Re: [CFT] ASLR and PIE on amd64
--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Apr 09, 2014 02:17 AM +0200, Oliver Pinter wrote:
> On 4/2/14, Shawn Webb <lattera@gmail.com> wrote:
> > On Apr 02, 2014 04:54 PM +0200, Oliver Pinter wrote:
> >> On 4/2/14, Oliver Pinter <oliver.pntr@gmail.com> wrote:
> >> > On 3/31/14, Shawn Webb <lattera@gmail.com> wrote:
> >> >> On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
> >> >>> On 3/22/14, Shawn Webb <lattera@gmail.com> wrote:
> >> >>> > Hey All,
> >> >>> >
> >> >>> > First off, I hope that even as a non-committer, it's okay that I
> >> >>> > post
> >> >>> > a call for testing. If not, please excuse my newbishness in this
> >> >>> > process. This is my first time submitting a major patch upstream=
to
> >> >>> > FreeBSD.
> >> >>> >
> >> >>> > Over the past few months, I've had the opportunity and pleasure =
to
> >> >>> > enhance existing patches to FreeBSD that implement a common expl=
oit
> >> >>> > mitigation technology called Address Space Layout Randomization
> >> >>> > (ASLR)
> >> >>> > along with support for Position Independent Executables (PIE).
> >> >>> > ASLR+PIE has been a long-requested feature by many people I've m=
et
> >> >>> > on
> >> >>> > IRC.
> >> >>> >
> >> >>> > I've submitted my patch to PR kernel/181497. I'm currently in the
> >> >>> > process of adding PIE support to certain high-visibility
> >> >>> > applications
> >> >>> > in base (mainly network daemons). I've added a make.conf knob
> >> >>> > that's
> >> >>> > default to enabled (WITH_PIE=3D1). An application has to also
> >> >>> > explicitly
> >> >>> > support PIE as well by defining CAN_PIE in the Makefile prior to
> >> >>> > including bsd.prog.mk. After I get a decent amount of applicatio=
ns
> >> >>> > enabled with PIE support, I'll submit one last patch.
> >> >>> >
> >> >>> > The following sysctl's can be set with a kernel compiled with the
> >> >>> > PAX_ASLR option:
> >> >>> >
> >> >>> > security.pax.aslr.status: 1
> >> >>> > security.pax.aslr.debug: 0
> >> >>> > security.pax.aslr.mmap_len: 16
> >> >>> > security.pax.aslr.stack_len: 12
> >> >>> > security.pax.aslr.exec_len: 12
> >> >>> >
> >> >>> > The security.pax.aslr.status sysctl enables and disables the ASLR
> >> >>> > system as a whole. The debug sysctl gives debugging output. The
> >> >>> > mmap_len sysctl tells the ASLR system how many bits to randomize
> >> >>> > with
> >> >>> > mmap() is called. The stack_len sysctl tells the ASLR system how
> >> >>> > many
> >> >>> > bits to randomize in the stack. The exec_len sysctl tells the AS=
LR
> >> >>> > system how many bits to randomize the execbase (this controls PI=
E).
> >> >>> > These sysctls can be set as a per-jail basis. If you have an
> >> >>> > application which doesn't support ASLR, yet you want ASLR enabled
> >> >>> > for
> >> >>> > everything else, you can simply place that misbehaving applicati=
on
> >> >>> > in
> >> >>> > a jail with only that jail's ASLR settings turned off.
> >> >>> >
> >> >>> > Please let me know how your testing goes. I'm giving a presentat=
ion
> >> >>> > at
> >> >>> > BSDCan regarding this.
> >> >>> >
> >> >>> > If you want to keep tabs on my bleeding-edge development process,
> >> >>> > please follow my progress on GitHub:
> >> >>> > https://github.com/lattera/freebsd (branch: soldierx/lattera/asl=
r).
> >> >>> >
> >> >>> > Thank you very much,
> >> >>>
> >> >>> Hi!
> >> >>>
> >> >>> Please apply this patch. This fixed an issue with tunables.
> >> >>
> >> >> Patch merged successfully into my GitHub repo. Fixed with commit
> >> >> d2c0813. I'll include it in my next patch submission upstream when I
> >> >> submit my PIE work. Thanks!
> >> >
> >> > please see the attached patch, compile and boot tested on amd64
> >>
> >>
> >> Some more patches, and one critical fix
> >> (0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).
> >
> > You are awesome. I'll integrate those patches today. In reviewing your
> > patches, I noticed a few places where I'm keying off the local
> > pax_aslr_debug variable. I ought to switch that to keying off the jail's
> > pr_pax_aslr_debug variable.
> >
>=20
> https://github.com/HardenedBSD/hardenedBSD/commits/hardened/10/aslr
And for anyone who's tracking HEAD (like me):
https://github.com/HardenedBSD/hardenedBSD/commits/hardened/current/aslr
--zYM0uCDKw75PZbzx
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBAgAGBQJTRJKBAAoJEGqEZY9SRW7u/s4P/3JOvCDbbc3y1Sa3nYUIeQfS
rt8L7kn45BrOD7qIAnuzGBoFpChmib6glTwmTj7+vYtifK8uqCNHNiqkMrHd1wBt
mJe/qN9tybnWaRGwGmt3gFBIVy44QXE3ze0vVSniYJ+UVIVYD+G3n0NbvqhfYOE0
e9nEpIc/Qi1RNWxbM4Ffk1Hw8TAvPKjxBu+J19lEXTNhVKjuJnl2DlXvsQQnFhTp
gmuiRasIq2jsMXYvb3jdqmsJxYSU0GSH/8Jg+LMvQPa/a0bKDtRA16/88FU/FHUV
9Cq76bpUXxVLHAH4HAe3z2nf77QcPJIFKDrqPpHzpjYFZwnCzKf+QyR+97wB2iGb
pExgInysE9IP767j+pTBMAdp6R6Qf8MiJcIFu8GOyNvAgbJYe/pzheCUuW2sliKe
wdr0Pv8YdUqFREA5H4SR0LxTKDQf+ozEsP4wOyO65lwZGbsr7jGV8lMj77VrEkt6
d5lpcD1L7Wj4SYDuCBGnKffvy+jvG5CrDDOhDhpZq4AN1SX045hPWOYQZJBbIW6o
eZmd0Qj5SzkVql6iWTk4xLlm08BbqZzKTLe2KBR/okYLvrM7wyXdR+HMqyBY+2d/
y7fgBXmOChOsCa2pYxEXPfv7bluEB+Lt/WU3O/8RtCiNr69fSDEfnUcCJRqHHt6e
JFt20tCK70uiCI5nhfu9
=Xc+Z
-----END PGP SIGNATURE-----
--zYM0uCDKw75PZbzx--
討論串 (同標題文章)
完整討論串 (本文為第 9 之 10 篇):