Shawn Webb
2014-May-14 13:58 UTC
[CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
Hey All, [NOTE: crossposting between freebsd-current@, freebsd-security@, and freebsd-stable at . Please forgive me if crossposting is frowned upon.] Address Space Layout Randomization, or ASLR for short, is an exploit mitigation technology. It helps secure applications against low-level exploits. A popular secure implementation is known as PaX ASLR, which is a third-party patch for Linux. Our implementation is based off of PaX's. Oliver Pinter, Danilo Egea, and I have been working hard to bring more features and robust stability to our ASLR patches. We've done extensive testing on amd64. We'd like to get as many people testing these patches. Given the nature of them, we'd also like as many eyeballs reviewing the code as well. I have a Raspberry Pi and have noticed a few bugs. On ARM (at least, on the RPI), when a parent forks a child, and the child gracefully exits, the parent segfaults with the pc register pointing to 0xc0000000. That address is always the same, no matter the application. If anyone knows the ARM architecture well, and how FreeBSD ties into it, I'd like a little guidance. I also have a sparc64 box, but I'm having trouble getting a vanilla 11-current system to be stable on it. I ought to file a few PRs. You can find links to the patches below. Patch for 11-current: http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-current-aslr-segvguard-SNAPSHOT.diff Patch for 10-stable: http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff Thanks, Shawn Webb -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 834 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20140514/44ee692e/attachment.sig>
Adrian Chadd
2014-May-14 17:02 UTC
[CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
Hi! Cool! Does it run on MIPS? :P -a On 14 May 2014 06:58, Shawn Webb <lattera at gmail.com> wrote:> Hey All, > > [NOTE: crossposting between freebsd-current@, freebsd-security@, and > freebsd-stable at . Please forgive me if crossposting is frowned upon.] > > Address Space Layout Randomization, or ASLR for short, is an exploit > mitigation technology. It helps secure applications against low-level > exploits. A popular secure implementation is known as PaX ASLR, which is > a third-party patch for Linux. Our implementation is based off of PaX's. > > Oliver Pinter, Danilo Egea, and I have been working hard to bring more > features and robust stability to our ASLR patches. We've done extensive > testing on amd64. We'd like to get as many people testing these patches. > Given the nature of them, we'd also like as many eyeballs reviewing the > code as well. > > I have a Raspberry Pi and have noticed a few bugs. On ARM (at least, on > the RPI), when a parent forks a child, and the child gracefully exits, > the parent segfaults with the pc register pointing to 0xc0000000. That > address is always the same, no matter the application. If anyone knows > the ARM architecture well, and how FreeBSD ties into it, I'd like a > little guidance. > > I also have a sparc64 box, but I'm having trouble getting a vanilla > 11-current system to be stable on it. I ought to file a few PRs. > > You can find links to the patches below. > > Patch for 11-current: > http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-current-aslr-segvguard-SNAPSHOT.diff > > Patch for 10-stable: > http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff > > Thanks, > > Shawn Webb
Wojciech A. Koszek
2014-May-23 19:53 UTC
[CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
