Re: git: b014e0f15bc7 - main - Enable ASLR by default for 64-bit executables

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Wed, 17 Nov 2021 05:40:34 UTC
On Wed, Nov 17, 2021 at 10:42:12AM +1100, Kubilay Kocak wrote:
> On 17/11/2021 9:26 am, Marcin Wojtas wrote:
> > The branch main has been updated by mw:
> > 
> > URL: https://cgit.FreeBSD.org/src/commit/?id=b014e0f15bc73d80ef49b64fd1f8c29f469467cb
> > 
> > commit b014e0f15bc73d80ef49b64fd1f8c29f469467cb
> > Author:     Marcin Wojtas <mw@FreeBSD.org>
> > AuthorDate: 2021-10-24 14:53:06 +0000
> > Commit:     Marcin Wojtas <mw@FreeBSD.org>
> > CommitDate: 2021-11-16 22:16:09 +0000
> > 
> >      Enable ASLR by default for 64-bit executables
> >      Address Space Layout Randomization (ASLR) is an exploit mitigation
> >      technique implemented in the majority of modern operating systems.
> >      It involves randomly positioning the base address of an executable
> >      and the position of libraries, heap, and stack, in a process's address
> >      space. Although over the years ASLR proved to not guarantee full OS
> >      security on its own, this mechanism can make exploitation more difficult.
> >      Tests on the tier 1 64-bit architectures demonstrated that the ASLR is
> >      stable and does not result in noticeable performance degradation,
> >      therefore it should be safe to enable this mechanism by default.
> >      Moreover its effectiveness is increased for PIE (Position Independent
> >      Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by
> >      default on 64-bit architectures"), building from src is not necessary
> >      to have PIE binaries. It is enough to control usage of ASLR in the
> >      OS solely by setting the appropriate sysctls.
> >      This patch toggles the kernel settings to use address map randomization
> >      for PIE & non-PIE 64-bit binaries. It also disables SBRK, in order
> >      to allow utilization of the bss grow region for mappings. The latter
> >      has no effect if ASLR is disabled, so apply it to all architectures.
> >      As for the drawbacks, a consequence of using the ASLR is more
> >      significant VM fragmentation, hence the issues may be encountered
> >      in the systems with a limited address space in high memory consumption
> >      cases, such as buildworld. As a result, although the tests on 32-bit
> >      architectures with ASLR enabled were mostly on par with what was
> >      observed on 64-bit ones, the defaults for the former are not changed
> >      at this time. Also, for the sake of safety keep the feature disabled
> >      for 32-bit executables on 64-bit machines, too.
> >      The committed change affects the overall OS operation, so the
> >      following should be taken into consideration:
> >      * Address space fragmentation.
> >      * A changed ABI due to modified layout of address space.
> >      * More complicated debugging due to:
> >        * Non-reproducible address space layout between runs.
> >        * Some debuggers automatically disable ASLR for spawned processes,
> >          making target's environment different between debug and
> >          non-debug runs.
> >      In order to confirm/rule-out the dependency of any encountered issue
> >      on ASLR it is strongly advised to re-run the test with the feature
> >      disabled - it can be done by setting the following sysctls
> >      in the /etc/sysctl.conf file:
> >      kern.elf64.aslr.enable=0
> >      kern.elf64.aslr.pie_enable=0
> >      Co-developed by: Dawid Gorecki <dgr@semihalf.com>
> >      Reviewed by: emaste, kib
> >      Obtained from: Semihalf
> >      Sponsored by: Stormshield
> >      MFC after: 1 month
> >      Differential revision: https://reviews.freebsd.org/D27666
> > ---
> >   sys/kern/imgact_elf.c | 20 +++++++++++++++++---
> >   1 file changed, 17 insertions(+), 3 deletions(-)
> > 
> > diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
> > index 898f0f66a532..38ad61d8720b 100644
> > --- a/sys/kern/imgact_elf.c
> > +++ b/sys/kern/imgact_elf.c
> > @@ -161,19 +161,33 @@ SYSCTL_NODE(__CONCAT(_kern_elf, __ELF_WORD_SIZE), OID_AUTO, aslr,
> >       "");
> >   #define	ASLR_NODE_OID	__CONCAT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), _aslr)
> > -static int __elfN(aslr_enabled) = 0;
> > +/*
> > + * While for 64-bit machines ASLR works properly, there are
> > + * still some problems when using 32-bit architectures. For this
> > + * reason ASLR is only enabled by default when running native
> > + * 64-bit non-PIE executables.
> > + */
> > +static int __elfN(aslr_enabled) = __ELF_WORD_SIZE == 64;
> >   SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, enable, CTLFLAG_RWTUN,
> >       &__elfN(aslr_enabled), 0,
> >       __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE))
> >       ": enable address map randomization");
> > -static int __elfN(pie_aslr_enabled) = 0;
> > +/*
> > + * Enable ASLR only for 64-bit PIE binaries by default.
> > + */
> > +static int __elfN(pie_aslr_enabled) = __ELF_WORD_SIZE == 64;
> >   SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, pie_enable, CTLFLAG_RWTUN,
> >       &__elfN(pie_aslr_enabled), 0,
> >       __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE))
> >       ": enable address map randomization for PIE binaries");
> 
> The current description seems ambiguous with respect to the added comment.
> If the sysctl (=1) applies ASLR "only" for PIE binaries, where the =0
> (sysctl disabled) case applies it unconditionally, a better description
> might be:
> 
> "Enable address map randomization only for PIE binaries"
> 
> What is the actual/correct behaviour of the control?

It also doesn't make much sense to toggle AS{L}R for the different
parts of an executable image. AS{L}R is an "all or nothing" thing.
Really, there should be only a single toggle with four modes:

1. AS{L}R force disable
2. AS{L}R opt out
3. AS{L}R opt in
4. AS{L}R force enable

HardenedBSD has found that users get confused or are unsure of having
too many toggles. "What happens when I do <X>?" In this case, you'd
probably have to have deeper knowledge of how FreeBSD's AS{L}R is
implemented. Having a single sysctl knob makes life easier for users
and reduces implementation complexity.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc