Introducing ASLR for FreeBSD
Shawn Webb
Oliver Pinter
10 July 2014
http://www.hardenedbsd.org/
[ 1. Introduction ]
Security in FreeBSD is based primarily in policy-based technologies. Existing tools such as jails, Capsicum, vnet/vimage, and the MAC framework, can make FreeBSD-based systems quite resilient against attacks. FreeBSD lacks basic low-level exploit mitigation, such as Address Space Layout Randomization (ASLR)[1]. ASLR randomizes the address space layout of an application, making exploitation difficult for an attacker. This paper and the associated implementation aim to provide a secure, robust, extensible, and easily-managed form of ASLR fit for production use within FreeBSD.
[ 2. History ]
On 14 May 2013, Oliver Pinter published to GitHub an initial patch[2]. His work was inspired by Elad Efrat's work in NetBSD. The patch was submitted to FreeBSD as a bug report on 24 Aug 2013[3]. Independently of Oliver's work, on 30 Jun 2014, Shawn Webb posted on his tech blog that he was interested in implementing ASLR for FreeBSD[4]. Oliver found the post and suggested that he and Shawn work together. On 08 Jun 2014, preparatory work was committed to FreeBSD, adding Position-Independent Executable (PIE) support in base[5]. On 07 Apr 2014, SoldierX[6] agreed to sponsor the project and donated a sparc64 box and a beaglebone black to Shawn Webb. This hardware is used for testing and debugging
ASLR on those platforms.
[ 3. General Overview ]
ASLR is enabled by default for all architectures and controlled by the PAX_ASLR kernel option. This means ASLR will be applied to all supported applications. If a user wishes to disable ASLR for a given application, the user must force that application to opt-out (detailed later).
Another kernel option, PAX_SYSCTLS, exposes additional tunables (via sysctl), allowing ASLR behavior control without requiring a reboot. By default, the sysctl security.pax.aslr.status can only be changed at boot time via /boot/loader.conf. Enabling the PAX_SYSCTLS kernel option allows a root user to modify security.pax.aslr.status. See Appendix B for a list of the tunables.
ASLR tunables are per-jail and each jail inherits its parent jail's settings. Having per-jail tunables allows more flexibility in shared-hosting environments. This structure also allows a user to selectively disable ASLR for applications that misbehave. ASLR-disabled applications will still have policy-based security applied to it by virtue of being jailed.
The mac_bsdextended(4) MAC module and its corresponding ugidfw(8) application have been modified to allow a user to enable or disable ASLR for specific applications. The filesys object specification has been modified to pass the inode along with the filesystem id when the new paxflags option is specified. The paxflags option is optionally placed at the end of the rule. An upper-case "A" argument to the option signifies ASLR is enabled for the application and a lower-case "a" signifies ASLR is disabled for the application. Sample ugidfw(8) rules are in Appendix C.
[ 4. Implementation Details ]
A new sysinit subroutine ID, SI_SUB_PAX, initializes all ASLR system variables. Upon system boot, tunables from /boot/loader.conf are checked for validity. Any invalid values, generate a warning message to the console and the tunable is
set to a sensible default.
For the sake of performance, the ASLR system relies on per-process deltas rather than calling arc4random(3) for each mapping. When a process calls execve(2), the ASLR system is initialized. Deltas are randomly generated for the execution base, mmap(2), and stack addresses. Only the execution base of applications compiled as PIEs are randomized. The execution base of non-PIE applications are not modified. The mappings of shared objects are randomized for both PIE and non-PIE applications.
The deltas are used as a hint to the Virtual Memory (VM) system. The VM system may modify the hint to make a better fit for super pages and other alignment constraints.
The delta applied to the PIE exec base is different than the delta applied to the base address of shared objects. In the Executable and Linkable File (ELF) image handler, the execution base of PIE applications is randomized by adding the delta controlled by security.pax.aslr.exec_len tunable to et_dyn_addr, which is initialized to be ET_DYN_LOAD_ADDR (an architecture-dependent macro). The base address of shared objects loaded by the runtime linker are randomized by applying the delta controlled by the security.pax.aslr.mmap_len tunable in sys_mmap().
Stack randomization is implemented using a stack gap[7]. On executable image activation, the stack delta is computed and then subtracted from the top of the stack.
[ 5. Further Enhancements ]
The existing gap-based stack randomization is not optimal. Mapping-base stack randomization is more robust, but hard-coded kernel structures and addresses, especially PS_STRINGS, will need to be modified. The required changes to PS_STRINGS are major and will likely touch userland along with the kernel. The original PaX implementation, from which the FreeBSD implementation is inspired, uses a special ELF process header which requires modification of executable files. The authors of the FreeBSD implementation have deliberately chosen to go a different route based on mac_bsdextended(4)/ugidfw(8). Support for filesystem extended attributes will be added at a later time.
