From nobody Wed Nov 17 20:17:51 2021 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C8BA81851910 for ; Wed, 17 Nov 2021 20:18:03 +0000 (UTC) (envelope-from mw@semihalf.com) Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HvZ4C50Zdz4p47 for ; Wed, 17 Nov 2021 20:18:03 +0000 (UTC) (envelope-from mw@semihalf.com) Received: by mail-lf1-x131.google.com with SMTP id bi37so14263810lfb.5 for ; Wed, 17 Nov 2021 12:18:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semihalf-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=5rw6P1RfbBgDaUtUsqc8ozYyaIm5KorLPBjSlDVeFK4=; b=tBwFPEDkGqHDJiUbg7XWz0fBMtONcKdCYoBTKPCX9L3RiSE+Y9/C35tGN7gOw+aQHr W2CJ6I4lVty14LFMUp1hWy551kDhaL0YD4In0kLUxKjjJnU3QRXl7TUTTU3V4xZnrQAT DqAoBaeH6WKX3zJbOaq+86KU6EuO5H0KvHuRAniRUPooqDY3ByGjRQRl7sM0wyHsgAjA s/Rs2an0uXoXXus+uSQDKlZaixGkvtGLebZCORWGKXqfqMH8ozcH2SZ+vgHIhmjhxv5o /FZEoGSJhZb26gy3Xm2KDvnrEV9NpMgeq4rXNhBPXcykkpa6zgGm8N4qwQ1j+50nWT2B bFGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=5rw6P1RfbBgDaUtUsqc8ozYyaIm5KorLPBjSlDVeFK4=; b=uBckbQlVzMOgCunOGLM1tE9+l76PctJ2Q57KyWq/xfI3ciJFZjxiXYPcmQUPmx9ltu rY66nuzU78hnCOa+qU9ql1rIyr/WZNFDwN1qocozDcMwH8xZ2JSJviuggN5DvMwFvFDH Nk/WUhZVfBGL6tIw0T7s2z82ozWe8s/Od2ht05GEm2IpthKzisPMSLeJChK5MlfejBWX CJ6VC76xeLmYLXXdbZuKBEm+xwduvQ0xhUkdN5bmY7ZsSjGsNknVaNLtpl7PWYVl3J3e RGCgTov3yzhxYXPVXi7v3Pm4xODo6vbRI0R30fHPXT5VPGd5hsYpXtmO6lzkRTXYe7ji wYkw== X-Gm-Message-State: AOAM531w2iuUjYsnXYnd6sOG/hBnBSRdGCgIBrf4MnWjWyVRg04P8jMa KZ+WElmtc2J5YjzvN+K8evSdomzTmk3IT0bLyCG8xQ== X-Google-Smtp-Source: ABdhPJyaDgBMYArEFttQ4a4DKrOmM/NSzmtoNV42g0zX16iYxsYp9oahyAdR8PM7xTrd9vbwlHgm5zCvHOc6H2Od1I0= X-Received: by 2002:a05:6512:2348:: with SMTP id p8mr18693719lfu.428.1637180282322; Wed, 17 Nov 2021 12:18:02 -0800 (PST) List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 References: <202111162226.1AGMQg00099240@gitrepo.freebsd.org> In-Reply-To: From: Marcin Wojtas Date: Wed, 17 Nov 2021 21:17:51 +0100 Message-ID: Subject: Re: git: b014e0f15bc7 - main - Enable ASLR by default for 64-bit executables To: Kubilay Kocak Cc: Marcin Wojtas , src-committers , dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4HvZ4C50Zdz4p47 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-ThisMailContainsUnwantedMimeParts: N Hi, =C5=9Br., 17 lis 2021 o 00:42 Kubilay Kocak napisa=C5= =82(a): > > On 17/11/2021 9:26 am, Marcin Wojtas wrote: > > The branch main has been updated by mw: > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=3Db014e0f15bc73d80ef49b64f= d1f8c29f469467cb > > > > commit b014e0f15bc73d80ef49b64fd1f8c29f469467cb > > Author: Marcin Wojtas > > AuthorDate: 2021-10-24 14:53:06 +0000 > > Commit: Marcin Wojtas > > CommitDate: 2021-11-16 22:16:09 +0000 > > > > Enable ASLR by default for 64-bit executables > > > > Address Space Layout Randomization (ASLR) is an exploit mitigation > > technique implemented in the majority of modern operating systems. > > It involves randomly positioning the base address of an executable > > and the position of libraries, heap, and stack, in a process's add= ress > > space. Although over the years ASLR proved to not guarantee full O= S > > security on its own, this mechanism can make exploitation more dif= ficult. > > > > Tests on the tier 1 64-bit architectures demonstrated that the ASL= R is > > stable and does not result in noticeable performance degradation, > > therefore it should be safe to enable this mechanism by default. > > Moreover its effectiveness is increased for PIE (Position Independ= ent > > Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE b= y > > default on 64-bit architectures"), building from src is not necess= ary > > to have PIE binaries. It is enough to control usage of ASLR in the > > OS solely by setting the appropriate sysctls. > > > > This patch toggles the kernel settings to use address map randomiz= ation > > for PIE & non-PIE 64-bit binaries. It also disables SBRK, in order > > to allow utilization of the bss grow region for mappings. The latt= er > > has no effect if ASLR is disabled, so apply it to all architecture= s. > > > > As for the drawbacks, a consequence of using the ASLR is more > > significant VM fragmentation, hence the issues may be encountered > > in the systems with a limited address space in high memory consump= tion > > cases, such as buildworld. As a result, although the tests on 32-b= it > > architectures with ASLR enabled were mostly on par with what was > > observed on 64-bit ones, the defaults for the former are not