From nobody Sat Nov 20 02:32:22 2021 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5E6A118A8F8E for ; Sat, 20 Nov 2021 02:32:28 +0000 (UTC) (envelope-from kp@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HwyHJ2DWHz4t1k; Sat, 20 Nov 2021 02:32:28 +0000 (UTC) (envelope-from kp@freebsd.org) Received: from venus.codepro.be (venus.codepro.be [5.9.86.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx1.codepro.be", Issuer "R3" (verified OK)) (Authenticated sender: kp) by smtp.freebsd.org (Postfix) with ESMTPSA id 17C96A166; Sat, 20 Nov 2021 02:32:28 +0000 (UTC) (envelope-from kp@freebsd.org) Received: by venus.codepro.be (Postfix, authenticated sender kp) id AEB702DE73; Sat, 20 Nov 2021 03:32:25 +0100 (CET) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Kristof Provost List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org Mime-Version: 1.0 (1.0) Subject: Re: HEADS-UP: ASLR for 64-bit executables enabled by default on main Date: Fri, 19 Nov 2021 19:32:22 -0700 Message-Id: References: Cc: Li-Wen Hsu , freebsd-current , Fabien Thomas , MARECHAL Boris , Rafal Jaworowski , Damien DEVILLE In-Reply-To: To: Marcin Wojtas X-Mailer: iPhone Mail (19B74) X-ThisMailContainsUnwantedMimeParts: N > On 18 Nov 2021, at 11:43, Marcin Wojtas wrote: > czw., 18 lis 2021 o 19:07 Li-Wen Hsu napisa=C5=82(a): >>=20 >>> On Wed, Nov 17, 2021 at 6:30 AM Marcin Wojtas wrote: >>>=20 >>> As of b014e0f15bc7 the ASLR (Address Space Layout >>> Randomization) feature becomes enabled for the all 64-bit >>> binaries by default. >>>=20 >>> Address Space Layout Randomization (ASLR) is an exploit mitigation >>> technique implemented in the majority of modern operating systems. >>> It involves randomly positioning the base address of an executable >>> and the position of libraries, heap, and stack, in a process's address >>> space. Although over the years ASLR proved to not guarantee full OS >>> security on its own, this mechanism can make exploitation more difficult= >>> (especially when combined with other methods, such as W^X). >>>=20 >>> Tests on the tier 1 64-bit architectures demonstrated that the ASLR is >>> stable and does not result in noticeable performance degradation, >>> therefore it is considered safe to enable this mechanism by default. >>> Moreover its effectiveness is increased for PIE (Position Independent >>> Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by >>> default on 64-bit architectures"), building from src is not necessary >>> to have PIE binaries and it is enough to control usage of ASLR in the >>> OS solely by setting the appropriate sysctls. The defaults were toggled >>> for the 64-bit PIE and non-PIE executables. >>>=20 >>> As for the drawbacks, a consequence of using the ASLR is more >>> significant VM fragmentation, hence the issues may be encountered >>> in the systems with a limited address space in high memory consumption >>> cases, such as buildworld. As a result, although the tests on 32-bit >>> architectures with ASLR enabled were mostly on par with what was >>> observed on 64-bit ones, the defaults for the former are not changed >>> at this time. Also, for the sake of safety the feature remains disabled >>> for 32-bit executables on 64-bit machines, too. >>>=20 >>> The committed change affects the overall OS operation, so the >>> following should be taken into consideration: >>> * Address space fragmentation. >>> * A changed ABI due to modified layout of address space. >>> * More complicated debugging due to: >>> * Non-reproducible address space layout between runs. >>> * Some debuggers automatically disable ASLR for spawned processes, >>> making target's environment different between debug and >>> non-debug runs. >>>=20 >>> The known issues (such as PR239873 or PR253208) have been fixed in >>> HEAD up front, however please pay attention to the system behavior after= >>> upgrading the kernel to the newest revisions. >>> In order to confirm/rule-out the dependency of any encountered issue >>> on ASLR it is strongly advised to re-run the test with the feature >>> disabled - it can be done by setting the following sysctls >>> in the /etc/sysctl.conf file: >>> kern.elf64.aslr.enable=3D0 >>> kern.elf64.aslr.pie_enable=3D0 >>>=20 >>> The change is a result of combined efforts under the auspices >>> of the FreeBSD Foundation and the Semihalf team sponsored >>> by Stormshield. >>>=20 >>> Best regards, >>> Marcin >>=20 >> Thanks very much for working on this. FYI, there are some test cases >> seem to be affected by this: >>=20 >> https://ci.freebsd.org/job/FreeBSD-main-amd64-test/19828/testReport/ >>=20 >> The mkimg ones are a bit tricky, it seems the output is changed in >> each run. We may need a way to generate reproducible results.. >>=20 >> I'm still checking them, but hope more people can join and fix them. >>=20 >=20 > Thanks for bringing this up! Apart from > sys.netpfil.common.dummynet.pf_nat other are 23 are new. I=E2=80=99ve just managed to reproduce that one locally (it only happens if i= pfw is also loaded) and will dig in soon. It=E2=80=99s not going to be aslr r= elated. You can ignore that failure.=20 Kristof=20