On Apr 09, 2014 02:17 AM +0200, Oliver Pinter wrote:
> On 4/2/14, Shawn Webb <lattera_at_gmail.com> wrote:
> > On Apr 02, 2014 04:54 PM +0200, Oliver Pinter wrote:
> >> On 4/2/14, Oliver Pinter <oliver.pntr_at_gmail.com> wrote:
> >> > On 3/31/14, Shawn Webb <lattera_at_gmail.com> wrote:
> >> >> On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
> >> >>> On 3/22/14, Shawn Webb <lattera_at_gmail.com> wrote:
> >> >>> > Hey All,
> >> >>> >
> >> >>> > First off, I hope that even as a non-committer, it's okay that I post
> >> >>> > a call for testing. If not, please excuse my newbishness in this
> >> >>> > process. This is my first time submitting a major patch upstream to
> >> >>> > FreeBSD.
> >> >>> >
> >> >>> > Over the past few months, I've had the opportunity and pleasure to
> >> >>> > enhance existing patches to FreeBSD that implement a common exploit
> >> >>> > mitigation technology called Address Space Layout Randomization (ASLR)
> >> >>> > along with support for Position Independent Executables (PIE).
> >> >>> > ASLR+PIE has been a long-requested feature by many people I've met on
> >> >>> > IRC.
> >> >>> >
> >> >>> > I've submitted my patch to PR kernel/181497. I'm currently in the
> >> >>> > process of adding PIE support to certain high-visibility applications
> >> >>> > in base (mainly network daemons). I've added a make.conf knob that
> >> >>> > defaults to enabled (WITH_PIE=1). An application has to also explicitly
> >> >>> > support PIE by defining CAN_PIE in the Makefile prior to
> >> >>> > including bsd.prog.mk. After I get a decent amount of applications
> >> >>> > enabled with PIE support, I'll submit one last patch.
> >> >>> >
> >> >>> > The following sysctls can be set with a kernel compiled with the
> >> >>> > PAX_ASLR option:
> >> >>> >
> >> >>> > security.pax.aslr.status: 1
> >> >>> > security.pax.aslr.debug: 0
> >> >>> > security.pax.aslr.mmap_len: 16
> >> >>> > security.pax.aslr.stack_len: 12
> >> >>> > security.pax.aslr.exec_len: 12
> >> >>> >
> >> >>> > The security.pax.aslr.status sysctl enables and disables the ASLR
> >> >>> > system as a whole. The debug sysctl gives debugging output. The
> >> >>> > mmap_len sysctl tells the ASLR system how many bits to randomize when
> >> >>> > mmap() is called. The stack_len sysctl tells the ASLR system how many
> >> >>> > bits to randomize in the stack. The exec_len sysctl tells the ASLR
> >> >>> > system how many bits to randomize the execbase (this controls PIE).
> >> >>> > These sysctls can be set on a per-jail basis. If you have an
> >> >>> > application which doesn't support ASLR, yet you want ASLR enabled for
> >> >>> > everything else, you can simply place that misbehaving application in
> >> >>> > a jail with only that jail's ASLR settings turned off.
> >> >>> >
> >> >>> > Please let me know how your testing goes. I'm giving a presentation at
> >> >>> > BSDCan regarding this.
> >> >>> >
> >> >>> > If you want to keep tabs on my bleeding-edge development process,
> >> >>> > please follow my progress on GitHub:
> >> >>> > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
> >> >>> >
> >> >>> > Thank you very much,
> >> >>>
> >> >>> Hi!
> >> >>>
> >> >>> Please apply this patch. This fixed an issue with tunables.
> >> >>
> >> >> Patch merged successfully into my GitHub repo. Fixed with commit
> >> >> d2c0813. I'll include it in my next patch submission upstream when I
> >> >> submit my PIE work. Thanks!
> >> >
> >> > please see the attached patch, compile and boot tested on amd64
> >>
> >>
> >> Some more patches, and one critical fix
> >> (0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).
> >
> > You are awesome. I'll integrate those patches today. In reviewing your
> > patches, I noticed a few places where I'm keying off the local
> > pax_aslr_debug variable. I ought to switch that to keying off the jail's
> > pr_pax_aslr_debug variable.
> >
>
> https://github.com/HardenedBSD/hardenedBSD/commits/hardened/10/aslr

And for anyone who's tracking HEAD (like me):
https://github.com/HardenedBSD/hardenedBSD/commits/hardened/current/aslr
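The three entropy knobs the thread describes (security.pax.aslr.mmap_len, stack_len and exec_len) can be checked from userland without reading kernel code. The program below is an added example for testers, not part of Shawn's or Oliver's patches and not taken from the HardenedBSD repository: it re-executes itself RUNS times (fork() alone would keep the parent's layout, so a fresh exec() is needed for the kernel to pick new bases), has each child print the address of an anonymous mmap() page, a stack variable and a text symbol, and then counts how many address bits differed across runs. On a PAX_ASLR kernel with security.pax.aslr.status=1 the three counts should roughly track mmap_len, stack_len and exec_len; the exec count stays at 0 unless the binary was also linked as PIE (cc -fPIE -pie), and a 0 for mmap or stack means that region was not randomized, for instance inside a jail whose ASLR settings were turned off. The helper names, the --sample flag and the RUNS constant are my own, and the program assumes it is invoked by a path that works for argv[0] (e.g. ./aslr_probe).

```c
/* aslr_probe.c: measure observed ASLR entropy by re-executing itself.
 * Added example; assumes it is started via a usable argv[0] path. */
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/wait.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older BSD spelling */
#endif

#define RUNS 16   /* number of child executions to sample (hypothetical choice) */

/* Count the bit positions in which the n addresses differ: OR together the
 * XOR of every address against the first, then popcount. 0 means every run
 * landed at the same place, i.e. no randomization was observed. */
int varying_bits(const uintptr_t *addrs, size_t n)
{
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++)
        diff |= addrs[i] ^ addrs[0];
    int bits = 0;
    for (; diff != 0; diff &= diff - 1)   /* clear lowest set bit each pass */
        bits++;
    return bits;
}

/* Parse one "mmap stack exec" line of hex addresses written by a child.
 * Returns 0 on success, -1 if any of the three fields is missing. */
int parse_sample(const char *line, uintptr_t out[3])
{
    char *end;
    for (int i = 0; i < 3; i++) {
        out[i] = (uintptr_t)strtoull(line, &end, 16);
        if (end == line)
            return -1;
        line = end;
    }
    return 0;
}

/* Child mode: sample the three regions once and print them as hex. */
static int child_mode(void)
{
    volatile int stack_probe = 0;
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    printf("%llx %llx %llx\n", (unsigned long long)(uintptr_t)p,
           (unsigned long long)(uintptr_t)&stack_probe,
           (unsigned long long)(uintptr_t)&child_mode);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--sample") == 0)
        return child_mode();

    uintptr_t mm[RUNS], st[RUNS], ex[RUNS];
    for (int r = 0; r < RUNS; r++) {
        int fd[2];
        if (pipe(fd) != 0) { perror("pipe"); return 1; }
        pid_t pid = fork();
        if (pid == 0) {
            dup2(fd[1], STDOUT_FILENO);
            close(fd[0]); close(fd[1]);
            /* exec() gives the kernel a chance to choose fresh bases. */
            execl(argv[0], argv[0], "--sample", (char *)NULL);
            _exit(127);
        }
        close(fd[1]);
        char line[128]; size_t len = 0; ssize_t n;
        while ((n = read(fd[0], line + len, sizeof line - 1 - len)) > 0)
            len += (size_t)n;
        line[len] = '\0';
        close(fd[0]);
        waitpid(pid, NULL, 0);
        uintptr_t s[3];
        if (parse_sample(line, s) != 0) {
            fprintf(stderr, "run %d: no sample from child\n", r);
            return 1;
        }
        mm[r] = s[0]; st[r] = s[1]; ex[r] = s[2];
    }
    printf("mmap : %2d address bits vary over %d runs\n", varying_bits(mm, RUNS), RUNS);
    printf("stack: %2d address bits vary over %d runs\n", varying_bits(st, RUNS), RUNS);
    printf("exec : %2d address bits vary over %d runs (0 => not PIE or ASLR off)\n",
           varying_bits(ex, RUNS), RUNS);
    return 0;
}
```

The bit count is an upper bound on observed entropy rather than an exact measure, since low page-offset bits never vary and a few runs may not exercise every randomized bit; raising RUNS tightens the estimate. Running the same binary inside a jail with security.pax.aslr.status set to 0 should drop all three counts to 0, which is a quick way to confirm that the per-jail opt-out described in the thread actually applies to that jail.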
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:48 UTC