On Wed, May 14, 2014 at 09:58:52AM -0400, Shawn Webb wrote:> Hey All, > > [NOTE: crossposting between freebsd-current@, freebsd-security@, and > freebsd-stable at . Please forgive me if crossposting is frowned upon.] > > Address Space Layout Randomization, or ASLR for short, is an exploit > mitigation technology. It helps secure applications against low-level > exploits. A popular secure implementation is known as PaX ASLR, which is > a third-party patch for Linux. Our implementation is based off of PaX's. > > Oliver Pinter, Danilo Egea, and I have been working hard to bring more > features and robust stability to our ASLR patches. We've done extensive > testing on amd64. We'd like to get as many people testing these patches. > Given the nature of them, we'd also like as many eyeballs reviewing the > code as well. > > I have a Raspberry Pi and have noticed a few bugs. On ARM (at least, on > the RPI), when a parent forks a child, and the child gracefully exits, > the parent segfaults with the pc register pointing to 0xc0000000. That > address is always the same, no matter the application. If anyone knows > the ARM architecture well, and how FreeBSD ties into it, I'd like a > little guidance. > > I also have a sparc64 box, but I'm having trouble getting a vanilla > 11-current system to be stable on it. I ought to file a few PRs. > > You can find links to the patches below. > > Patch for 11-current: > http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-current-aslr-segvguard-SNAPSHOT.diff > > Patch for 10-stable: > http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff >Shawn I appreciate you working on this. We must have this in FreeBSD. I looked at the patch and I read, but not run it. Comments below. My personal opinion is that kern_pax.c should be compiled in by default. If it adds a lot of size, it'd be better to provide empty stub calls instead of #ifdef'ing everything. But security is very important especially in embeddded systems, so you can imagine you're writing the code that everybody wants and must have enabled for decent level of security. All modern systems run with ASLR turned on. I skipped user-space stuff. I don't think it's necessary in this commit and should be separated. There's a lot of lines of code for status showing. Not sure if we care that much: ASLR is either on or off. Not sure about more granularity. More below. Lots of files: You conditionally make .sv_pax_aslr_init method point to something else. I'd assume PAX function _pax_aslr_init32() always gets called and based on whether ASLR is on or not, it does something or not. This will simplify the code a lot, and the difference probably won't be measurable. You have: int a; int b; instead of: int a, b; And you miss spaces around "=" sometimes. kern_jail.c: something looks wrong here. Sounds like you need "pr->pax". But I don't understand why you need to have these pr_* values here. It seems unnecessary. kern_pax.c: I can't quickly tell what locking is using. Some ASSERTS() in pax_ function would help. pax_aslr_active(): I don't see why you need to pass "td" and "proc" (I looked at usage: you pass proc only once). I think you could always pass proc to it, with td->td_proc passed typically. kern_pax_*: There's so many SYSCTLs I think people will have problem configuring it. Pick reasonable value for all values and let users change them via SYSCTL_INT (static sysctls) only for debugging. I can imagine we won't want ASLR only temporarily, for ports which break and must be fixed. So we probably just need per-process ASLR on/off switch and a wrapper which could be used like: aslr off program .... The debug stuff I'd remove too. We could have additional CTR stubs used there, if necessary. segvguard part I didn't understand. Why do you keep a list of programs that failed? There was no ASSERTs, thus it was hard to understand the locking too. I'm trying to understand if randomization is done correctly. Do you think you could post the results? Program: http://pastebin.com/XTRHLhMg Results: cat > aslr.c <paste> gcc aslr.c -o aslr echo 1 2 3 4 5 | xargs -I % -n 1 echo "./aslr > aslr.%" | sh paste aslr.[12345] | column -t Linux with ASLR: http://pastebin.com/UuwW1JMN MacOSX: http://pastebin.com/kuQnYS4e Thanks, -- Wojciech A. Koszek wkoszek at FreeBSD.czest.pl http://FreeBSD.czest.pl/~wkoszek/
Oliver Pinter
2014-May-23 23:24 UTC
[CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
