ASLR/PIE status in FreeBSD HEAD

Wed May 20 07:20:05 UTC 2020

Hi everyone,

This a very good news. Thanks to Semihalf to their commitment on this subject.
At Stormshield as a security vendor using FreeBSD we are highly interested in all subjects that enhance the security level of FreeBSD.
What is your target in term of timing ? Are there any plans to work on other hardening subjects (like for example improving W^X) ? Do you have any roadmap in terms of features and deadlines ?

We would be interested to take part to live discussions as a vendor if some are planned.

Internally we have some plans to work on this subject with deadlines by the end of the year.

Thanks to all of you for working on this subject,
Damien

--
Damien Deville
IPS Technical Leader
http://www.stormshield.eu

Stormshield
2/6 Avenue de l'Horizon, Bat. 6 - FR 59650 Villeneuve d'Ascq

----- Le 14 Mai 20, à 10:00, Marcin Wojtas mw at semihalf.com a écrit :

| Hi,
| 
| wt., 5 maj 2020 o 12:03 Marcin Wojtas <mw at semihalf.com> napisał(a):
|>
|> pon., 4 maj 2020 o 17:24 Ed Maste <emaste at freebsd.org> napisał(a):
|> >
|> > On Mon, 20 Apr 2020 at 10:22, Marcin Wojtas <mw at semihalf.com> wrote:
|> > >
|> > > Indeed I thought of kyua and measuring buildworld execution time for
|> > > stressing the DUT and having the first comparison numbers for the low
|> > > price.
|> > >
|> > > Do you think it is possible to get help here, i.e. is there a FreeBSD
|> > > devops team, maintaining the Jenkins CI whose spare cycles could be
|> > > used for this purpose? Or is this a field requiring external help from
|> > > interested parties?
|> >
|> > There aren't a lot of spare cycles to go around, but putting
|> > automation in place so that tests like this can easily be performed is
|> > certainly something that's in the Jenkins team's domain.
|>
|> Of course the available bandwidth is a limitation, but IMO we should
|> start with defining the requirements so that eventually it could be
|> added to the backlog.
|>
|> >
|> > > Yes, making use of something actively maintained would be great. Do
|> > > you see a need for IO stressing/benchmarking for the discussed cases?
|> >
|> > In the fullness of time I think it's important, but my opinion is that
|> > it's really functional tests that we need, for enabling features in
|> > -CURRENT; we can work on benchmarking before and after changing a
|> > default.
|>
|> Understood. Since there seem to be no blockers / major objections at
|> this point, how do you suggest proceed with the topic? How about
|> having a live discussion with interested parties, so that we can
|> establish at least a rough plan allowing to achieve the enablement of
|> this (and possibly other) feature in a foreseeable perspective?
|>
| 
| Any thoughts about having a live discussion on the ALSR/PIE enablement topic?
| 
| Best regards,
| Marcin
| _______________________________________________
| freebsd-security at freebsd.org mailing list
| https://lists.freebsd.org/mailman/listinfo/freebsd-security
| To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"