Date: Wed, 17 Nov 2021 00:40:34 -0500 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Kubilay Kocak <koobs@FreeBSD.org> Cc: Marcin Wojtas <mw@FreeBSD.org>, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: Re: git: b014e0f15bc7 - main - Enable ASLR by default for 64-bit executables Message-ID: <20211117054034.jr6wdl5o42dv2kb6@mutt-hbsd> In-Reply-To: <e07dce67-5aaa-a9ea-bfa4-941c01cdead8@FreeBSD.org> References: <202111162226.1AGMQg00099240@gitrepo.freebsd.org> <e07dce67-5aaa-a9ea-bfa4-941c01cdead8@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--yd54oiu2dteiihry Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Nov 17, 2021 at 10:42:12AM +1100, Kubilay Kocak wrote: > On 17/11/2021 9:26 am, Marcin Wojtas wrote: > > The branch main has been updated by mw: > >=20 > > URL: https://cgit.FreeBSD.org/src/commit/?id=3Db014e0f15bc73d80ef49b64f= d1f8c29f469467cb > >=20 > > commit b014e0f15bc73d80ef49b64fd1f8c29f469467cb > > Author: Marcin Wojtas <mw@FreeBSD.org> > > AuthorDate: 2021-10-24 14:53:06 +0000 > > Commit: Marcin Wojtas <mw@FreeBSD.org> > > CommitDate: 2021-11-16 22:16:09 +0000 > >=20 > > Enable ASLR by default for 64-bit executables > > Address Space Layout Randomization (ASLR) is an exploit mitigation > > technique implemented in the majority of modern operating systems. > > It involves randomly positioning the base address of an executable > > and the position of libraries, heap, and stack, in a process's add= ress > > space. Although over the years ASLR proved to not guarantee full OS > > security on its own, this mechanism can make exploitation more dif= ficult. > > Tests on the tier 1 64-bit architectures demonstrated that the ASL= R is > > stable and does not result in noticeable performance degradation, > > therefore it should be safe to enable this mechanism by default. > > Moreover its effectiveness is increased for PIE (Position Independ= ent > > Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by > > default on 64-bit architectures"), building from src is not necess= ary > > to have PIE binaries. It is enough to control usage of ASLR in the > > OS solely by setting the appropriate sysctls. > > This patch toggles the kernel settings to use address map randomiz= ation > > for PIE & non-PIE 64-bit binaries. It also disables SBRK, in order > > to allow utilization of the bss grow region for mappings. The latt= er > > has no effect if ASLR is disabled, so apply it to all architecture= s. > > As for the drawbacks, a consequence of using the ASLR is more > > significant VM fragmentation, hence the issues may be encountered > > in the systems with a limited address space in high memory consump= tion > > cases, such as buildworld. As a result, although the tests on 32-b= it > > architectures with ASLR enabled were mostly on par with what was > > observed on 64-bit ones, the defaults for the former are not chang= ed > > at this time. Also, for the sake of safety keep the feature disabl= ed > > for 32-bit executables on 64-bit machines, too. > > The committed change affects the overall OS operation, so the > > following should be taken into consideration: > > * Address space fragmentation. > > * A changed ABI due to modified layout of address space. > > * More complicated debugging due to: > > * Non-reproducible address space layout between runs. > > * Some debuggers automatically disable ASLR for spawned processe= s, > > making target's environment different between debug and > > non-debug runs. > > In order to confirm/rule-out the dependency of any encountered iss= ue > > on ASLR it is strongly advised to re-run the test with the feature > > disabled - it can be done by setting the following sysctls > > in the /etc/sysctl.conf file: > > kern.elf64.aslr.enable=3D0 > > kern.elf64.aslr.pie_enable=3D0 > > Co-developed by: Dawid Gorecki <dgr@semihalf.com> > > Reviewed by: emaste, kib > > Obtained from: Semihalf > > Sponsored by: Stormshield > > MFC after: 1 month > > Differential revision: https://reviews.freebsd.org/D27666 > > --- > > sys/kern/imgact_elf.c | 20 +++++++++++++++++--- > > 1 file changed, 17 insertions(+), 3 deletions(-) > >=20 > > diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c > > index 898f0f66a532..38ad61d8720b 100644 > > --- a/sys/kern/imgact_elf.c > > +++ b/sys/kern/imgact_elf.c > > @@ -161,19 +161,33 @@ SYSCTL_NODE(__CONCAT(_kern_elf, __ELF_WORD_SIZE),= OID_AUTO, aslr, > > ""); > > #define ASLR_NODE_OID __CONCAT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), = _aslr) > > -static int __elfN(aslr_enabled) =3D 0; > > +/* > > + * While for 64-bit machines ASLR works properly, there are > > + * still some problems when using 32-bit architectures. For this > > + * reason ASLR is only enabled by default when running native > > + * 64-bit non-PIE executables. > > + */ > > +static int __elfN(aslr_enabled) =3D __ELF_WORD_SIZE =3D=3D 64; > > SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, enable, CTLFLAG_RWTUN, > > &__elfN(aslr_enabled), 0, > > __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) > > ": enable address map randomization"); > > -static int __elfN(pie_aslr_enabled) =3D 0; > > +/* > > + * Enable ASLR only for 64-bit PIE binaries by default. > > + */ > > +static int __elfN(pie_aslr_enabled) =3D __ELF_WORD_SIZE =3D=3D 64; > > SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, pie_enable, CTLFLAG_RWTUN, > > &__elfN(pie_aslr_enabled), 0, > > __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) > > ": enable address map randomization for PIE binaries"); >=20 > The current description seems ambiguous with respect to the added comment. > If the sysctl (=3D1) applies ASLR "only" for PIE binaries, where the =3D0 > (sysctl disabled) case applies it unconditionally, a better description > might be: >=20 > "Enable address map randomization only for PIE binaries" >=20 > What is the actual/correct behaviour of the control? It also doesn't make much sense to toggle AS{L}R for the different parts of an executable image. AS{L}R is an "all or nothing" thing. Really, there should be only a single toggle with four modes: 1. AS{L}R force disable 2. AS{L}R opt out 3. AS{L}R opt in 4. AS{L}R force enable HardenedBSD has found that users get confused or are unsure of having too many toggles. "What happens when I do <X>?" In this case, you'd probably have to have deeper knowledge of how FreeBSD's AS{L}R is implemented. Having a single sysctl knob makes life easier for users and reduces implementation complexity. Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A= 4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc --yd54oiu2dteiihry Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmGUldAACgkQ/y5nonf4 4fpd0w/+LO+NtrKFMuiImHMyT1OJukVAgJiFD2C6/uQSpPIy/g4geWuB16MaRHxM jnUOgpJjypfTo0ToiEs9Eh5q3EAIDqqbQR5AdFrycwdG+A1F/jZptWiqJWhZgmuI oD+caYuzVmen4dBPM5niMP/1pRatCSREZzfG+OQ/kXCN+5m0vMsDprpGFkzdP/+W +SlGtpiV8fRDj/FmVVF/XXq1IlM8dXgZOYCZw6dLatdIqBnn/lzSx9psBh/D0Ums V/E2WjIDZx9O4Tb5XmtkcV1VYiHGMBtpXCVn7gFtEokVo+o1/oeKrb9X7rXyeys7 tcKTtdvZFVy0/d9BMpUzO8nE6rzD0nblOS9iOFo9xr612ULNmHxBS5WkunOetcMP z3+aGx3IiqpexBmsFlva/BNssvRwZI+s5v4EiQFOJrpN9SrBzkifbQ6QWF0/wnia rBGSm+MQbSd/BJDPknbDioyjGT6P3ROGqRelrDgb9qOIr0N3xOiOJIp7NzBQhWzI BQIlvueqMAUdXE9KsLWkKKW8WQTZTlOPIrx/Y+JP4L5j1vrj8sSID8bPHNotYOlN xsMGrf3Y2mJi7vmai9mG3y095xSE8zunDzXl38NI6fEky9Db+hRwDDvhksvl79uW 3v/WapZZtpcwMERSYk6GE0igIaOqPZ026dhRSUO/h10vChb47lE= =+1cg -----END PGP SIGNATURE----- --yd54oiu2dteiihry--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20211117054034.jr6wdl5o42dv2kb6>