share/man/man4/aslr.4
- This file was added.
.\"-
.\" Copyright (c) 2014,2015 Shawn Webb <shawn.webb@hardenedbsd.org>
.\" All rights reserved.
rwatson: Sequential years in copyright strings should use "-" rather than ",".
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd February 21, 2015
.Dt ASLR 4
.Os
.Sh NAME
.Nm aslr
.Nd Address Space Layout Randomization
.Sh SYNOPSIS
.In sys/types.h
.In sys/pax.h
.Pp
In the kernel configuration file:
.Cd "options PAX_ASLR"
.Sh DESCRIPTION
.Ss Introduction
Security in
rwatson: You can simply remove this subsection heading -- .Sh DESCRIPTION is assumed to begin with an introduction.
.Fx
rwatson: I'm not sure this introductory sentence is necessary.
is based primarily in policy-based technologies.
rwatson: Don't use contractions in formal written text ("won't" -> "will not").
Existing tools such as
.Xr jail 4 ,
.Xr capsicum 4 ,
rwatson: Should PAX_ASLR be marked up as a kernel option?
.Xr VNET 9 , and the
.Xr mac 4
rwatson: This is likely invalid nroff -- "and the" should be on the next line.
framework can make
.Fx Ns -based systems quite resilient against
attacks.
rwatson: "-based ..." should be on the next line.
FreeBSD lacks basic low-level exploit mitigation, such as Address
Space Layout Randomization (ASLR).
emaste: This is untrue, once this is committed.
lattera-gmail.com (author): I thought I addressed this with the latest patch. I must have missed it. I will fix this with the next patch (which I hope to submit tomorrow).
rwatson: "Randomizes" should not be capitalised.
ASLR Randomizes the address space layout of an application, making
rwatson: Explain, briefly, why it makes exploitation more difficult for the attacker.
exploitation difficult for an attacker.
rwatson: This sentence is not necessary. We wouldn't include a feature if it weren't these things.
This manual page and the associated implementation aim to
provide a secure, robust, extensible, and easily-managed form of ASLR
fit for production use in
.Fx Ns .
.Ss General Overview
When compiled with the PAX_ASLR option, systems will have ASLR
enabled.
For systems with that kernel option enabled, if a user wants
rwatson: s/force/configure/?
to disable ASLR for a given application, the user must force that
application to opt-out.
HardenedBSD has a special application called secadm for opting
applications in to or out of exploit mitigation features such as ASLR.
emaste: This isn't relevant to FreeBSD users as-is. It might be relevant in CAVEATS or BUGS, if there's additional functionality that needs to be implemented later.
lattera-gmail.com (author): I can remove this.
.Pp
Another kernel option,
.Cd PAX_SYSCTLS ,
exposes additional
rwatson: Use suitable markup for "sysctl" and also for the sysctl name.
.Xr sysctl 8
tunables, allowing ASLR behavior control without requiring a reboot.
rwatson: Use markup for the option name.
By default, the sysctl hardening.pax.aslr.status can only be changed
rwatson: Use markup for the sysctl name.
at boot time via /boot/loader.conf.
Enabling the PAX_SYSCTLS kernel option allows a root user to modify
hardening.pax.aslr.status.
rwatson: Xref jail here instead?
See Appendix A for a list of all the tunables.
.Pp
ASLR tunables are per-jail and each jail inherits its parent jail's
settings.
Having per-jail tunables allows more flexibility in shared-hosting
environments.
This structure also allows a user to selectively disable ASLR for
applications that misbehave.
rwatson: Perhaps these details belong in comments in the kernel?
ASLR-disabled applications will still have policy-based security
rwatson: Use markup for both sysinit and SI_SUB_PAX.
applied to it by virtue of being jailed.
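Review bot: The per-jail paragraph says the hardening.pax.aslr.* tunables are per-jail and inherited, and the paragraph before it says PAX_SYSCTLS lets root modify hardening.pax.aslr.status, but neither says whether root inside a jail may change its own jail's values, in particular to a status lower than the parent's. State that rule here (or xref the page where it is documented), because it decides whether the host administrator or the jail controls the mitigation, which is exactly what an administrator using per-jail settings for shared hosting needs to know.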
.Ss Implementation Details
rwatson: Use markup for the path name. Xref a suitable man page.
A new sysinit subroutine ID, SI_SUB_PAX, initializes ASLR system
variables.
Upon system boot, tunables from /boot/loader.conf are checked for
validity.
Any invalid values generate a warning message to the console and the
tunable is set to a sensible default.
.Pp
For the sake of performance, the ASLR system relies on per-process
deltas rather than calling
.Xr arc4random 3
for each mapping.
rwatson: Line break after comma.
When a process calls
.Xr execve 2
.Ns , the ASLR deltas are initialized.
rwatson: Line break after comma.
Deltas are randomly generated for the execution base,
.Xr mmap 2
.Ns , and stack addresses.
Only the execution base of applications compiled as Position
Independent Executables (PIEs) is randomized.
The execution base of non-PIE applications is not modified.
The mappings of shared objects are randomized for both PIE and non-PIE
applications.
.Pp
The deltas are used as a hint to the Virtual Memory (VM) system.
The VM system may modify the hint to make a better fit for superpages
and other alignment constraints.
.Pp
The delta applied to the PIE execbase is different than the delta
applied to the base address of shared objects.
rwatson: Mark up sysctl name. Mark up "et_dyn_addr".
In the Executable and Linkable File (ELF) image handler, the
rwatson: Mark up ET_DYN_LOAD_ADDR.
execution base of PIE applications is randomized by adding the delta
controlled by the hardening.pax.aslr.exec_len tunable to et_dyn_addr,
which is initialized to be ET_DYN_LOAD_ADDR (an architecture-
dependent macro).
rwatson: Mark up sysctl name.
The base address of shared objects loaded by the dynamic linker are
randomized by applying the delta controlled by the
rwatson: Possibly, in this context, it should be marked up as a mmap(2) Xref not sys_mmap()? The latter is part of the implementation, but the former is about the API/service.
hardening.pax.aslr.mmap_len tunable in
.Fn sys_mmap
.Ns .
Stack randomization is implemented using a stack gap.
On executable image activation, the stack delta is computed and
subtracted from the top of the stack.
.Ss APPENDIX A
NOTE: All tunables can only be changed during boot-time via
.Fa /boot/loader.conf
unless the kernel has been compiled with
.Cd PAX_SYSCTLS
.Ns .
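Review bot: `.Fa /boot/loader.conf` in the APPENDIX A note uses the function-argument macro for a file path; the path macro is `.Pa /boot/loader.conf`, and the closing period belongs on the macro line as `.Cd PAX_SYSCTLS .` rather than on a separate `.Ns .` line (the same `.Ns ,` / `.Ns .` pattern follows `.Xr execve 2`, `.Xr mmap 2` and `.Fn sys_mmap` in Implementation Details). In the same section, "the tunable is set to a sensible default" does not say which value is used; pointing at the Default entries of Appendix A would let an administrator who sees the console warning verify what the system actually fell back to.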
.Bl -bullet
.It
hardening.pax.aslr.status
.Bl -dash -compact
.It
Type: integer
.It
Description: Toggle system-wide ASLR protection.
.It
Values:
.br
0 - ASLR disabled system-wide. Individual applications may
rwatson: There is probably more suitable markup for this -- e.g., a definition list sort of thing?
.Em NOT
opt in.
.br
1 - ASLR disabled but applications may opt in.
.br
2 - ASLR enabled and applications may opt out.
.br
3 - ASLR enabled for all applications. Applications may not opt out.
.It
Default: 2
.El
.It
hardening.pax.aslr.exec_len
.Bl -dash -compact
.It
Type: integer
.It
Description: Set the number of bits to be randomized for the PIE
execbase.
.It
rwatson: Hard sentence break required.
Values:
.br
For 32-bit systems, minimum of 8, maximum of 21. For 64-bit systems,
minimum of 16, maximum of 42.
.It
Default: For 32-bit systems: 14. For 64-bit systems: 16.
.El
.It
hardening.pax.aslr.mmap_len
.Bl -dash -compact
.It
Type: integer
.It
Description: Set the number of bits to be randomized for
.Xr mmap 2
calls.
.It
rwatson: Hard sentence break required.
Values:
.br
For 32-bit systems, minimum of 8, maximum of 21. For 64-bit systems,
rwatson: Hard sentence break required.
minimum of 16, maximum of 42.
.It
Default: For 32-bit systems: 14. For 64-bit systems: 21.
rwatson: Markup sysctl name.
.El
.It
hardening.pax.aslr.stack_len
.Bl -dash -compact
.It
Type: integer
.It
Description: Set the number of bits to be randomized for the stack.
.It
Values:
.br
For 32-bit systems, minimum of 8, maximum of 21. For 64-bit systems,
rwatson: Hard sentence break required.
minimum of 16, maximum of 42.
.It
Default: For 32-bit systems: 8. For 64-bit systems: 16.
rwatson: This list of xrefs doesn't match the ones in the document -- synchronise.
.El
.El
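Review bot: Values 1 and 2 of hardening.pax.aslr.status are defined in terms of applications opting in or out, yet the page documents no FreeBSD mechanism for an application to do either; the only one named, secadm in the General Overview, is HardenedBSD's, and emaste's comment asks for that reference to be dropped. Either document the FreeBSD opt-in/opt-out mechanism next to these values, or say that until one exists values 1 and 2 are, for a FreeBSD user, indistinguishable from 0 and 3; the same gap affects the "the user must force that application to opt-out" sentence in the General Overview.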
.Sh SEE ALSO
.Xr mmap 2 ,
.Xr elf 3 ,
.Xr mac 4
.Rs
.%T "PaX ASLR"
.%U http://pax.grsecurity.net/docs/aslr.txt
rwatson: This list now seems incomplete -- jail, etc?
.Re
rwatson: It's not clear why this should appear in the man page.
.Rs
.%T "FreeBSD ASLR Bug Report"
.%U https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=181497
.Re
.Rs
.%T "HardenedBSD"
.%U http://hardenedbsd.org/
.Re
.Rs
.%T "secadm"
.%U https://github.com/HardenedBSD/secadm
.Re
.Sh HISTORY
On 14 May 2013, Oliver Pinter published to GitHub an initial patch to
implement ASLR.
rwatson: I wonder if the "and" should go on the next line -- I never remember with .An.
His work was inspired by Elad Efrat's work in NetBSD.
The patch was submitted to FreeBSD as a bug report on 24 Aug 2013.
Independenty of Oliver's work, Shawn Webb posted to his tech blog that
rwatson: Explain why.
he was interested in implementing ASLR for FreeBSD.
Oliver found his post and suggested that he and Shawn work together.
On June 08, 2014, preparatory work was committed to FreeBSD, adding
Position-Independent Executable (PIE) support in base. PIE support
rwatson: This comma belongs on the previous line ... but "will..." shouldn't be.
was removed sometime later.
On 07 Apr 2014, SoldierX agreed to sponsor the project and donated a
sparc64 machine and a BeagleBone Black to Shawn Webb. This hardware
is used for testing and debugging ASLR.
emaste: This information isn't useful in the man page. A brief history of its development makes sense, but minutiae about the dates where parts were committed or reverted isn't something that helps FreeBSD users make use of it.
lattera-gmail.com (author): I'll remove this.
ASLR was first introduced in HardenedBSD and later upstreamed to
rwatson: I naively believe that many newer programs will use the sysctl instead of the hard-coded C constant.
.Fx 11.0-CURRENT.
rwatson: Explain why.
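Review bot: "Independenty" on the line "Independenty of Oliver's work, Shawn Webb posted to his tech blog that" should read "Independently". The two lines "Position-Independent Executable (PIE) support in base. PIE support" and "sparc64 machine and a BeagleBone Black to Shawn Webb. This hardware" each start a new sentence mid-line and need the hard sentence break mdoc expects (one sentence per line), if those sentences survive emaste's request to trim the history. The dates in this paragraph are also out of order (June 08, 2014 is narrated before 07 Apr 2014).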
.Sh AUTHORS
This manual page was written by
.An -nosplit
.An Shawn Webb .
The ASLR implementation was written by
.An Oliver Pinter and
.An Shawn Webb .
.Sh BUGS
rwatson: I don't think this applies to the commit candidate, so likely this sentence should be removed.
The existing gap-based stack randomization is not optimal.
Mapping-base stack randomization is more robust, but hard-coded kernel
structures and addresses, especially
.Va PS_STRINGS
, will need to be
modified.
The required changes to
.Va PS_STRINGS
are major and will likely touch
userland along with the kernel.
emaste: Should not have blank line - please check with igor(1), I believe it will complain about this.
lattera-gmail.com (author): I'll remove this.
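Review bot: The line ", will need to be" after `.Va PS_STRINGS` puts the comma at the start of a text line, where it renders with a space before it; mdoc wants trailing punctuation on the macro line, `.Va PS_STRINGS ,`. PS_STRINGS is a preprocessor constant rather than a variable, so `.Dv PS_STRINGS` is the more accurate macro in both places. "Mapping-base stack randomization" should read "Mapping-based", matching "gap-based" in the previous sentence.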
The original PaX implementation, from which the
.Fx
implementation is inspired, uses a special ELF process header which
requires modification of executable files.
The authors of the
.Fx
implementation have deliberately chosen to go a different route based
on the
.Xr mac 4
framework.
Support for filesystem extended attributes will be added at a later
time.