From: Shawn Webb
To: Oliver Pinter
Cc: FreeBSD-current
Subject: Re: [CFT] ASLR and PIE on amd64
Date: Tue, 8 Apr 2014 20:21:21 -0400
Message-ID: <20140409002121.GA15374@pwnie.vrt.sourcefire.com>

On Apr 09, 2014 02:17 AM +0200, Oliver Pinter wrote:
> On 4/2/14, Shawn Webb wrote:
> > On Apr 02, 2014 04:54 PM +0200, Oliver Pinter wrote:
> >> On 4/2/14, Oliver Pinter wrote:
> >> > On 3/31/14, Shawn Webb wrote:
> >> >> On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
> >> >>> On 3/22/14, Shawn Webb wrote:
> >> >>> > Hey All,
> >> >>> >
> >> >>> > First off, I hope that even as a non-committer, it's okay that I post
> >> >>> > a call for testing. If not, please excuse my newbishness in this
> >> >>> > process. This is my first time submitting a major patch upstream to
> >> >>> > FreeBSD.
> >> >>> >
> >> >>> > Over the past few months, I've had the opportunity and pleasure to
> >> >>> > enhance existing patches to FreeBSD that implement a common exploit
> >> >>> > mitigation technology called Address Space Layout Randomization (ASLR)
> >> >>> > along with support for Position Independent Executables (PIE).
> >> >>> > ASLR+PIE has been a long-requested feature by many people I've met on
> >> >>> > IRC.
> >> >>> >
> >> >>> > I've submitted my patch to PR kernel/181497. I'm currently in the
> >> >>> > process of adding PIE support to certain high-visibility applications
> >> >>> > in base (mainly network daemons). I've added a make.conf knob that
> >> >>> > defaults to enabled (WITH_PIE=1). An application has to also
> >> >>> > explicitly support PIE as well by defining CAN_PIE in the Makefile
> >> >>> > prior to including bsd.prog.mk. After I get a decent amount of
> >> >>> > applications enabled with PIE support, I'll submit one last patch.
> >> >>> >
> >> >>> > The following sysctls can be set with a kernel compiled with the
> >> >>> > PAX_ASLR option:
> >> >>> >
> >> >>> > security.pax.aslr.status: 1
> >> >>> > security.pax.aslr.debug: 0
> >> >>> > security.pax.aslr.mmap_len: 16
> >> >>> > security.pax.aslr.stack_len: 12
> >> >>> > security.pax.aslr.exec_len: 12
> >> >>> >
> >> >>> > The security.pax.aslr.status sysctl enables and disables the ASLR
> >> >>> > system as a whole. The debug sysctl gives debugging output. The
> >> >>> > mmap_len sysctl tells the ASLR system how many bits to randomize when
> >> >>> > mmap() is called. The stack_len sysctl tells the ASLR system how many
> >> >>> > bits to randomize in the stack. The exec_len sysctl tells the ASLR
> >> >>> > system how many bits to randomize the execbase (this controls PIE).
> >> >>> > These sysctls can be set on a per-jail basis. If you have an
> >> >>> > application which doesn't support ASLR, yet you want ASLR enabled for
> >> >>> > everything else, you can simply place that misbehaving application in
> >> >>> > a jail with only that jail's ASLR settings turned off.
> >> >>> >
> >> >>> > Please let me know how your testing goes. I'm giving a presentation
> >> >>> > at BSDCan regarding this.
> >> >>> >
> >> >>> > If you want to keep tabs on my bleeding-edge development process,
> >> >>> > please follow my progress on GitHub:
> >> >>> > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
> >> >>> >
> >> >>> > Thank you very much,
> >> >>>
> >> >>> Hi!
> >> >>>
> >> >>> Please apply this patch. This fixed an issue with tunables.
> >> >>
> >> >> Patch merged successfully into my GitHub repo. Fixed with commit
> >> >> d2c0813. I'll include it in my next patch submission upstream when I
> >> >> submit my PIE work. Thanks!
> >> >
> >> > please see the attached patch, compile and boot tested on amd64
> >>
> >> Some more patches, and one critical fix
> >> (0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).
> >
> > You are awesome. I'll integrate those patches today. In reviewing your
> > patches, I noticed a few places where I'm keying off the local
> > pax_aslr_debug variable. I ought to switch that to keying off the jail's
> > pr_pax_aslr_debug variable.
>
> https://github.com/HardenedBSD/hardenedBSD/commits/hardened/10/aslr

And for anyone who's tracking HEAD (like me):

https://github.com/HardenedBSD/hardenedBSD/commits/hardened/current/aslr
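The CFT above notes that a binary only benefits from the exec_len (PIE) randomization if it was actually built as PIE. A quick check a tester can run on an installed binary is to read the ELF header's e_type: ET_DYN is relocatable at load time, ET_EXEC has a fixed base and gets no execbase randomization regardless of the sysctl. The helper below is an added example, not code from the patch or from FreeBSD; the function names and the constructed sample headers are mine. Caveat: ET_DYN also covers shared libraries, so for a full audit you would additionally look at PT_INTERP or the entry point, and this says nothing about whether the running kernel has security.pax.aslr.status enabled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of the ASLR patch): classify an ELF64 header
 * by e_type.  Returns 1 for ET_DYN (PIE or shared object, load address chosen
 * by the kernel, so exec_len randomization applies), 0 for ET_EXEC (fixed
 * base, PIE randomization cannot apply), -1 if this is not a usable
 * little-endian ELF64 header. */
int elf64_is_pic(const unsigned char *buf, size_t len)
{
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    if (buf[4] != 2 || buf[5] != 1)     /* EI_CLASS ELFCLASS64, EI_DATA LSB */
        return -1;
    uint16_t e_type = (uint16_t)buf[16] | ((uint16_t)buf[17] << 8);
    if (e_type == 2) return 0;          /* ET_EXEC */
    if (e_type == 3) return 1;          /* ET_DYN  */
    return -1;                          /* ET_REL, ET_CORE, ...: not an image */
}

/* Same classification for a file on disk; -2 on open/read error. */
int elf64_file_is_pic(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf64_is_pic(hdr, n);
}

/* Constructed sample headers: ELF64, LSB, OSABI 9 (FreeBSD), EM_X86_64.
 * Only the identification and e_type fields are meaningful here. */
static unsigned char pie_hdr[64]  = { 0x7f,'E','L','F', 2,1,1,9, 0,0,0,0,0,0,0,0, 3,0, 0x3e,0 };
static unsigned char exec_hdr[64] = { 0x7f,'E','L','F', 2,1,1,9, 0,0,0,0,0,0,0,0, 2,0, 0x3e,0 };

int main(int argc, char **argv)
{
    if (argc > 1) {
        int r = elf64_file_is_pic(argv[1]);
        printf("%s: %s\n", argv[1],
               r == 1 ? "ET_DYN (PIE or shared object)" :
               r == 0 ? "ET_EXEC (not PIE, no execbase randomization)" :
                        "not a usable ELF64 header");
        return r < 0;
    }
    printf("constructed PIE header -> %d, constructed EXEC header -> %d\n",
           elf64_is_pic(pie_hdr, sizeof pie_hdr), elf64_is_pic(exec_hdr, sizeof exec_hdr));
    return 0;
}
```

Run it as `./elfpie /path/to/binary` on a test system to confirm that a program built with CAN_PIE really comes out as ET_DYN.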