FreeBSD's virtual Dynamic Shared Object (vDSO) implementation, an efficient technique for calling kernel code from userland, uses hardcoded, non-randomized addresses. The vDSO implementation should be reworked to be at a randomized address, providing the address as an auxiliary vector passed to the image via the stack.
[ 6. Known Issues ]
ASLR does not function properly on 32bit ARM. When a process fork(2)s and calls execve(2) and the child process exits, the parent process crashes upon receiving the SIGCHLD signal. No matter which application crashed, the pc
register ends up being 0xc0000000. The ktrace(1) facility proved that the application crashed upon receiving the SIGCHLD signal.
[ Appendix A - References ]
[1]: http://pax.grsecurity.net/docs/aslr.txt
[2]: https://github.com/opntr/freebsd-patches-2013-tavasz/blob/master/r249952...
[3]: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=181497
[4]: http://0xfeedface.org/blog/lattera/2013-06-29/long-term-plans
[5]: http://svnweb.freebsd.org/base?view=revision&revision=267233
[6]: https://www.soldierx.com/
[7]: http://www.openbsd.org/papers/auug04/mgp00005.html
[ Appendix B - ASLR Tunables ]
NOTE: All tunables can only be changed during boot-time via /boot/loader.conf
unless the kernel has been compiled with PAX_SYSCTLS.
security.pax.aslr.status (integer):
Description:
Toggle system-wide ASLR protection.
Values:
0 - ASLR disabled system-wide. Individual applications may NOT opt in.
1 - ASLR disabled by default. Individual applications may opt in.
2 - ASLR enabled by default. Individual applications may opt out.
3 - ASLR enabled system-wide. Individual applications may NOT opt out.
Default: 2
security.pax.aslr.debug (integer):
Description:
Toggle debugging output.
Values:
0 - Debug output disabled.
1 - Basic debug output enabled.
2 - Verbose debug output enabled.
Default: 0
security.pax.aslr.mmap_len (integer):
Description:
Set the number of bits to be randomized for mmap(2) calls.
Values:
For 32bit systems, minimum of 8, maximum of 16.
For 64bit systems, minimum of 16, maximum of 32.
Default:
For 32bit systems, 8.
For 64bit systems, 21.
security.pax.aslr.stack_len (integer):
Description:
Set the number of bits to be randomized for the stack.
Values:
For 32bit systems, minimum of 6, maximum of 12.
For 64bit systems, minimum of 12, maximum of 21.
Default:
For 32bit systems, 6.
For 64bit systems, 16.
security.pax.aslr.exec_len (integer):
Description:
Set the number of bits to be randomized for the PIE exec base.
Values:
For 32bit systems, minimum of 6, maximum of 12.
For 64bit systems, minimum of 12, maximum of 21.
Default:
For 32bit systems, 6.
For 64bit systems, 21.
[ Appendix C - Sample ugidfw(8) rules ]
When security.pax.aslr.status is set to 2 (require applications to opt-out):
ugidfw add subject uid shawn object filesys /bin/ls mode rx paxflags a
- This adds a rule to disable ASLR for /bin/ls for the user shawn.
ugidfw add subject uid 0:65535 object filesys /bin/ls mode rx paxflags a
- This adds a rule to disable ASLR for /bin/ls for all users.
When security.pax.aslr.status is set to 1 (require applications to opt-in):
ugidfw add subject uid shawn object filesys /bin/ls mode rx paxflags A
- This adds a rule to enable ASLR for /bin/ls for the user shawn.
ugidfw add subject uid 0:65535 object filesys /bin/ls mode rx paxflags A
- This adds a rule to enable ASLR for /bin/ls for all users.
[ Appendix D - Files Modified/Created in 11-CURRENT ]
lib/libugidfw/ugidfw.c
lib/libugidfw/ugidfw.h
release/Makefile
sys/amd64/amd64/elf_machdep.c
sys/amd64/include/vmparam.h
sys/amd64/linux32/linux32_sysvec.c
sys/arm/arm/elf_machdep.c
sys/compat/freebsd32/freebsd32_misc.c
sys/compat/ia32/ia32_sysvec.c
sys/conf/NOTES
sys/conf/files
sys/conf/options
sys/i386/i386/elf_machdep.c
sys/i386/ibcs2/ibcs2_sysvec.c
sys/i386/linux/linux_sysvec.c
sys/kern/imgact_aout.c
sys/kern/imgact_elf.c
sys/kern/init_main.c
sys/kern/kern_exec.c
sys/kern/kern_fork.c
sys/kern/kern_jail.c
sys/kern/kern_pax.c
sys/kern/kern_pax_aslr.c
sys/kern/kern_pax_log.c
sys/kern/kern_sig.c
sys/mips/mips/elf_machdep.c
sys/mips/mips/freebsd32_machdep.c
sys/powerpc/powerpc/elf32_machdep.c
sys/powerpc/powerpc/elf64_machdep.c
sys/security/mac_bsdextended/mac_bsdextended.c
sys/security/mac_bsdextended/mac_bsdextended.h
sys/security/mac_bsdextended/ugidfw_internal.h
sys/security/mac_bsdextended/ugidfw_system.c
sys/security/mac_bsdextended/ugidfw_vnode.c
sys/sparc64/sparc64/elf_machdep.c
sys/sys/imgact.h
sys/sys/jail.h
sys/sys/kernel.h
sys/sys/pax.h
sys/sys/proc.h
sys/sys/sysent.h
sys/vm/vm_map.c
sys/vm/vm_map.h
sys/vm/vm_mmap.c
usr.sbin/ugidfw/ugidfw.c
SRC=https://soldierx.com/news/Whitepaper-Introducing-ASLR-FreeBSD
Introducing ASLR for FreeBSD的更多相关文章
- FREEBSD手工配置网络
在FreeBSD系统中,网络能力十分重要,对于一个标准的FreeBSD系统,至少要有一个网络界面以便与其他计算机通信.最常见的网络界面为以太网卡.此外FreeBSD也支持Token Ring和FDDI ...
