
On 4/2/14, Shawn Webb wrote:
> On Apr 02, 2014 04:54 PM +0200, Oliver Pinter wrote:
>> On 4/2/14, Oliver Pinter wrote:
>> > On 3/31/14, Shawn Webb wrote:
>> >> On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
>> >>> On 3/22/14, Shawn Webb wrote:
>> >>> > Hey All,
>> >>> >
>> >>> > First off, I hope that even as a non-committer, it's okay that I post
>> >>> > a call for testing. If not, please excuse my newbishness in this
>> >>> > process. This is my first time submitting a major patch upstream to
>> >>> > FreeBSD.
>> >>> >
>> >>> > Over the past few months, I've had the opportunity and pleasure to
>> >>> > enhance existing patches to FreeBSD that implement a common exploit
>> >>> > mitigation technology called Address Space Layout Randomization (ASLR)
>> >>> > along with support for Position Independent Executables (PIE).
>> >>> > ASLR+PIE has been a long-requested feature by many people I've met on
>> >>> > IRC.
>> >>> >
>> >>> > I've submitted my patch to PR kernel/181497. I'm currently in the
>> >>> > process of adding PIE support to certain high-visibility applications
>> >>> > in base (mainly network daemons). I've added a make.conf knob that
>> >>> > defaults to enabled (WITH_PIE=1). An application has to also explicitly
>> >>> > support PIE as well by defining CAN_PIE in the Makefile prior to
>> >>> > including bsd.prog.mk. After I get a decent amount of applications
>> >>> > enabled with PIE support, I'll submit one last patch.
>> >>> >
>> >>> > The following sysctls can be set with a kernel compiled with the
>> >>> > PAX_ASLR option:
>> >>> >
>> >>> > security.pax.aslr.status: 1
>> >>> > security.pax.aslr.debug: 0
>> >>> > security.pax.aslr.mmap_len: 16
>> >>> > security.pax.aslr.stack_len: 12
>> >>> > security.pax.aslr.exec_len: 12
>> >>> >
>> >>> > The security.pax.aslr.status sysctl enables and disables the ASLR
>> >>> > system as a whole. The debug sysctl gives debugging output. The
>> >>> > mmap_len sysctl tells the ASLR system how many bits to randomize when
>> >>> > mmap() is called. The stack_len sysctl tells the ASLR system how many
>> >>> > bits to randomize in the stack. The exec_len sysctl tells the ASLR
>> >>> > system how many bits to randomize the execbase (this controls PIE).
>> >>> > These sysctls can be set on a per-jail basis. If you have an
>> >>> > application which doesn't support ASLR, yet you want ASLR enabled for
>> >>> > everything else, you can simply place that misbehaving application in
>> >>> > a jail with only that jail's ASLR settings turned off.
>> >>> >
>> >>> > Please let me know how your testing goes. I'm giving a presentation at
>> >>> > BSDCan regarding this.
>> >>> >
>> >>> > If you want to keep tabs on my bleeding-edge development process,
>> >>> > please follow my progress on GitHub:
>> >>> > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
>> >>> >
>> >>> > Thank you very much,
>> >>>
>> >>> Hi!
>> >>>
>> >>> Please apply this patch. This fixed an issue with tunables.
>> >>
>> >> Patch merged successfully into my GitHub repo. Fixed with commit
>> >> d2c0813. I'll include it in my next patch submission upstream when I
>> >> submit my PIE work. Thanks!
>> >
>> > please see the attached patch, compile and boot tested on amd64
>>
>> Some more patches, and one critical fix
>> (0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).
>
> You are awesome. I'll integrate those patches today. In reviewing your
> patches, I noticed a few places where I'm keying off the local
> pax_aslr_debug variable. I ought to switch that to keying off the jail's
> pr_pax_aslr_debug variable.

https://github.com/HardenedBSD/hardenedBSD/commits/hardened/10/aslr
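To check what the mmap_len, stack_len and exec_len sysctls from the CFT actually buy on a running system, here is an added test harness (not code from this thread or from either GitHub branch) that re-executes itself and counts which page-granular bits of the mmap base, the stack and the PIE text address change between runs; the 64-run sample size, the use of argv[0] for re-execution and the choice of print_bases as the "exec base" probe are assumptions.

```c
/* Added example, not code from this thread or from the lattera/HardenedBSD
 * branches: count how many page-granular address bits really vary across
 * fresh process images, so the observed mmap, stack and exec bases can be
 * compared with the mmap_len, stack_len and exec_len sysctls. Assumes a
 * POSIX system and a PIE build; it re-executes argv[0], so run it by path. */
#define _DEFAULT_SOURCE
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#define PAGE_MASK (~(uintptr_t)0xfff)   /* drop in-page offset bits */

/* Bits that differ from the first sample in at least one later sample:
 * a lower bound on the bits the kernel randomized for that region. */
int randomized_bits(const uintptr_t *samples, size_t n) {
    uintptr_t varying = 0;
    for (size_t i = 1; i < n; i++) varying |= samples[i] ^ samples[0];
    int bits = 0;
    for (; varying; varying >>= 1) bits += (int)(varying & 1);
    return bits;
}

/* Child mode: emit one sample of each base the three *_len sysctls govern. */
static void print_bases(void) {
    int on_stack;
    void *m = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    printf("%" PRIxPTR " %" PRIxPTR " %" PRIxPTR "\n", (uintptr_t)m,
           (uintptr_t)&on_stack, (uintptr_t)print_bases); /* text = exec base */
    munmap(m, 4096);
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--child") == 0) { print_bases(); return 0; }
    enum { RUNS = 64 };   /* assumed sample size; enough to see every varying bit */
    uintptr_t mm[RUNS], st[RUNS], ex[RUNS];
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s --child", argv[0]);
    for (int i = 0; i < RUNS; i++) {
        FILE *p = popen(cmd, "r");
        if (!p || fscanf(p, "%" SCNxPTR " %" SCNxPTR " %" SCNxPTR,
                         &mm[i], &st[i], &ex[i]) != 3) {
            perror("sampling child"); return 1;
        }
        pclose(p);
        mm[i] &= PAGE_MASK; st[i] &= PAGE_MASK; ex[i] &= PAGE_MASK;
    }
    printf("varying page bits: mmap=%d stack=%d exec=%d\n", randomized_bits(mm, RUNS),
           randomized_bits(st, RUNS), randomized_bits(ex, RUNS));
    return 0;
}
```

With security.pax.aslr.status set to 0 all three counts should drop to 0; with the defaults above you would expect roughly 16, 12 and 12 varying bits, and a PIE-less binary shows 0 for exec no matter what exec_len says.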