[CFT] ASLR and PIE on amd64

Shawn Webb lattera at gmail.com
Sat Mar 22 01:13:45 UTC 2014


Hey All,

First off, I hope that even as a non-committer, it's okay that I post
a call for testing. If not, please excuse my newbishness in this
process. This is my first time submitting a major patch upstream to
FreeBSD.

Over the past few months, I've had the opportunity and pleasure to
enhance existing patches to FreeBSD that implement a common exploit
mitigation technology called Address Space Layout Randomization (ASLR)
along with support for Position Independent Executables (PIE).
ASLR+PIE has been a long-requested feature by many people I've met on
IRC.

I've submitted my patch to PR kernel/181497. I'm currently in the
process of adding PIE support to certain high-visibility applications
in base (mainly network daemons). I've added a make.conf knob that
defaults to enabled (WITH_PIE=1). An application has to also explicitly
support PIE as well by defining CAN_PIE in the Makefile prior to
including bsd.prog.mk. After I get a decent amount of applications
enabled with PIE support, I'll submit one last patch.

The following sysctls can be set with a kernel compiled with the
PAX_ASLR option:

security.pax.aslr.status: 1
security.pax.aslr.debug: 0
security.pax.aslr.mmap_len: 16
security.pax.aslr.stack_len: 12
security.pax.aslr.exec_len: 12

The security.pax.aslr.status sysctl enables and disables the ASLR
system as a whole. The debug sysctl gives debugging output. The
mmap_len sysctl tells the ASLR system how many bits to randomize when
mmap() is called. The stack_len sysctl tells the ASLR system how many
bits to randomize in the stack. The exec_len sysctl tells the ASLR
system how many bits to randomize in the execbase (this controls PIE).
These sysctls can be set on a per-jail basis. If you have an
application which doesn't support ASLR, yet you want ASLR enabled for
everything else, you can simply place that misbehaving application in
a jail with only that jail's ASLR settings turned off.

Please let me know how your testing goes. I'm giving a presentation at
BSDCan regarding this.

If you want to keep tabs on my bleeding-edge development process,
please follow my progress on GitHub:
https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).

Thank you very much,

Shawn Webb

