[CFT] ASLR, PIE, and segvguard on 11-current and 10-stable

Oliver Pinter oliver.pntr at gmail.com
Fri May 23 23:24:31 UTC 2014 

On 5/14/14, Shawn Webb <lattera at gmail.com> wrote:
> Hey All,
>
> [NOTE: crossposting between freebsd-current@, freebsd-security@, and
> freebsd-stable at . Please forgive me if crossposting is frowned upon.]
>
> Address Space Layout Randomization, or ASLR for short, is an exploit
> mitigation technology. It helps secure applications against low-level
> exploits. A popular secure implementation is known as PaX ASLR, which is
> a third-party patch for Linux. Our implementation is based off of PaX's.
>
> Oliver Pinter, Danilo Egea, and I have been working hard to bring more
> features and robust stability to our ASLR patches. We've done extensive
> testing on amd64. We'd like to get as many people testing these patches.
> Given the nature of them, we'd also like as many eyeballs reviewing the
> code as well.
>
> I have a Raspberry Pi and have noticed a few bugs. On ARM (at least, on
> the RPI), when a parent forks a child, and the child gracefully exits,
> the parent segfaults with the pc register pointing to 0xc0000000. That
> address is always the same, no matter the application. If anyone knows
> the ARM architecture well, and how FreeBSD ties into it, I'd like a
> little guidance.
>
> I also have a sparc64 box, but I'm having trouble getting a vanilla
> 11-current system to be stable on it. I ought to file a few PRs.
>
> You can find links to the patches below.
>
> Patch for 11-current:
> http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-current-aslr-segvguard-SNAPSHOT.diff
>
> Patch for 10-stable:
> http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff
>
> Thanks,
>
> Shawn Webb
>

New round of patches are there:

11-CURRENT: http://www.crysys.hu/~op/freebsd/patches/20140524011327-freebsd-current-aslr-segvguard-SNAPSHOT.diff

10-STABLE: http://www.crysys.hu/~op/freebsd/patches/20140524011327-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff



What's changed related to previous tag:
11-CURRENT:
Oliver Pinter (17):
      PAX ASLR: update license in kern_pax_aslr.c
      PAX: update license in kern_pax.c
      PAX SEGVGUARD: update license in kern_pax_segvguard.c
      PAX: update license in pax.h
      PAX ASLR: remove unneeded parameter from pax_aslr_stack function
      PAX LOG: implement new logging subsystem
      PAX LOG: fix pax_ulog_segvguard
      PAX LOG: added sysctl's and tunables
      PAX ASLR: use PAX LOG
      PAX LOG: fix pax_ulog_##name()
      PAX LOG: fix prison init
      PAX LOG: fixed log and ulog sysctl
      PAX ASLR: fixed debug sysctl
      PAX: blacklist clang and related binaries from PIE support
      PAX ASLR: make ASLR by default opt-out
      Merge remote-tracking branch 'freebsd/master' into hardened/current/aslr
      Merge branch 'hardened/current/aslr' of
github.com:HardenedBSD/hardenedBSD into hardened/current/aslr

Shawn Webb (10):
      Remove CAN_PIE in preparation for NO_PIE
      Merge remote-tracking branch 'upstream/master' into hardened/current/aslr
      PAX ASLR: Blacklist the applications that don't support being
built as a position-independent executable
      Merge remote-tracking branch 'upstream/master' into hardened/current/aslr
      Disable PAX_SEGVGUARD in LATT-ASLR kernel
      PAX ASLR: Lock the jail when initializing PAX per-jail PAX settings
      PAX ASLR: Fix bug with pax_aslr_active()
      PAX ASLR: Use a full kernel config for LATT-ASLR
      Revert "PAX: blacklist clang and related binaries from PIE support"
      Revert "Revert "PAX: blacklist clang and related binaries from
PIE support""


10-STABLE:
Oliver Pinter (20):
      PAX ASLR: update license in kern_pax_aslr.c
      PAX: update license in kern_pax.c
      PAX SEGVGUARD: update license in kern_pax_segvguard.c
      PAX: update license in pax.h
      PAX ASLR: remove unneeded parameter from pax_aslr_stack function
      PAX LOG: implement new logging subsystem
      PAX LOG: fix pax_ulog_segvguard
      PAX LOG: added sysctl's and tunables
      PAX ASLR: use PAX LOG
      PAX LOG: fix pax_ulog_##name()
      PAX LOG: fix prison init
      PAX LOG: fixed log and ulog sysctl
      PAX ASLR: fixed debug sysctl
      Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr
      Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr
      added OPN-ASLR kernel config
      PAX: Remove CAN_PIE in preparation for NO_PIE from /bin/sh
      PAX: blacklist clang and related binaries from PIE support
      PAX ASLR: make ASLR by default opt-out
      Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr

Shawn Webb (4):
      PAX: Remove CAN_PIE in preparation for NO_PIE
      PAX ASLR: Blacklist the applications that don't support being
built as a position-independent executable
      PAX ASLR: Lock the jail when initializing PAX per-jail PAX settings
      PAX ASLR: Fix bug with pax_aslr_active()

More information about the freebsd-stable mailing list