On 5/14/14, Shawn Webb <lattera at gmail.com> wrote:> Hey All, > > [NOTE: crossposting between freebsd-current@, freebsd-security@, and > freebsd-stable at . Please forgive me if crossposting is frowned upon.] > > Address Space Layout Randomization, or ASLR for short, is an exploit > mitigation technology. It helps secure applications against low-level > exploits. A popular secure implementation is known as PaX ASLR, which is > a third-party patch for Linux. Our implementation is based off of PaX's. > > Oliver Pinter, Danilo Egea, and I have been working hard to bring more > features and robust stability to our ASLR patches. We've done extensive > testing on amd64. We'd like to get as many people testing these patches. > Given the nature of them, we'd also like as many eyeballs reviewing the > code as well. > > I have a Raspberry Pi and have noticed a few bugs. On ARM (at least, on > the RPI), when a parent forks a child, and the child gracefully exits, > the parent segfaults with the pc register pointing to 0xc0000000. That > address is always the same, no matter the application. If anyone knows > the ARM architecture well, and how FreeBSD ties into it, I'd like a > little guidance. > > I also have a sparc64 box, but I'm having trouble getting a vanilla > 11-current system to be stable on it. I ought to file a few PRs. > > You can find links to the patches below. > > Patch for 11-current: > http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-current-aslr-segvguard-SNAPSHOT.diff > > Patch for 10-stable: > http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff > > Thanks, > > Shawn Webb >New round of patches are there: 11-CURRENT: http://www.crysys.hu/~op/freebsd/patches/20140524011327-freebsd-current-aslr-segvguard-SNAPSHOT.diff 10-STABLE: http://www.crysys.hu/~op/freebsd/patches/20140524011327-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff What's changed related to previous tag: 11-CURRENT: Oliver Pinter (17): PAX ASLR: update license in kern_pax_aslr.c PAX: update license in kern_pax.c PAX SEGVGUARD: update license in kern_pax_segvguard.c PAX: update license in pax.h PAX ASLR: remove unneeded parameter from pax_aslr_stack function PAX LOG: implement new logging subsystem PAX LOG: fix pax_ulog_segvguard PAX LOG: added sysctl's and tunables PAX ASLR: use PAX LOG PAX LOG: fix pax_ulog_##name() PAX LOG: fix prison init PAX LOG: fixed log and ulog sysctl PAX ASLR: fixed debug sysctl PAX: blacklist clang and related binaries from PIE support PAX ASLR: make ASLR by default opt-out Merge remote-tracking branch 'freebsd/master' into hardened/current/aslr Merge branch 'hardened/current/aslr' of github.com:HardenedBSD/hardenedBSD into hardened/current/aslr Shawn Webb (10): Remove CAN_PIE in preparation for NO_PIE Merge remote-tracking branch 'upstream/master' into hardened/current/aslr PAX ASLR: Blacklist the applications that don't support being built as a position-independent executable Merge remote-tracking branch 'upstream/master' into hardened/current/aslr Disable PAX_SEGVGUARD in LATT-ASLR kernel PAX ASLR: Lock the jail when initializing PAX per-jail PAX settings PAX ASLR: Fix bug with pax_aslr_active() PAX ASLR: Use a full kernel config for LATT-ASLR Revert "PAX: blacklist clang and related binaries from PIE support" Revert "Revert "PAX: blacklist clang and related binaries from PIE support"" 10-STABLE: Oliver Pinter (20): PAX ASLR: update license in kern_pax_aslr.c PAX: update license in kern_pax.c PAX SEGVGUARD: update license in kern_pax_segvguard.c PAX: update license in pax.h PAX ASLR: remove unneeded parameter from pax_aslr_stack function PAX LOG: implement new logging subsystem PAX LOG: fix pax_ulog_segvguard PAX LOG: added sysctl's and tunables PAX ASLR: use PAX LOG PAX LOG: fix pax_ulog_##name() PAX LOG: fix prison init PAX LOG: fixed log and ulog sysctl PAX ASLR: fixed debug sysctl Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr added OPN-ASLR kernel config PAX: Remove CAN_PIE in preparation for NO_PIE from /bin/sh PAX: blacklist clang and related binaries from PIE support PAX ASLR: make ASLR by default opt-out Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr Shawn Webb (4): PAX: Remove CAN_PIE in preparation for NO_PIE PAX ASLR: Blacklist the applications that don't support being built as a position-independent executable PAX ASLR: Lock the jail when initializing PAX per-jail PAX settings PAX ASLR: Fix bug with pax_aslr_active()