Date: Fri, 17 Apr 2020 09:06:58 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Marcin Wojtas <mw@semihalf.com>
Cc: freebsd-security@freebsd.org, Rafal Jaworowski <raj@semihalf.com>
Subject: Re: ASLR/PIE status in FreeBSD HEAD
Message-ID: <20200417130658.wijvhim5ylvgptub@mutt-hbsd>
In-Reply-To: <CAPv3WKfYyVnfNDTPOEN6TF_GjJr=ThdNeB1yMtTEoQoxEdHMDg@mail.gmail.com>
References: <CAPv3WKfYyVnfNDTPOEN6TF_GjJr=ThdNeB1yMtTEoQoxEdHMDg@mail.gmail.com>
On Fri, Apr 17, 2020 at 02:58:06PM +0200, Marcin Wojtas wrote:
> Hi,
>
> Together with our customers, Semihalf is interested in improving the status
> of security mitigations enablement in FreeBSD. To start with, based on our
> initial research it seems that after 2019 enhancements the ASLR/PIE
> features are in pretty much ready state.
>
> Building the world using the 'WITH_PIE' flag produced proper binaries and
> the sanity showed no obvious degradations. Additionally, for the ASLR we
> performed a comparison of the pax tests (
> https://github.com/opntr/paxtest-freebsd) for amd64/arm64 and they indicate
> the feature is working fine after setting the according sysctl knobs. I'd
> be happy to present the results and discuss the details, but firstly I'd
> like to ask more general questions:

Quick note: paxtest's algorithms for measuring ASLR were meant to test
ASLR, not FreeBSD's ASR implementation. Thus, paxtest results for
FreeBSD's ASR are moot.

Link to the relevant discussion, as pointed out by the dude who coined
the term ASLR:

https://reviews.freebsd.org/D5603#120017

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
