Re: [CFT] ASLR and PIE on amd64
On Apr 02, 2014 04:54 PM +0200, Oliver Pinter wrote:
> On 4/2/14, Oliver Pinter <oliver.pntr@gmail.com> wrote:
> > On 3/31/14, Shawn Webb <lattera@gmail.com> wrote:
> >> On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
> >>> On 3/22/14, Shawn Webb <lattera@gmail.com> wrote:
> >>> > Hey All,
> >>> >
> >>> > First off, I hope that even as a non-committer, it's okay that I post
> >>> > a call for testing. If not, please excuse my newbishness in this
> >>> > process. This is my first time submitting a major patch upstream to
> >>> > FreeBSD.
> >>> >
> >>> > Over the past few months, I've had the opportunity and pleasure to
> >>> > enhance existing patches to FreeBSD that implement a common exploit
> >>> > mitigation technology called Address Space Layout Randomization (ASLR)
> >>> > along with support for Position Independent Executables (PIE).
> >>> > ASLR+PIE has been a long-requested feature by many people I've met on
> >>> > IRC.
> >>> >
> >>> > I've submitted my patch to PR kernel/181497. I'm currently in the
> >>> > process of adding PIE support to certain high-visibility applications
> >>> > in base (mainly network daemons). I've added a make.conf knob that
> >>> > defaults to enabled (WITH_PIE=1). An application also has to explicitly
> >>> > support PIE as well by defining CAN_PIE in the Makefile prior to
> >>> > including bsd.prog.mk. After I get a decent amount of applications
> >>> > enabled with PIE support, I'll submit one last patch.
> >>> >
> >>> > The following sysctl's can be set with a kernel compiled with the
> >>> > PAX_ASLR option:
> >>> >
> >>> > security.pax.aslr.status: 1
> >>> > security.pax.aslr.debug: 0
> >>> > security.pax.aslr.mmap_len: 16
> >>> > security.pax.aslr.stack_len: 12
> >>> > security.pax.aslr.exec_len: 12
> >>> >
> >>> > The security.pax.aslr.status sysctl enables and disables the ASLR
> >>> > system as a whole. The debug sysctl gives debugging output. The
> >>> > mmap_len sysctl tells the ASLR system how many bits to randomize when
> >>> > mmap() is called. The stack_len sysctl tells the ASLR system how many
> >>> > bits to randomize in the stack. The exec_len sysctl tells the ASLR
> >>> > system how many bits to randomize the execbase (this controls PIE).
> >>> > These sysctls can be set on a per-jail basis. If you have an
> >>> > application which doesn't support ASLR, yet you want ASLR enabled for
> >>> > everything else, you can simply place that misbehaving application in
> >>> > a jail with only that jail's ASLR settings turned off.
> >>> >
> >>> > Please let me know how your testing goes. I'm giving a presentation at
> >>> > BSDCan regarding this.
> >>> >
> >>> > If you want to keep tabs on my bleeding-edge development process,
> >>> > please follow my progress on GitHub:
> >>> > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
> >>> >
> >>> > Thank you very much,
> >>>
> >>> Hi!
> >>>
> >>> Please apply this patch. This fixed an issue with tunables.
> >>
> >> Patch merged successfully into my GitHub repo. Fixed with commit
> >> d2c0813. I'll include it in my next patch submission upstream when I
> >> submit my PIE work. Thanks!
> >
> > please see the attached patch, compile and boot tested on amd64
>
>
> Some more patches, and one critical fix
> (0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).
You are awesome. I'll integrate those patches today. In reviewing your
patches, I noticed a few places where I'm keying off the local
pax_aslr_debug variable. I ought to switch that to keying off the jail's
pr_pax_aslr_debug variable.
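The call for testing above lists the sysctls (mmap_len, stack_len, exec_len) that control how many bits get randomized, but gives testers no way to check that a running kernel actually delivers them. The probe below is an added example for this thread, not code from the patch or from the FreeBSD tree. Each run records where the kernel placed the stack, an anonymous mmap() region, the executable's text (meaningful only when built with -fPIE -pie) and a malloc() block; piping many runs into `--analyze` reports, per region, how many address bits changed at least once. That count is a lower bound on the randomization actually applied, which converges on the configured bit widths as the number of runs grows, so compare it against the sysctl values only after a few dozen runs. The 4 KiB page mask, the region names and the sample lines in `constructed_lines` are assumptions of this example.

```c
/* Added example (not part of the original CFT or the FreeBSD tree): sample the
 * addresses ASLR assigns, print them, and measure how many bits vary across
 * runs.  Build with `cc -fPIE -pie aslr_probe.c -o aslr_probe` so the text
 * address reflects the randomized execbase. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

enum { R_STACK, R_MMAP, R_TEXT, R_HEAP, R_COUNT };
static const char *const region_name[R_COUNT] = { "stack", "mmap", "text", "heap" };

/* One run's view of where the kernel placed each region. */
struct aslr_sample { uintptr_t addr[R_COUNT]; };

/* Running statistics: the first sample seen and, per region, the OR of every
 * later sample XOR the first, i.e. the set of bit positions that ever changed. */
struct aslr_stats { size_t n; uintptr_t first[R_COUNT]; uintptr_t diff[R_COUNT]; };

/* Constructed sample lines (not real captures) used by --demo and for testing. */
static const char *const constructed_lines[] = {
    "stack=0x7ffffffde3c0 mmap=0x800630000 text=0x401000 heap=0x801006000",
    "stack=0x7ffffffbe3c0 mmap=0x800a30000 text=0x411000 heap=0x801006000",
    "stack=0x7fffffe7e3c0 mmap=0x801630000 text=0x4c1000 heap=0x801006000",
    "not a sample line",
};

int aslr_sample_take(struct aslr_sample *s)
{
    int local = 0;                          /* stack placement: stack_len */
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);   /* mmap_len */
    void *h = malloc(64);                   /* heap; malloc may itself use mmap */
    if (m == MAP_FAILED || h == NULL) {
        if (m != MAP_FAILED) munmap(m, 4096);
        free(h);
        return -1;
    }
    s->addr[R_STACK] = (uintptr_t)&local;
    s->addr[R_MMAP]  = (uintptr_t)m;
    s->addr[R_TEXT]  = (uintptr_t)&aslr_sample_take;  /* execbase: exec_len, PIE only */
    s->addr[R_HEAP]  = (uintptr_t)h;
    munmap(m, 4096);
    free(h);
    return 0;
}

/* Serialize a sample as one line; aslr_parse_line() reads the same format. */
int aslr_format_line(const struct aslr_sample *s, char *buf, size_t len)
{
    return snprintf(buf, len, "stack=0x%" PRIxPTR " mmap=0x%" PRIxPTR
                    " text=0x%" PRIxPTR " heap=0x%" PRIxPTR "\n",
                    s->addr[R_STACK], s->addr[R_MMAP], s->addr[R_TEXT], s->addr[R_HEAP]);
}

int aslr_parse_line(const char *line, struct aslr_sample *s)
{
    int got = sscanf(line, "stack=%" SCNxPTR " mmap=%" SCNxPTR
                     " text=%" SCNxPTR " heap=%" SCNxPTR,
                     &s->addr[R_STACK], &s->addr[R_MMAP], &s->addr[R_TEXT], &s->addr[R_HEAP]);
    return got == R_COUNT ? 0 : -1;
}

void aslr_stats_add(struct aslr_stats *st, const struct aslr_sample *s)
{
    for (int r = 0; r < R_COUNT; r++) {
        if (st->n == 0) { st->first[r] = s->addr[r]; st->diff[r] = 0; }
        else st->diff[r] |= s->addr[r] ^ st->first[r];
    }
    st->n++;
}

/* Bits of a region that changed at least once across the samples.  The page
 * offset (low 12 bits on 4 KiB pages, an assumption here) never moves, so it
 * is masked off before counting. */
int aslr_stats_bits(const struct aslr_stats *st, int region)
{
    uintptr_t d = st->diff[region] & ~(uintptr_t)0xfff;
    int bits = 0;
    for (; d; d &= d - 1) bits++;
    return bits;
}

/* Feed already-captured lines into fresh stats; returns how many parsed. */
size_t aslr_stats_from_lines(const char *const *lines, size_t n, struct aslr_stats *st)
{
    size_t ok = 0;
    memset(st, 0, sizeof *st);
    for (size_t i = 0; i < n; i++) {
        struct aslr_sample s;
        if (aslr_parse_line(lines[i], &s) == 0) { aslr_stats_add(st, &s); ok++; }
    }
    return ok;
}

static void aslr_stats_print(const struct aslr_stats *st)
{
    for (int r = 0; r < R_COUNT; r++)
        printf("%-5s %2d varying bits over %zu runs\n", region_name[r],
               aslr_stats_bits(st, r), st->n);
}

int main(int argc, char **argv)
{
    struct aslr_stats st;
    struct aslr_sample s;
    char line[256];
    if (argc > 1 && strcmp(argv[1], "--demo") == 0) {      /* analyze constructed data */
        aslr_stats_from_lines(constructed_lines, 4, &st);
        aslr_stats_print(&st);
        return 0;
    }
    if (argc > 1 && strcmp(argv[1], "--analyze") == 0) {   /* analyze lines on stdin */
        memset(&st, 0, sizeof st);
        while (fgets(line, sizeof line, stdin))
            if (aslr_parse_line(line, &s) == 0) aslr_stats_add(&st, &s);
        aslr_stats_print(&st);
        return 0;
    }
    if (aslr_sample_take(&s) < 0) return 1;               /* default: emit one sample */
    aslr_format_line(&s, line, sizeof line);
    fputs(line, stdout);
    return 0;
}
```

Typical use on a PAX_ASLR kernel is `for i in $(seq 1 50); do ./aslr_probe; done | ./aslr_probe --analyze`, once with `security.pax.aslr.status=1` and once with it set to 0 (or from inside a jail whose ASLR settings are off) to confirm that every region then reports 0 varying bits. The heap figure depends on whether malloc served the block from brk or from mmap, so read it alongside the mmap figure rather than against a sysctl of its own.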
Thread (messages with the same subject)
Full thread (this message is 7 of 10):