Date: Thu, 23 Apr 2020 15:38:35 +0000 From: Brooks Davis <brooks@freebsd.org> To: Marcin Wojtas <mw@semihalf.com> Cc: Ed Maste <emaste@freebsd.org>, freebsd-security@freebsd.org, Rafal Jaworowski <raj@semihalf.com> Subject: Re: ASLR/PIE status in FreeBSD HEAD Message-ID: <20200423153835.GF42225@spindle.one-eyed-alien.net> In-Reply-To: <CAPv3WKdQrS4oAcUcNn_mQOUJCmKm88LWhv62yf5B0BkmnyGpaA@mail.gmail.com> References: <CAPv3WKfYyVnfNDTPOEN6TF_GjJr=ThdNeB1yMtTEoQoxEdHMDg@mail.gmail.com> <CAPyFy2Cis6mKP%2BtRqEG8CwODgLXVBpQsxQ4FJX6wrpiPODr=Bg@mail.gmail.com> <CAPv3WKdQrS4oAcUcNn_mQOUJCmKm88LWhv62yf5B0BkmnyGpaA@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Mon, Apr 20, 2020 at 04:21:59PM +0200, Marcin Wojtas wrote: > Hi Ed, > > pt., 17 kwi 2020 o 15:52 Ed Maste <emaste@freebsd.org> napisa??(a): > > > > On Fri, 17 Apr 2020 at 08:58, Marcin Wojtas <mw@semihalf.com> wrote: > > > > > > Hi, > > > > > > Together with our customers, Semihalf is interested in improving the status > > > of security mitigations enablement in FreeBSD. > > > > Happy to hear that there's interest in this work! > > > > > 1. Are there any hard blockers, like missing features or bugs, that prevent > > > enabling ASLR by default in the kernel and building the base system with > > > -DWITH_PIE? > > > > I believe there are no showstopper issues but there are a some > > prerequisites. One is that there are some applications that may > > misbehave with randomization enabled. They would need to be > > identified, and tagged (with the elfctl tool now in the base system). > > I was thinking if it is possible to come up with such wide test > coverage to test every single application from the base system. Do you > think it is achievable or should we rather follow the approach to do > as many tests as possible, but rely on the community feedback to catch > the corner cases (like the ntpd issue mentioned in this thread)? > What about the ports? If we gate on full testing we'll never move forward. We had a GSoC project a few years ago to try to generate lame tests for each program, if someone picked that up, we could get better coverage fairly quickly, but it would still be far from complete. Our best bet is probably to make it easy for people to test and to try and recruit testers in the community (this is especially true for ports). -- Brooks [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJeobZ6AAoJEKzQXbSebgfA8bEH/2oHmEOqlyZkzVfCuSeW3d2x SitpiVCTpp040jO6eZG6d+vUlG2JydJSyO4cHvr32WLb8Mq9m1tc54PArrBrsS1d BxynlmntqU1lR0ulhTwBXyUezjqwrx8pRg32PfNbK5owU+pKAtcTwRRqqNmQr3vJ IAWe/54u2P9DUJkAUsrykc2Q4OpzSJYoTYJKnnxhN8tI1cPYuzaLmCVotmhBjX87 s+GXQWf/OuGqeM4NNj05+UIDrSuUfIOIAjDXgEwhfnN/DgxrsHv6DAiOfCXjrtSL qlYLNQrPl4ySV3HKMYr3570OSo05YQfMWzSCH6akPawCMTq5KFgi0VK3KYFRg8Y= =UUmC -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200423153835.GF42225>