Date:      Fri, 17 Apr 2020 14:58:06 +0200
From:      Marcin Wojtas <mw@semihalf.com>
To:        freebsd-security@freebsd.org
Cc:        Rafal Jaworowski <raj@semihalf.com>
Subject:   ASLR/PIE status in FreeBSD HEAD
Message-ID:  <CAPv3WKfYyVnfNDTPOEN6TF_GjJr=ThdNeB1yMtTEoQoxEdHMDg@mail.gmail.com>

Hi,

Together with our customers, Semihalf is interested in improving the status
of security mitigations enablement in FreeBSD. To start with, based on our
initial research it seems that after the 2019 enhancements the ASLR/PIE
features are in a pretty much ready state.

Building the world using the 'WITH_PIE' flag produced proper binaries and
the sanity checks showed no obvious degradations. Additionally, for the ASLR we
performed a comparison of the pax tests (
https://github.com/opntr/paxtest-freebsd) for amd64/arm64 and they indicate
the feature is working fine after setting the corresponding sysctl knobs. I'd
be happy to present the results and discuss the details, but first I'd
like to ask some more general questions:

1. Are there any hard blockers, like missing features or bugs, that prevent
enabling ASLR by default in the kernel and building the base system with
-DWITH_PIE?

2. In case the enablement is eventually approved, would it be better to
do it for all archs or to focus only on selected ones?

3. IMO it may be worth benchmarking/stress-testing the system for stability
verification and performance comparison purposes. Do you think it may be reasonable
to create a kind of reference matrix (archs vs tests)? Those could be done
to evaluate the current state of the OS, but also for validating each
proposed feature. I also think engaging the FreeBSD CI might be a huge help
in such an effort. BTW, do any particular tests / benchmarks come to your mind
as useful in this case?

I'd appreciate any feedback.

Best regards,
Marcin Wojtas (mw@)
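As an added illustration (not part of this message or of the FreeBSD tree), a small Python helper that checks the two preconditions the message relies on: that an executable was really built as PIE (ELF e_type == ET_DYN) and that the kern.elf64.aslr sysctl knobs are switched on. The ELF headers and the sysctl output below are constructed; the knob names are those of FreeBSD 13-era HEAD and should be confirmed on the host with `sysctl kern.elf64.aslr`.

```python
"""Verify PIE build output and FreeBSD ASLR knob state.
Sample inputs are constructed here so the checks run offline."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF specification


def make_elf64_header(e_type: int) -> bytes:
    """Build a minimal little-endian x86-64 ELF64 header (constructed data)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1,     # 62 = EM_X86_64
                       0x1000, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + rest


def elf_is_pie(data: bytes) -> bool:
    """True if the executable is position independent (ET_DYN).
    Shared libraries are ET_DYN too, so apply this to executables only."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = LE, 2 = BE
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type == ET_DYN


# Constructed sample of `sysctl kern.elf64.aslr` output (knob names assumed
# from FreeBSD 13-era HEAD; values on a real host will vary).
SAMPLE_SYSCTL = """\
kern.elf64.aslr.enable: 0
kern.elf64.aslr.pie_enable: 1
kern.elf64.aslr.honor_sbrk: 0
"""


def parse_sysctl(output: str) -> dict:
    """Map 'name: value' lines to {name: int}."""
    knobs = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            knobs[name.strip()] = int(value)
    return knobs


def aslr_gaps(knobs: dict, elfclass: str = "kern.elf64") -> list:
    """Knobs that must be 1 for ASLR to apply to non-PIE and PIE binaries."""
    required = (f"{elfclass}.aslr.enable", f"{elfclass}.aslr.pie_enable")
    return [k for k in required if knobs.get(k) != 1]


if __name__ == "__main__":
    print("PIE:", elf_is_pie(make_elf64_header(ET_DYN)))          # True
    print("ASLR gaps:", aslr_gaps(parse_sysctl(SAMPLE_SYSCTL)))   # ['kern.elf64.aslr.enable']
```

On a real host, feed `elf_is_pie` the first 64 bytes of a binary from the WITH_PIE build and `parse_sysctl` the actual `sysctl kern.elf64.aslr` output (and `kern.elf32.aslr` for 32-bit binaries).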

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPv3WKfYyVnfNDTPOEN6TF_GjJr=ThdNeB1yMtTEoQoxEdHMDg>