- 让 FreeBSD 和 Gentoo Linux 在 ZFS 存储卷上共存
自我回归到 Librem 15 已经有段时间了.我一般会选择 FreeBSD 来处理所有的事情,但有时会要访问一个运行在 Librem 平台上的 Linux OS,以便用它来帮助我对一些遗留的设备驱动 ...
- freebsd启动报错:My unqualified host name unkown...Sleeping for retry.
原文 http://blog.163.com/sujoe_2006/blog/static/335315120111158576591/ 病状:启动报"My unqualified host ...
- 【转载】查看freebsd 服务器硬件信息
http://3918479.blog.51cto.com/3908479/857900 查看服务器的cpu配置 Fb-bj138# dmesg | grep CPU CPU: Intel(R) Co ...
- 更新与升级 FreeBSD
https://www.freebsd.org/doc/zh_CN/books/handbook/updating-upgrading-freebsdupdate.html 安全补丁存储在远程的机器上 ...
- freebsd 系统时间
http://blog.csdn.net/wowoto/article/details/5557810 https://www.douban.com/note/150233427/ date #查看当 ...
- FreeBSD network connect
在安装FreeBSD的过程中,网络设置部分我将其设置为DHCP,在此期间,下载了en_us_freebsd_hanbook.txzen_us_freebsd_hanbook.txz,zh_cn_fre ...
- Slackware Linux or FreeBSD 配置中文环境。
配置中文环境. Slackware Linux 如果在控制面板的语言与地区选项中没有找到中文,那说明在安装系统选择软件的时候没有将国际语言支持包选上,可以从slackware的安装盘或ISO文件中提取 ...
- 最近几天玩freebsd奋斗成果总结
玩freebsd发现真的很累人..相信如下问题第一次玩freebsd都遇到过: 安装系统默认只有文本模式,需要手工安装gnome,kde等desktop environment. Freebsd安装. ...
随机推荐
- sass06 mixin
scss @mixin cont{ //mixin是关键字 color:red; } body{ @include cont; //使用默认值 } @mixin cont($color: red ){ ...
- poj--3620--Avoid The Lakes(dfs)
Avoid The Lakes Time Limit: 1000MS Memory Limit: 65536KB 64bit IO Format: %I64d & %I64u Subm ...
- Dictionaries and lists
Lists can appear as values in a dictionary. For example, if you were given a dictionary that maps fr ...
- BZOJ 1711 网络流
思路: 神建图 源->饮料 边权为1 牛拆点 两个点之间的边权为1 饮料->左牛 边权为1 右牛->食品 边权为1 食品->汇边权为1 //By SiriusRen #incl ...
- Android——PullToRefresh自动刷新
需求:强制刷新 方法一: PullToRefreshListView本身提供了一个setRefreshing()接口,调用该接口会自动触发下拉刷新的操作(前提是支持下拉刷新).按照一般的操作我们直接在 ...
- 认识javascript的引擎之--1
前言: 一:每一款浏览器里面都能执行js脚本,那是因为制造商在浏览器里面加入了js引擎.也就是说js引擎在浏览器里面占有一席之地. 1.开始的时候js处于沉睡状态,直到运行页面遇到 <scrip ...
- Python常用目录操作(Python2)
Python获取当前路径 Python查看指定路径下的文件和文件夹 Python修改当前工作目录(在读取文件等时需要) Python添加import路径(有时候为了import自己写的py文件,且 ...
- Spring学习总结(12)——Druid连接池及监控在spring配置
Druid连接池及监控在spring配置如下: <bean id="dataSource" class="com.alibaba.druid.pool.DruidD ...
- IPMI远程管理一点记录
http://www.07net01.com/storage_networking/IPMIyuanchengguanliyidianjilu_53093_1357975254.html
- BZOJ——T 1612: [Usaco2008 Jan]Cow Contest奶牛的比赛
http://www.lydsy.com/JudgeOnline/problem.php?id=1612 Time Limit: 5 Sec Memory Limit: 64 MBSubmit: 1 ...