svn commit: r48598 - head/en_US.ISO8859-1/htdocs/news/status
Warren Block
wblock at FreeBSD.org
Tue Apr 12 22:56:07 UTC 2016
Author: wblock
Date: Tue Apr 12 22:56:05 2016
New Revision: 48598
URL: https://svnweb.freebsd.org/changeset/doc/48598
Log:
Add ASLR report from Konstantin Belousov <kostikbel at gmail.com>.
Modified:
head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml
Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml
==============================================================================
--- head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml Tue Apr 12 22:50:54 2016 (r48597)
+++ head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml Tue Apr 12 22:56:05 2016 (r48598)
@@ -1578,4 +1578,113 @@
</task>
</help>
</project>
+
+ <project cat='proj'>
+ <title>Address Space Layout Randomization</title>
+
+ <contact>
+ <person>
+ <name>
+ <given>Konstantin</given>
+ <common>Belousov</common>
+ </name>
+ <email>kib at FreeBSD.org</email>
+ </person>
+
+ <person>
+ <name>
+ <given>Ed</given>
+ <common>Maste</common>
+ </name>
+ <email>emaste at FreeBSD.org</email>
+ </person>
+ </contact>
+
+ <links>
+ <url href="https://kib.kiev.ua/kib/aslr">Patch home.</url>
+ </links>
+
+ <body>
+ <p>I wrote a small and straightforward yet feature-packed patch
+ to implement ASLR for &os; available for broader testing.</p>
+
+ <p>With this change, randomization is applied to all non-fixed
+ mappings. By randomization I mean the base address for the
+ mapping is selected with a guaranteed amount of entropy
+ (bits). If the mapping was requested to be superpage aligned,
+ the randomization honours the superpage attributes.</p>
+
+ <p>The randomization is done on a best-effort basis - that is,
+ the allocator falls back to a first fit strategy if
+ fragmentation prevents entropy injection. It is trivial to
+ implement a strong mode where failure to guarantee the
+ requested amount of entropy results in mapping request
+ failure, but I do not consider that to be usable.</p>
+
+ <p>I have not fine-tuned the amount of entropy injected right
+ now. It is only a quantitive change that will not change the
+ implementation. The current amount is controlled by
+ aslr_pages_rnd.</p>
+
+ <p>To not spoil coalescing optimizations, to reduce the page
+ table fragmentation inherent to ASLR, and to keep the
+ transient superpage promotion for the malloced memory, the
+ locality is implemented for anonymous private mappings, which
+ are automatically grouped until fragmentation kicks in. The
+ initial location for the anon group range is, of course,
+ randomized. After some additional tuning, the measures
+ appeared to be quite effective. In particular, very
+ address-space hungry build of PyPy 5.0 on i386 successfully
+ finished with the most aggressive functionality of the patch
+ activated.</p>
+
+ <p>The default mode keeps the sbrk area unpopulated by other
+ mappings, but this can be turned off, which gives much more
+ breathing bits on the small AS architectures (funny that
+ 32bits is considered small). This is tied with the question
+ of following an application's hint about the <tt>mmap(2)</tt>
+ base address. Testing shows that ignoring the hint does not
+ affect the function of common applications, but I would expect
+ more demanding code could break. By default sbrk is preserved
+ and mmap hints are satisfied, which can be changed by using
+ the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled
+ by default for wider testing).</p>
+
+ <p>Stack gap, W^X, shared page randomization, KASLR and other
+ techniques are explicitely out of scope of this work.</p>
+
+ <p>The paxtest results for the run with the previous version 5
+ of the patch applied and aggresively tuned can be seen at the
+ https://www.kib.kiev.ua/kib/aslr/paxtest.log . For
+ comparison, the run on Fedora 23 on the same machine is at
+ https://www.kib.kiev.ua/kib/aslr/fedora.log .</p>
+
+ <p>ASLR is enabled on per-ABI basis, and currently it is only
+ enabled on native i386 and amd64 (including compat 32bit) and
+ ARMv6 ABIs. I expect to test and enable ASLR for arm64 as
+ well, later.</p>
+
+ <p>The <tt>procctl(2)</tt> control for ASLR is implemented, but
+ I have not provided a userspace wrapper around the syscall.
+ In fact, the most reasonable control needed is per-image and
+ not per-process, but we have no tradition to put the
+ kernel-read attributes into the extattrs of binary, so I am
+ still pondering that part and this also explains the
+ non-written tool.</p>
+
+ <p>Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD
+ project for pursuing ASLR for &os;. Although this work is
+ not based on theirs, it was inspired by their efforts.</p>
+
+ <p>Thanks to Ed Maste, Robert Watson, John Baldwin, and Alan Cox
+ for some discussions about the patch, and for The FreeBSD
+ Foundation for directing me.</p>
+
+ <p>Bartek Rutkowski tested PyPy builds on i386, and David Naylor
+ helped with the port which was at point of turbulence and
+ upgrade during the work.</p>
+ </body>
+
+ <sponsor>The FreeBSD Foundation</sponsor>
+ </project>
</report>
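Review bot: the two result logs in the paxtest paragraph (the lines ending in "https://www.kib.kiev.ua/kib/aslr/paxtest.log ." and "https://www.kib.kiev.ua/kib/aslr/fedora.log .") are bare URLs inside a `<p>`, which this report format does not render as links; the file's own convention is the `<links>` block with `<url href="...">` entries, as the "Patch home." entry in this same hunk does. Suggest adding entries such as `<url href="https://www.kib.kiev.ua/kib/aslr/paxtest.log">paxtest results</url>` and `<url href="https://www.kib.kiev.ua/kib/aslr/fedora.log">Fedora 23 comparison</url>` under `<links>` and referring to them from the prose, and dropping the stray space before the period in both sentences. While touching the body, fix the spellings `quantitive` (quantitative), `explicitely` (explicitly), and `aggresively` (aggressively); write `32bits`/`32bit` as `32-bit`; and in the acknowledgements `for The FreeBSD Foundation for directing me` should read `to The FreeBSD Foundation for directing me`. The `+` line immediately after `</project>` is an empty added line, which is fine as a separator but should not carry trailing whitespace.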