Add ASLR report from Konstantin Belousov <kostikbel@gmail.com>.
This commit is contained in:
parent
9e21248b2e
commit
0e149a0494
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=48598
1 changed files with 109 additions and 0 deletions
@ -1578,4 +1578,113 @@
</task>
</help>
</project>
<project cat='proj'>
<title>Address Space Layout Randomization</title>
<contact>
<person>
<name>
<given>Konstantin</given>
<common>Belousov</common>
</name>
<email>kib@FreeBSD.org</email>
</person>
<person>
<name>
<given>Ed</given>
<common>Maste</common>
</name>
<email>emaste@FreeBSD.org</email>
</person>
</contact>
<links>
<url href="https://kib.kiev.ua/kib/aslr">Patch home.</url>
</links>
<body>
<p>I wrote a small and straightforward yet feature-packed patch
to implement ASLR for &os; available for broader testing.</p>
<p>With this change, randomization is applied to all non-fixed
mappings. By randomization I mean the base address for the
mapping is selected with a guaranteed amount of entropy
(bits). If the mapping was requested to be superpage aligned,
the randomization honours the superpage attributes.</p>
<p>The randomization is done on a best-effort basis - that is,
the allocator falls back to a first fit strategy if
fragmentation prevents entropy injection. It is trivial to
implement a strong mode where failure to guarantee the
requested amount of entropy results in mapping request
failure, but I do not consider that to be usable.</p>
<p>I have not fine-tuned the amount of entropy injected right
now. It is only a quantitive change that will not change the
implementation. The current amount is controlled by
aslr_pages_rnd.</p>
<p>To not spoil coalescing optimizations, to reduce the page
table fragmentation inherent to ASLR, and to keep the
transient superpage promotion for the malloced memory, the
locality is implemented for anonymous private mappings, which
are automatically grouped until fragmentation kicks in. The
initial location for the anon group range is, of course,
randomized. After some additional tuning, the measures
appeared to be quite effective. In particular, very
address-space hungry build of PyPy 5.0 on i386 successfully
finished with the most aggressive functionality of the patch
activated.</p>
<p>The default mode keeps the sbrk area unpopulated by other
mappings, but this can be turned off, which gives much more
breathing bits on the small AS architectures (funny that
32bits is considered small). This is tied with the question
of following an application's hint about the <tt>mmap(2)</tt>
base address. Testing shows that ignoring the hint does not
affect the function of common applications, but I would expect
more demanding code could break. By default sbrk is preserved
and mmap hints are satisfied, which can be changed by using
the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled
by default for wider testing).</p>
<p>Stack gap, W^X, shared page randomization, KASLR and other
techniques are explicitely out of scope of this work.</p>
<p>The paxtest results for the run with the previous version 5
of the patch applied and aggresively tuned can be seen at the
https://www.kib.kiev.ua/kib/aslr/paxtest.log . For
comparison, the run on Fedora 23 on the same machine is at
https://www.kib.kiev.ua/kib/aslr/fedora.log .</p>
<p>ASLR is enabled on per-ABI basis, and currently it is only
enabled on native i386 and amd64 (including compat 32bit) and
ARMv6 ABIs. I expect to test and enable ASLR for arm64 as
well, later.</p>
<p>The <tt>procctl(2)</tt> control for ASLR is implemented, but
I have not provided a userspace wrapper around the syscall.
In fact, the most reasonable control needed is per-image and
not per-process, but we have no tradition to put the
kernel-read attributes into the extattrs of binary, so I am
still pondering that part and this also explains the
non-written tool.</p>
<p>Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD
project for pursuing ASLR for &os;. Although this work is
not based on theirs, it was inspired by their efforts.</p>
<p>Thanks to Ed Maste, Robert Watson, John Baldwin, and Alan Cox
for some discussions about the patch, and for The FreeBSD
Foundation for directing me.</p>
<p>Bartek Rutkowski tested PyPy builds on i386, and David Naylor
helped with the port which was at point of turbulence and
upgrade during the work.</p>
</body>
<sponsor>The FreeBSD Foundation</sponsor>
</project>
</report>
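Review bot: the paragraph beginning "The paxtest results" inlines two bare URLs (https://www.kib.kiev.ua/kib/aslr/paxtest.log and https://www.kib.kiev.ua/kib/aslr/fedora.log) even though this entry already has a <links> block; move them there as <url href="...">paxtest results</url> / <url href="...">Fedora 23 comparison</url> entries so they render as links like the existing "Patch home." one. Markup is inconsistent in the same way: mmap(2) and procctl(2) are wrapped in <tt>, but the tunables aslr_pages_rnd and kern.elf{32,64}.aslr_care_sbrk are plain text. The sbrk paragraph is also ambiguous for anyone testing the patch: it states that sbrk preservation and honouring mmap hints are the default and then that the sysctl is "currently enabled by default", without saying which value of aslr_care_sbrk selects which behaviour, so one sentence giving the default value and what the other setting does would help; likewise, since the text describes the best-effort fall-back to first fit when fragmentation prevents entropy injection, readers evaluating the patch would benefit from a note on how to tell whether a mapping actually received the requested entropy. Spelling: "quantitive" -> "quantitative", "aggresively" -> "aggressively", "explicitely" -> "explicitly", "very address-space hungry build" -> "the very address-space-hungry build", "for The FreeBSD Foundation for directing me" -> "to The FreeBSD Foundation for directing me", "at point of turbulence" -> "at a point of turbulence".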