chang= ed > > at this time. Also, for the sake of safety keep the feature disabl= ed > > for 32-bit executables on 64-bit machines, too. > > > > The committed change affects the overall OS operation, so the > > following should be taken into consideration: > > * Address space fragmentation. > > * A changed ABI due to modified layout of address space. > > * More complicated debugging due to: > > * Non-reproducible address space layout between runs. > > * Some debuggers automatically disable ASLR for spawned processe= s, > > making target's environment different between debug and > > non-debug runs. > > > > In order to confirm/rule-out the dependency of any encountered iss= ue > > on ASLR it is strongly advised to re-run the test with the feature > > disabled - it can be done by setting the following sysctls > > in the /etc/sysctl.conf file: > > kern.elf64.aslr.enable=3D0 > > kern.elf64.aslr.pie_enable=3D0 > > > > Co-developed by: Dawid Gorecki > > Reviewed by: emaste, kib > > Obtained from: Semihalf > > Sponsored by: Stormshield > > MFC after: 1 month > > Differential revision: https://reviews.freebsd.org/D27666 > > --- > > sys/kern/imgact_elf.c | 20 +++++++++++++++++--- > > 1 file changed, 17 insertions(+), 3 deletions(-) > > > > diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c > > index 898f0f66a532..38ad61d8720b 100644 > > --- a/sys/kern/imgact_elf.c > > +++ b/sys/kern/imgact_elf.c > > @@ -161,19 +161,33 @@ SYSCTL_NODE(__CONCAT(_kern_elf, __ELF_WORD_SIZE),= OID_AUTO, aslr, > > ""); > > #define ASLR_NODE_OID __CONCAT(__CONCAT(_kern_elf, __ELF_WORD_S= IZE), _aslr) > > > > -static int __elfN(aslr_enabled) =3D 0; > > +/* > > + * While for 64-bit machines ASLR works properly, there are > > + * still some problems when using 32-bit architectures. For this > > + * reason ASLR is only enabled by default when running native > > + * 64-bit non-PIE executables. > > + */ > > +static int __elfN(aslr_enabled) =3D __ELF_WORD_SIZE =3D=3D 64; > > SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, enable, CTLFLAG_RWTUN, > > &__elfN(aslr_enabled), 0, > > __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) > > ": enable address map randomization"); > > > > -static int __elfN(pie_aslr_enabled) =3D 0; > > +/* > > + * Enable ASLR only for 64-bit PIE binaries by default. > > + */ > > +static int __elfN(pie_aslr_enabled) =3D __ELF_WORD_SIZE =3D=3D 64; > > SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, pie_enable, CTLFLAG_RWTUN, > > &__elfN(pie_aslr_enabled), 0, > > __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) > > ": enable address map randomization for PIE binaries"); > > The current description seems ambiguous with respect to the added > comment. If the sysctl (=3D1) applies ASLR "only" for PIE binaries, where > the =3D0 (sysctl disabled) case applies it unconditionally, a better > description might be: > > "Enable address map randomization only for PIE binaries" > > What is the actual/correct behaviour of the control? > The lower comment gets probably more context when read read together with the one preceding `aslr_enabled` variable. According to `man security`: kern.elf64.aslr.enable 64bit binaries ASLR control. kern.elf64.aslr.pie_enable 64bit PIE binaries ASLR control. So both are enabled by setting to 1 and responsible for the different kind of binaries. > Might aslr_enabled_pie_only also be a better OID name? Perhaps not worth > the churn, but long term it would be great if OID names reflected what > they are/do, rather than what they're not/don't do. > I agree that aslr_enable + pie_aslr_enable is somewhat confusing. And if it's confusing for the kernel developers, we cannot expect it's easier for the end users. > > -static int __elfN(aslr_honor_sbrk) =3D 1; > > +/* > > + * Sbrk is now deprecated and it can be assumed, that in most > > + * cases it will not be used anyway. This setting is valid only > > + * for the ASLR enabled and allows for utilizing the bss grow region. > > + */ > > +static int __elfN(aslr_honor_sbrk) =3D 0; > > SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, honor_sbrk, CTLFLAG_RW, > > &__elfN(aslr_honor_sbrk), 0, > > __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": assume sbrk is used"= ); > > > > Can we add (DEPRECATED) to the control description, and/or otherwise > mark the control as deprecated if the sysctl framework supports an > attribute marking them as such? > Do you mean the SBRK is deprecated or the tunable itself? Best regards, Marcin