Date: Fri, 17 Apr 2020 09:06:58 -0400
From: Shawn Webb
To: Marcin Wojtas
Cc: freebsd-security@freebsd.org, Rafal Jaworowski
Subject: Re: ASLR/PIE status in FreeBSD HEAD
Message-ID: <20200417130658.wijvhim5ylvgptub@mutt-hbsd>

On Fri, Apr 17, 2020 at 02:58:06PM +0200, Marcin Wojtas wrote:
> Hi,
>
> Together with our customers, Semihalf is interested in improving the status
> of security mitigations enablement in FreeBSD. To start with, based on our
> initial research it seems that after 2019 enhancements the ASLR/PIE
> features are in pretty much ready state.
>
> Building the world using the 'WITH_PIE' flag produced proper binaries and
> the sanity showed no obvious degradations. Additionally, for the ASLR we
> performed a comparison of the pax tests (
> https://github.com/opntr/paxtest-freebsd) for amd64/arm64 and they indicate
> the feature is working fine after setting the according sysctl knobs. I'd
> be happy to present the results and discuss the details, but firstly I'd
> like to ask more general questions:

Quick note: paxtest's algorithms for measuring ASLR were meant to test
ASLR, not FreeBSD's ASR implementation. Thus, paxtest results for
FreeBSD's ASR are moot.

Link to the relevant discussion, as pointed out by the dude who coined
the term ASLR:

https://reviews.freebsd.org/D5603#120017

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc