svn commit: r48598 - head/en_US.ISO8859-1/htdocs/news/status

Warren Block wblock at FreeBSD.org
Tue Apr 12 22:56:07 UTC 2016 

Author: wblock
Date: Tue Apr 12 22:56:05 2016
New Revision: 48598
URL: https://svnweb.freebsd.org/changeset/doc/48598

Log:
  Add ASLR report from Konstantin Belousov <kostikbel at gmail.com>.

Modified:
  head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml

Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml
==============================================================================
--- head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml	Tue Apr 12 22:50:54 2016	(r48597)
+++ head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml	Tue Apr 12 22:56:05 2016	(r48598)
@@ -1578,4 +1578,113 @@
       </task>
     </help>
   </project>
+
+  <project cat='proj'>
+    <title>Address Space Layout Randomization</title>
+
+    <contact>
+      <person>
+	<name>
+	  <given>Konstantin</given>
+	  <common>Belousov</common>
+	</name>
+	<email>kib at FreeBSD.org</email>
+      </person>
+
+      <person>
+	<name>
+	  <given>Ed</given>
+	  <common>Maste</common>
+	</name>
+	<email>emaste at FreeBSD.org</email>
+      </person>
+    </contact>
+
+    <links>
+      <url href="https://kib.kiev.ua/kib/aslr">Patch home.</url>
+    </links>
+
+    <body>
+      <p>I wrote a small and straightforward yet feature-packed patch
+	to implement ASLR for &os; available for broader testing.</p>
+
+      <p>With this change, randomization is applied to all non-fixed
+	mappings.  By randomization I mean the base address for the
+	mapping is selected with a guaranteed amount of entropy
+	(bits).  If the mapping was requested to be superpage aligned,
+	the randomization honours the superpage attributes.</p>
+
+      <p>The randomization is done on a best-effort basis - that is,
+	the allocator falls back to a first fit strategy if
+	fragmentation prevents entropy injection.  It is trivial to
+	implement a strong mode where failure to guarantee the
+	requested amount of entropy results in mapping request
+	failure, but I do not consider that to be usable.</p>
+
+      <p>I have not fine-tuned the amount of entropy injected right
+	now.  It is only a quantitive change that will not change the
+	implementation.  The current amount is controlled by
+	aslr_pages_rnd.</p>
+
+      <p>To not spoil coalescing optimizations, to reduce the page
+	table fragmentation inherent to ASLR, and to keep the
+	transient superpage promotion for the malloced memory, the
+	locality is implemented for anonymous private mappings, which
+	are automatically grouped until fragmentation kicks in.  The
+	initial location for the anon group range is, of course,
+	randomized.  After some additional tuning, the measures
+	appeared to be quite effective.  In particular, very
+	address-space hungry build of PyPy 5.0 on i386 successfully
+	finished with the most aggressive functionality of the patch
+	activated.</p>
+
+      <p>The default mode keeps the sbrk area unpopulated by other
+	mappings, but this can be turned off, which gives much more
+	breathing bits on the small AS architectures (funny that
+	32bits is considered small).  This is tied with the question
+	of following an application's hint about the <tt>mmap(2)</tt>
+	base address.  Testing shows that ignoring the hint does not
+	affect the function of common applications, but I would expect
+	more demanding code could break.  By default sbrk is preserved
+	and mmap hints are satisfied, which can be changed by using
+	the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled
+	by default for wider testing).</p>
+
+      <p>Stack gap, W^X, shared page randomization, KASLR and other
+	techniques are explicitely out of scope of this work.</p>
+
+      <p>The paxtest results for the run with the previous version 5
+	of the patch applied and aggresively tuned can be seen at the
+	https://www.kib.kiev.ua/kib/aslr/paxtest.log .  For
+	comparison, the run on Fedora 23 on the same machine is at
+	https://www.kib.kiev.ua/kib/aslr/fedora.log .</p>
+
+      <p>ASLR is enabled on per-ABI basis, and currently it is only
+	enabled on native i386 and amd64 (including compat 32bit) and
+	ARMv6 ABIs.  I expect to test and enable ASLR for arm64 as
+	well, later.</p>
+
+      <p>The <tt>procctl(2)</tt> control for ASLR is implemented, but
+	I have not provided a userspace wrapper around the syscall.
+	In fact, the most reasonable control needed is per-image and
+	not per-process, but we have no tradition to put the
+	kernel-read attributes into the extattrs of binary, so I am
+	still pondering that part and this also explains the
+	non-written tool.</p>
+
+      <p>Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD
+	project for pursuing ASLR for &os;.  Although this work is
+	not based on theirs, it was inspired by their efforts.</p>
+
+      <p>Thanks to Ed Maste, Robert Watson, John Baldwin, and Alan Cox
+	for some discussions about the patch, and for The FreeBSD
+	Foundation for directing me.</p>
+
+      <p>Bartek Rutkowski tested PyPy builds on i386, and David Naylor
+	helped with the port which was at point of turbulence and
+	upgrade during the work.</p>
+    </body>
+
+    <sponsor>The FreeBSD Foundation</sponsor>
+  </project>
 </report>

More information about the svn-doc-all mailing list