We've been running with a modified version of this patch in HardenedBSD for a while now. It only applies to base and not ports, though we have some ports opting into RELRO + BIND_NOW. Would this be something that could be committed? Or are there still objections?
Mar 22 2016
Mar 11 2016
Mar 10 2016
Things that are missing from this patch to make this ASLR implementation complete:
Feb 23 2016
This has been tested successfully by a HardenedBSD user.
Jan 20 2016
You can add me to the list of people who have tested it. This works fine for me.
Dec 19 2015
Closing this revision. FreeBSD is free to pull from HardenedBSD.
Oct 31 2015
This update brings the patch current with latest FreeBSD HEAD. No other changes.
Sep 27 2015
In D3001#77165, @pfg wrote: I don't like this approach:
- First of all we don't want bindnow because it has many issues, it may be set conditionally but for now we can avoid it altogether.
Sep 8 2015
In D3565#74326, @kib wrote: Anything like this patch can only be considered if your 'aslr' implementation is ever found acceptable. Until it is not, the patch only adds bloat.
That said, and being whatever trivial, the patch has technical issues. The first and most obvious one is the fact that struct proc is the wrong location for the data you put into it. I argue that the locations of objects in the user address space are the property of the vmspace and not the process.
The second issue is less trivial. Right now, the data which you moved is located in the static (as in, not changing) struct sysentvec. In other words, after you have dereferenced sv = p->p_sysent, you know that you have a pointer to the stable and _consistent_ set of values like the address of psstrings, the address of the signal trampoline, the base of the shared page etc. With your patch, this property is lost. Now, you must guarantee that the operations which modify the user address space layout, like execve(), do not happen in parallel. I did not inspect your patch closely for the issue, but neither did you.
And, of course, the patch changes the ABI by making e.g. psstrings/sigtrampoline process-private, instead of all ABI-sharing processes sharing the psstrings/sigtramp value. I am certain that this e.g. breaks core dump analysis due to signal trampoline address change.
Sep 7 2015
Sep 4 2015
Aug 28 2015
In D3001#72044, @pfg wrote: Just an opinion ...
Going for the "partial" relro (without bindnow) seems like an obvious win.
Aug 5 2015
New update: I've found an issue with stack randomization on ARM64. We're working on fixing it right now. You can track the bug here: https://github.com/HardenedBSD/hardenedBSD/issues/154
Jul 28 2015
In D473#64973, @rwatson wrote: In D473#59442, @rwatson wrote: That seems a sensible strategy.
Any luck?
Jul 7 2015
In D473#59409, @rwatson wrote: Hi Shawn. Hope you are feeling better post-travel. Just wanted to check on the status of this patch -- will there be an updated version fixing the credential transition issue soon?
Jun 25 2015
Jun 14 2015
Jun 6 2015
I'm going to try to get some help with the credential changing stuff. That's an area that I'm not well versed in. If you have time to suggest how the credential change detection logic should look in code, I'd be happy to make that change. Ideally, we'd want all places that check for credential changing to be switched to that, but I'm not sure that's the job of an ASLR patch.
Thank you for taking the time to review our patch. I'll work to address your comments while I'm at BSDCan.
May 12 2015
Are there any updates since I last updated the patch nearly a month ago?
Apr 16 2015
This update fixes all the concerns Robert Watson brought up, with a few outstanding fixes that need to be addressed by Robert Watson (due to my comments the last 24 hours). If I have missed anything, please let me know and I'd be happy to take a look ASAP.
Apr 15 2015
Mar 31 2015
Just a little update. I worked on a new patch over the weekend and am almost ready with a new patch. I need to research how to create SDT probes and a few other tasks. I'm hoping to have an updated patch this weekend.
Mar 27 2015
Thanks for your thorough review! I hope to take a look at this over the weekend. I hope to have a new patch that addresses your concerns on Monday.
Mar 22 2015
Mar 21 2015
This update fixes the #endif typo and the rest of the concerns Warner Losh has. I decided not to remove the pax_aslr_init_prison and pax_aslr_init_prison32 macros since we have more features planned that will make use of it, as Oliver pointed out.
Mar 20 2015
This updated patch fully addresses Ed Maste's and Robert Watson's concerns.
Mar 19 2015
Whoops, sorry, looked at the wrong update. But the question still remains: what's preventing this from being committed?
It has been well over a month since this patch was updated to address all remaining concerns. Can this be committed?
Mar 1 2015
Due to prison0_init being created upstream, our patch as it stood would have created a merge conflict. This update simply fixes that to make FreeBSD's job easier in importing our ASLR work.
Feb 21 2015
Lots of manpage updates to resolve rwatson@'s and gjb@'s concerns.
Feb 1 2015
This update adds additional backported code.
Jan 31 2015
A few comments on the man page; I've not yet had a chance to look at the full contents of the patch.
This update addresses Robert Watson's concerns, improves stability, and increases the maximum bits that can be set with the tunables.
Nov 3 2014
Nov 2 2014
New patch to address mjg's concerns.
Sep 29 2014
Thanks to Ilya Bakulin, ASLR is now fully functional and bug-free on ARM!
Sep 28 2014
Add extra security parameters around executing processes when ASLR has been disabled via ptrace. Only allow disabling ASLR via ptrace if securelevel <= 0.
Sep 26 2014
Add extra debugger functionality Ed Maste (emaste@) requested. New PTrace request: PT_PAX. Pass in PAX_NOTE_NOASLR to the data argument to ptrace(PT_PAX) after forking and before calling execve() to disable ASLR for to-be-debugged applications.
No technical change. Full context patch.
Sep 25 2014
Remove unneeded change to sys/kern/kern_sig.c
Style and performance changes made by Oliver Pinter.
Sep 5 2014
Make style changes requested by Robert Watson.
Aug 16 2014
Cleaned up a lot of code. Removed extra logging functionality. Fixed a few bugs and typos. Removed the ugly MAP_32BIT hack. Implemented more suggestions based on private and public comments.
Jul 24 2014
This patch implements the various suggestions made by the team. It has been compiled and tested successfully on amd64 both with ASLR enabled and disabled.