CFT: New ASLR Patch

Shawn Webb shawn.webb at hardenedbsd.org
Tue Feb 24 13:37:52 UTC 2015


On Tuesday, February 24, 2015 01:30:19 PM Bartek Rutkowski wrote:
> On Sat, Feb 21, 2015 at 3:59 PM, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
> > Hey All,
> > 
> > It has been a long time since we sent out a call for testing request for
> > our ASLR patch. We've been hard at work making our ASLR implementation as
> > robust as possible. We'd like to invite all adventurous souls to test our
> > ASLR implementation. Put it through the wringer.
> > 
> > Since the patch is much too large to attach to an email, you can find our
> > latest patch on FreeBSD's Phabricator:
> > 
> > https://reviews.freebsd.org/D473
> > 
> > Or download the raw version of the patch:
> > https://reviews.freebsd.org/D473?download=true
> > 
> > Please let me know if you find any issues.
> > 
> > Thanks,
> > 
> > Shawn Webb
> > HardenedBSD
> 
> Hi,
> 
> First of all, thanks a lot for your work on that, can't wait to see it
> implemented in FreeBSD release!
> 
> Could you perhaps update your call for testing with some instructions
> for potential testers as to how to test (I assume this patch is against
> -CURRENT, but I could be wrong here, and others could make different
> assumptions), is there anything else than applying patches,
> compilation and reboot required (any configuration?), what to look at
> when running on these patches, what are you interested in when
> reporting any success/issues with them (any instructions for
> generating a relevant problem report for you?) and so on?
> 
> Kind regards,
> Bartek Rutkowski

Hey Bartek,

Great questions which I should have answered in my original email. The patch 
is against HEAD (11-CURRENT).

Here's how you can test it:
1) Download the patch
2) cd /usr/src && patch -p1 < /path/to/downloaded/patch
3) vim sys/amd64/conf/GENERIC
    3.1) Find the line that has "#options PAX_ASLR" and uncomment it
    3.2) Optionally uncomment the PAX_SYSCTLS kernel option as well
4) Build world and kernel
5) Install world and kernel
6) Reboot
7) Sit back, relax, and enjoy life

Since FreeBSD's base doesn't support being compiled as Position-Independent 
Executables (PIEs), ASLR is only semi-applied. The base address of shared 
objects and anonymous mappings get randomized along with the stack. The base 
address of the executable itself does not. If FreeBSD had support for 
compiling base as PIEs, then you would see ASLR fully applied, including the 
base address of the application.

Ideally, you should see no breakage in applications. Our implementation does 
provide per-jail granularity. So if an application does break with ASLR 
applied, you can simply run that application in a jail where ASLR is disabled 
for that jail only. You will need the PAX_SYSCTLS kernel option in this case.

Thanks,

Shawn
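A small tester's aid for the "what to look at" question above, added here as an example and not part of the thread or of the HardenedBSD patch: the program runs itself twice and reports which regions moved between the two runs. With PAX_ASLR enabled you should see the stack, heap, anonymous mapping and libc reported as randomized, while the executable's own text stays fixed for a non-PIE binary, exactly as described above. It assumes a dynamically linked build on a 64-bit host and uses the address of libc's stdout object as a proxy for the shared-object base.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
static const char *names[] = { "text", "stack", "heap", "anon-mmap", "libc" };
struct sample { unsigned long a[5]; };   /* one address per region, in the order above */
/* Collect one representative address from each region of the calling process. */
struct sample take_sample(void)
{
    struct sample s;
    int local = 0;
    void *h = malloc(64);
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    s.a[0] = (unsigned long)&take_sample; /* text: moves only if the binary is a PIE */
    s.a[1] = (unsigned long)&local;       /* stack */
    s.a[2] = (unsigned long)h;            /* heap (jemalloc on FreeBSD backs this with mmap) */
    s.a[3] = (unsigned long)m;            /* anonymous mapping */
    s.a[4] = (unsigned long)stdout;       /* object inside libc's data: shared-object base */
    free(h); munmap(m, 4096);
    return s;
}
/* Bitmask (bit i = names[i]) of regions whose address differs between two runs. */
unsigned diff_mask(const struct sample *x, const struct sample *y)
{
    unsigned m = 0;
    for (int i = 0; i < 5; i++) if (x->a[i] != y->a[i]) m |= 1u << i;
    return m;
}
int main(int argc, char **argv)
{
    char cmd[256], line[128], *q;
    struct sample s[2];
    if (argc > 1) {                  /* child mode: print one sample and exit */
        struct sample c = take_sample();
        for (int i = 0; i < 5; i++) printf("%lx ", c.a[i]);
        printf("\n");
        return 0;
    }
    snprintf(cmd, sizeof cmd, "%s child", argv[0]);
    for (int r = 0; r < 2; r++) {    /* parent: run self twice and parse both samples */
        FILE *p = popen(cmd, "r");
        if (!p || !fgets(line, sizeof line, p)) return 1;
        for (int i = 0; i < 5; i++) s[r].a[i] = strtoul(i ? q : line, &q, 16);
        pclose(p);
    }
    unsigned m = diff_mask(&s[0], &s[1]);
    for (int i = 0; i < 5; i++)
        printf("%-10s %s\n", names[i], (m & (1u << i)) ? "randomized" : "fixed");
    return 0;
}
```

Build with `cc -o aslrcheck aslrcheck.c` and run `./aslrcheck`; running the same binary inside a jail with ASLR disabled via the PAX_SYSCTLS knobs should flip every row to "fixed", which is a quick way to confirm the per-jail granularity.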