On 3/31/14, Shawn Webb <lattera_at_gmail.com> wrote:
> On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
>> On 3/22/14, Shawn Webb <lattera_at_gmail.com> wrote:
>> > Hey All,
>> >
>> > First off, I hope that even as a non-committer, it's okay that I post
>> > a call for testing. If not, please excuse my newbishness in this
>> > process. This is my first time submitting a major patch upstream to
>> > FreeBSD.
>> >
>> > Over the past few months, I've had the opportunity and pleasure to
>> > enhance existing patches to FreeBSD that implement a common exploit
>> > mitigation technology called Address Space Layout Randomization (ASLR)
>> > along with support for Position Independent Executables (PIE).
>> > ASLR+PIE has been a long-requested feature by many people I've met on
>> > IRC.
>> >
>> > I've submitted my patch to PR kernel/181497. I'm currently in the
>> > process of adding PIE support to certain high-visibility applications
>> > in base (mainly network daemons). I've added a make.conf knob that's
>> > default to enabled (WITH_PIE=1). An application has to also explicitly
>> > support PIE as well by defining CAN_PIE in the Makefile prior to
>> > including bsd.prog.mk. After I get a decent amount of applications
>> > enabled with PIE support, I'll submit one last patch.
>> >
>> > The following sysctls can be set with a kernel compiled with the
>> > PAX_ASLR option:
>> >
>> > security.pax.aslr.status: 1
>> > security.pax.aslr.debug: 0
>> > security.pax.aslr.mmap_len: 16
>> > security.pax.aslr.stack_len: 12
>> > security.pax.aslr.exec_len: 12
>> >
>> > The security.pax.aslr.status sysctl enables and disables the ASLR
>> > system as a whole. The debug sysctl gives debugging output. The
>> > mmap_len sysctl tells the ASLR system how many bits to randomize when
>> > mmap() is called. The stack_len sysctl tells the ASLR system how many
>> > bits to randomize in the stack. The exec_len sysctl tells the ASLR
>> > system how many bits to randomize the execbase (this controls PIE).
>> > These sysctls can be set on a per-jail basis. If you have an
>> > application which doesn't support ASLR, yet you want ASLR enabled for
>> > everything else, you can simply place that misbehaving application in
>> > a jail with only that jail's ASLR settings turned off.
>> >
>> > Please let me know how your testing goes. I'm giving a presentation at
>> > BSDCan regarding this.
>> >
>> > If you want to keep tabs on my bleeding-edge development process,
>> > please follow my progress on GitHub:
>> > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
>> >
>> > Thank you very much,
>>
>> Hi!
>>
>> Please apply this patch. This fixed an issue with tunables.
>
> Patch merged successfully into my GitHub repo. Fixed with commit
> d2c0813. I'll include it in my next patch submission upstream when I
> submit my PIE work. Thanks!

Please see the attached patch, compile and boot tested on amd64.
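
The sysctls described in the announcement quoted above can be audited per host or per jail. The following is an added example, not part of the thread or of the patch; it assumes the bit counts listed in the announcement serve as the minimum, and the function name `check_aslr` and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit PAX_ASLR sysctls in "name: value" form (sysctl output).
# Assumption: the bit counts listed in the announcement are used as the minimum.

# check_aslr reads sysctl lines on stdin, prints findings, returns 1 on any FAIL.
check_aslr() {
    awk -F': *' '
        BEGIN {
            minbits["security.pax.aslr.mmap_len"]  = 16   # bits randomized for mmap()
            minbits["security.pax.aslr.stack_len"] = 12   # bits randomized in the stack
            minbits["security.pax.aslr.exec_len"]  = 12   # bits for execbase (PIE)
        }
        $1 == "security.pax.aslr.status" {
            have_status = 1
            if ($2 + 0 == 0) { print "FAIL status: ASLR disabled"; bad = 1 }
            next
        }
        $1 == "security.pax.aslr.debug" && $2 + 0 != 0 {
            print "NOTE debug: debugging output enabled"
            next
        }
        ($1 in minbits) {
            seen[$1] = 1
            if ($2 + 0 < minbits[$1]) {
                printf "FAIL %s: %d bits, below listed %d\n", $1, $2, minbits[$1]
                bad = 1
            }
        }
        END {
            if (!have_status) { print "FAIL status: sysctl missing"; bad = 1 }
            for (k in minbits) if (!(k in seen)) {
                printf "FAIL %s: sysctl missing\n", k; bad = 1
            }
            exit bad + 0
        }
    '
}

# Constructed sample: a jail where ASLR was switched off for one application.
SAMPLE_JAIL='security.pax.aslr.status: 0
security.pax.aslr.debug: 0
security.pax.aslr.mmap_len: 16
security.pax.aslr.stack_len: 12
security.pax.aslr.exec_len: 12'

printf '%s\n' "$SAMPLE_JAIL" | check_aslr || echo "jail sample: findings above"
```

On a kernel built with the PAX_ASLR option, the live values can be fed in with `sysctl security.pax.aslr | check_aslr`, run on the host or inside each jail.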