Re: [CFT] ASLR and PIE on amd64
Updated aslr + segvguard SNAPSHOT patches, see the attachments.

freebsd-stable-10-r265039-aslr-segvguard-SNAPSHOT.diff : against stable/10 @r265039
freebsd-current-r265046-aslr-segvguard-SNAPSHOT.diff : against current @r265046

To apply the patch, use this command:

patch -p1 < freebsd-stable-10-r265039-aslr-segvguard-SNAPSHOT.diff

or

patch -p1 < freebsd-current-r265046-aslr-segvguard-SNAPSHOT.diff

github: https://github.com/HardenedBSD/hardenedBSD/commits/hardened/10/aslr
github: https://github.com/HardenedBSD/hardenedBSD/commits/hardened/current/aslr
git: https://github.com/HardenedBSD/hardenedBSD.git

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
Re: [CFT] ASLR and PIE on amd64
On 4/2/14, Shawn Webb latt...@gmail.com wrote:
> You are awesome. I'll integrate those patches today.
>
> In reviewing your patches, I noticed a few places where I'm keying off the local pax_aslr_debug variable. I ought to switch that to keying off the jail's pr_pax_aslr_debug variable.

https://github.com/HardenedBSD/hardenedBSD/commits/hardened/10/aslr
Re: [CFT] ASLR and PIE on amd64
On Apr 09, 2014 02:17 AM +0200, Oliver Pinter wrote:
> https://github.com/HardenedBSD/hardenedBSD/commits/hardened/10/aslr

And for anyone who's tracking HEAD (like me):

https://github.com/HardenedBSD/hardenedBSD/commits/hardened/current/aslr
Re: [CFT] ASLR and PIE on amd64
On 4/2/14, Oliver Pinter oliver.p...@gmail.com wrote:
> please see the attached patch, compile and boot tested on amd64

Some more patches, and one critical fix (0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).

Attachments:
0001-PAX-ASLR-remove-dirty-hack-to-determine-which-pax_in.patch
0002-PAX-ASLR-updated-debug-messages.patch
0003-PAX-ASLR-removed-unused-variable.patch
0004-PaX-ASLR-added-more-debug-messages.patch
0005-PAX-ASLR-fix-debug-messages-added-new-line.patch
0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch
Re: [CFT] ASLR and PIE on amd64
On Apr 02, 2014 04:54 PM +0200, Oliver Pinter wrote:
> On 4/2/14, Oliver Pinter oliver.p...@gmail.com wrote:
> > please see the attached patch, compile and boot tested on amd64
>
> Some more patches, and one critical fix (0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).

You are awesome. I'll integrate those patches today.

In reviewing your patches, I noticed a few places where I'm keying off the local pax_aslr_debug variable. I ought to switch that to keying off the jail's pr_pax_aslr_debug variable.
Re: [CFT] ASLR and PIE on amd64
On 3/31/14, Shawn Webb latt...@gmail.com wrote:
> Patch merged successfully into my GitHub repo. Fixed with commit d2c0813. I'll include it in my next patch submission upstream when I submit my PIE work.
>
> Thanks!

please see the attached patch, compile and boot tested on amd64

Attachment:
0001-PAX-ASLR-remove-dirty-hack-to-determine-which-pax_in.patch
Re: [CFT] ASLR and PIE on amd64
On 3/22/14, Shawn Webb latt...@gmail.com wrote:
> The following sysctls can be set with a kernel compiled with the PAX_ASLR option:
>
> security.pax.aslr.status: 1
> security.pax.aslr.debug: 0
> security.pax.aslr.mmap_len: 16
> security.pax.aslr.stack_len: 12
> security.pax.aslr.exec_len: 12

Hi!

Please apply this patch. This fixed an issue with tunables.

Attachment:
0001-PaX-ASLR-fixed-tunables-in-kern_pax.c.patch
Re: [CFT] ASLR and PIE on amd64
On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
> Hi!
>
> Please apply this patch. This fixed an issue with tunables.

Patch merged successfully into my GitHub repo. Fixed with commit d2c0813. I'll include it in my next patch submission upstream when I submit my PIE work.

Thanks!
[CFT] ASLR and PIE on amd64
Hey All,

First off, I hope that even as a non-committer, it's okay that I post a call for testing. If not, please excuse my newbishness in this process. This is my first time submitting a major patch upstream to FreeBSD.

Over the past few months, I've had the opportunity and pleasure to enhance existing patches to FreeBSD that implement a common exploit mitigation technology called Address Space Layout Randomization (ASLR) along with support for Position Independent Executables (PIE). ASLR+PIE has been a long-requested feature by many people I've met on IRC. I've submitted my patch to PR kernel/181497.

I'm currently in the process of adding PIE support to certain high-visibility applications in base (mainly network daemons). I've added a make.conf knob that defaults to enabled (WITH_PIE=1). An application also has to explicitly support PIE by defining CAN_PIE in its Makefile prior to including bsd.prog.mk. After I get a decent number of applications enabled with PIE support, I'll submit one last patch.

The following sysctls can be set with a kernel compiled with the PAX_ASLR option:

security.pax.aslr.status: 1
security.pax.aslr.debug: 0
security.pax.aslr.mmap_len: 16
security.pax.aslr.stack_len: 12
security.pax.aslr.exec_len: 12

The security.pax.aslr.status sysctl enables and disables the ASLR system as a whole. The debug sysctl gives debugging output. The mmap_len sysctl tells the ASLR system how many bits to randomize when mmap() is called. The stack_len sysctl tells the ASLR system how many bits to randomize in the stack. The exec_len sysctl tells the ASLR system how many bits to randomize the execbase (this controls PIE).

These sysctls can be set on a per-jail basis. If you have an application which doesn't support ASLR, yet you want ASLR enabled for everything else, you can simply place that misbehaving application in a jail with only that jail's ASLR settings turned off.

Please let me know how your testing goes. I'm giving a presentation at BSDCan regarding this.

If you want to keep tabs on my bleeding-edge development process, please follow my progress on GitHub: https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).

Thank you very much,

Shawn Webb
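A way to check the three *_len settings above on a test box, added here as an example (it is not part of Shawn's patch set or of HardenedBSD): the program re-executes itself, gathers a code address, a stack address and an mmap() result from each run, and reports which address bits moved and how many, to set against exec_len, stack_len and mmap_len. It assumes it is compiled as a PIE (a non-PIE build shows zero varying bits in the exec base row, which is itself a quick check that CAN_PIE took effect) and started by a path that execl() can reuse, such as ./aslr_probe; the file name, NSAMPLES and the --probe flag are my own choices.

```c
/* aslr_probe.c: added example, not part of the ASLR/PIE patch set. Build as a
 * PIE (cc -fPIE -pie -o aslr_probe aslr_probe.c) and run ./aslr_probe: it
 * re-execs itself NSAMPLES times and reports, per region, which address bits
 * moved between runs and how many, versus security.pax.aslr.*_len. */
#define _DEFAULT_SOURCE 1   /* glibc: keep POSIX/BSD APIs visible under -std=c99 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>
#define NSAMPLES 32

/* OR of each sample XOR the first: a set bit moved at least once. With 32 samples
 * of an n-bit random field the popcount lands near n (carries can push it above). */
static uintptr_t varying_mask(const uintptr_t *s, size_t n)
{
    uintptr_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= s[i] ^ s[0];
    return mask;
}

/* Number of randomised bits seen for one region; 0 means no ASLR there. */
static int observed_bits(const uintptr_t *s, size_t n)
{
    int c = 0;
    for (uintptr_t v = varying_mask(s, n); v != 0; v &= v - 1)
        c++;
    return c;
}

/* Parent side: run "self --probe" NSAMPLES times and read each child's three
 * hex addresses through a pipe into out[region][sample]. 0 on success. */
static int collect(const char *self, uintptr_t out[3][NSAMPLES])
{
    for (int i = 0; i < NSAMPLES; i++) {
        int fd[2];
        char line[80] = "";
        unsigned long a, b, c;
        if (pipe(fd) < 0) return -1;
        pid_t pid = fork();
        if (pid == 0) {                 /* child: stdout -> pipe, re-exec */
            dup2(fd[1], STDOUT_FILENO);
            execl(self, self, "--probe", (char *)NULL);
            _exit(127);
        }
        close(fd[1]);
        ssize_t got = pid < 0 ? -1 : read(fd[0], line, sizeof line - 1);
        close(fd[0]);
        if (pid > 0) waitpid(pid, NULL, 0);
        if (got <= 0 || sscanf(line, "%lx %lx %lx", &a, &b, &c) != 3)
            return -1;
        out[0][i] = a; out[1][i] = b; out[2][i] = c;
    }
    return 0;
}

int main(int argc, char **argv)
{
    static uintptr_t s[3][NSAMPLES];
    static const char *name[3] = { "exec base (exec_len)", "stack (stack_len)", "mmap (mmap_len)" };
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        /* child: code address (moves only if PIE), stack address, fresh anon mapping */
        void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
        printf("%lx %lx %lx\n", (unsigned long)(uintptr_t)&collect,
               (unsigned long)(uintptr_t)&argc, (unsigned long)(uintptr_t)m);
        return 0;
    }
    if (collect(argv[0], s) < 0) return 1;
    for (int r = 0; r < 3; r++)
        printf("%-22s mask 0x%016lx  %2d varying bits\n", name[r],
               (unsigned long)varying_mask(s[r], NSAMPLES), observed_bits(s[r], NSAMPLES));
    return 0;
}
```

Rerun it inside a jail whose security.pax.aslr.status is 0 and every row should report 0 varying bits, which confirms the per-jail switch described above.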