Date: Tue, 12 Apr 2016 22:56:05 +0000 (UTC) From: Warren Block <wblock@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r48598 - head/en_US.ISO8859-1/htdocs/news/status Message-ID: <201604122256.u3CMu51Y079611@repo.freebsd.org>
Author: wblock Date: Tue Apr 12 22:56:05 2016 New Revision: 48598 URL: https://svnweb.freebsd.org/changeset/doc/48598 Log: Add ASLR report from Konstantin Belousov <kostikbel@gmail.com>. Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml Tue Apr 12 22:50:54 2016 (r48597) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2016-01-2016-03.xml Tue Apr 12 22:56:05 2016 (r48598) 
@@ -1578,4 +1578,113 @@ </task> </help> </project> + + <project cat='proj'> + <title>Address Space Layout Randomization</title> + + <contact> + <person> + <name> + <given>Konstantin</given> + <common>Belousov</common> + </name> + <email>kib@FreeBSD.org</email> + </person> + + <person> + <name> + <given>Ed</given> + <common>Maste</common> + </name> + <email>emaste@FreeBSD.org</email> + </person> + </contact> + + <links> + <url href="https://kib.kiev.ua/kib/aslr">Patch home.</url> + </links> + + <body> + <p>I wrote a small and straightforward yet feature-packed patch + to implement ASLR for &os; available for broader testing.</p> + + <p>With this change, randomization is applied to all non-fixed + mappings. By randomization I mean the base address for the + mapping is selected with a guaranteed amount of entropy + (bits). If the mapping was requested to be superpage aligned, + the randomization honours the superpage attributes.</p> + + <p>The randomization is done on a best-effort basis - that is, + the allocator falls back to a first fit strategy if + fragmentation prevents entropy injection. It is trivial to + implement a strong mode where failure to guarantee the + requested amount of entropy results in mapping request + failure, but I do not consider that to be usable.</p> + + <p>I have not fine-tuned the amount of entropy injected right + now. It is only a quantitive change that will not change the + implementation. The current amount is controlled by + aslr_pages_rnd.</p> + + <p>To not spoil coalescing optimizations, to reduce the page + table fragmentation inherent to ASLR, and to keep the + transient superpage promotion for the malloced memory, the + locality is implemented for anonymous private mappings, which + are automatically grouped until fragmentation kicks in. The + initial location for the anon group range is, of course, + randomized. After some additional tuning, the measures + appeared to be quite effective. 
In particular, very + address-space hungry build of PyPy 5.0 on i386 successfully + finished with the most aggressive functionality of the patch + activated.</p> + + <p>The default mode keeps the sbrk area unpopulated by other + mappings, but this can be turned off, which gives much more + breathing bits on the small AS architectures (funny that + 32bits is considered small). This is tied with the question + of following an application's hint about the <tt>mmap(2)</tt> + base address. Testing shows that ignoring the hint does not + affect the function of common applications, but I would expect + more demanding code could break. By default sbrk is preserved + and mmap hints are satisfied, which can be changed by using + the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled + by default for wider testing).</p> + + <p>Stack gap, W^X, shared page randomization, KASLR and other + techniques are explicitely out of scope of this work.</p> + + <p>The paxtest results for the run with the previous version 5 + of the patch applied and aggresively tuned can be seen at the + https://www.kib.kiev.ua/kib/aslr/paxtest.log . For + comparison, the run on Fedora 23 on the same machine is at + https://www.kib.kiev.ua/kib/aslr/fedora.log .</p> + + <p>ASLR is enabled on per-ABI basis, and currently it is only + enabled on native i386 and amd64 (including compat 32bit) and + ARMv6 ABIs. I expect to test and enable ASLR for arm64 as + well, later.</p> + + <p>The <tt>procctl(2)</tt> control for ASLR is implemented, but + I have not provided a userspace wrapper around the syscall. + In fact, the most reasonable control needed is per-image and + not per-process, but we have no tradition to put the + kernel-read attributes into the extattrs of binary, so I am + still pondering that part and this also explains the + non-written tool.</p> + + <p>Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD + project for pursuing ASLR for &os;. 
Although this work is + not based on theirs, it was inspired by their efforts.</p> + + <p>Thanks to Ed Maste, Robert Watson, John Baldwin, and Alan Cox + for some discussions about the patch, and for The FreeBSD + Foundation for directing me.</p> + + <p>Bartek Rutkowski tested PyPy builds on i386, and David Naylor + helped with the port which was at point of turbulence and + upgrade during the work.</p> + </body> + + <sponsor>The FreeBSD Foundation</sponsor> + </project> </report>