Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 16 Nov 2021 23:30:19 +0100
From:      Marcin Wojtas <mw@semihalf.com>
To:        freebsd-current@freebsd.org
Cc:        Fabien Thomas <fabien.thomas@stormshield.eu>,  MARECHAL Boris <boris.marechal@stormshield.eu>, Rafal Jaworowski <raj@semihalf.com>,  Damien DEVILLE <damien.deville@stormshield.eu>
Subject:   HEADS-UP: ASLR for 64-bit executables enabled by default on main
Message-ID:  <CAPv3WKc=DUK8ukdqcYNgjxy96CN5kG40-ZO1SxTepUEZDavwpg@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
As of b014e0f15bc7 the ASLR (Address Space Layout
Randomization) feature becomes enabled for the all 64-bit
binaries by default.

Address Space Layout Randomization (ASLR) is an exploit mitigation
technique implemented in the majority of modern operating systems.
It involves randomly positioning the base address of an executable
and the position of libraries, heap, and stack, in a process's address
space. Although over the years ASLR proved to not guarantee full OS
security on its own, this mechanism can make exploitation more difficult
(especially when combined with other methods, such as W^X).

Tests on the tier 1 64-bit architectures demonstrated that the ASLR is
stable and does not result in noticeable performance degradation,
therefore it is considered safe to enable this mechanism by default.
Moreover its effectiveness is increased for PIE (Position Independent
Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by
default on 64-bit architectures"), building from src is not necessary
to have PIE binaries and it is enough to control usage of ASLR in the
OS solely by setting the appropriate sysctls. The defaults were toggled
for the 64-bit PIE and non-PIE executables.

As for the drawbacks, a consequence of using the ASLR is more
significant VM fragmentation, hence the issues may be encountered
in the systems with a limited address space in high memory consumption
cases, such as buildworld. As a result, although the tests on 32-bit
architectures with ASLR enabled were mostly on par with what was
observed on 64-bit ones, the defaults for the former are not changed
at this time. Also, for the sake of safety the feature remains disabled
for 32-bit executables on 64-bit machines, too.

The committed change affects the overall OS operation, so the
following should be taken into consideration:
* Address space fragmentation.
* A changed ABI due to modified layout of address space.
* More complicated debugging due to:
  * Non-reproducible address space layout between runs.
  * Some debuggers automatically disable ASLR for spawned processes,
    making target's environment different between debug and
    non-debug runs.

The known issues (such as PR239873 or PR253208) have been fixed in
HEAD up front, however please pay attention to the system behavior after
upgrading the kernel to the newest revisions.
In order to confirm/rule-out the dependency of any encountered issue
on ASLR it is strongly advised to re-run the test with the feature
disabled - it can be done by setting the following sysctls
in the /etc/sysctl.conf file:
kern.elf64.aslr.enable=0
kern.elf64.aslr.pie_enable=0

The change is a result of combined efforts under the auspices
of the FreeBSD Foundation and the Semihalf team sponsored
by Stormshield.

Best regards,
Marcin



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPv3WKc=DUK8ukdqcYNgjxy96CN5kG40-ZO1SxTepUEZDavwpg>