PIE/PIC support on base
David Carlier
david.carlier at hardenedbsd.org
Wed Oct 15 07:46:22 UTC 2014
In the first place, we might consider the usual attack targets:
/bin/(c)sh
/sbin/sendmail
/bin/ntp
/sbin/dhclient
/secure/usr.sbin/sshd .... sendmail, ntp, sshd etc ... are quite sensitive
and popular services, hence applying PIE (+ ASLR) will prevent attacks by
this bias.
/sbin/casperd (hence lib/libcapsicum|libcasper with pic ...) ... as FreeBSD
is getting more popularity, such specific FreeBSD security components
might become an appealing attack target.
I may have other suggestions in mind (like /sbin/(jail|jexec ... etc) but
these are the first stepping stones.
Kind regards.
On Wed, Oct 15, 2014 at 7:10 AM, Baptiste Daroussin <bapt at freebsd.org>
wrote:
> On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
> > Hi all,
> >
> > HardenedBSD plans to add PIE support on base in various places.
> >
> > These are B. Drewery's suggestions:
> >
> > The _pic ones are not needed. The main lib file just needs
> > INSTALL_PIC_ARCHIVE=yes.
> >
> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> > something to pull in common logic from share/mk.
> >
> > Also I know that, at least for a start, it wished to be applied in some few
> > places, like tcpdump/traceroute, sendmail ... shells ... I thought about
> > also casper/capsicum ... ntp ... jail
> >
> What would probably be interesting is to list binary by binary on which one you
> do want to add the USE_PIE, and with rationale explaining why.
>
> On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE. I
> think cherry-picking what should be PIE is the right
>
> regards,
> Bapt
>