Add ASLR report from Konstantin Belousov <kostikbel@gmail.com>.
This commit is contained in:
parent
9e21248b2e
commit
0e149a0494
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=48598
1 changed files with 109 additions and 0 deletions
|
@ -1578,4 +1578,113 @@
|
||||||
</task>
|
</task>
|
||||||
</help>
|
</help>
|
||||||
</project>
|
</project>
|
||||||
|
|
||||||
|
<project cat='proj'>
|
||||||
|
<title>Address Space Layout Randomization</title>
|
||||||
|
|
||||||
|
<contact>
|
||||||
|
<person>
|
||||||
|
<name>
|
||||||
|
<given>Konstantin</given>
|
||||||
|
<common>Belousov</common>
|
||||||
|
</name>
|
||||||
|
<email>kib@FreeBSD.org</email>
|
||||||
|
</person>
|
||||||
|
|
||||||
|
<person>
|
||||||
|
<name>
|
||||||
|
<given>Ed</given>
|
||||||
|
<common>Maste</common>
|
||||||
|
</name>
|
||||||
|
<email>emaste@FreeBSD.org</email>
|
||||||
|
</person>
|
||||||
|
</contact>
|
||||||
|
|
||||||
|
<links>
|
||||||
|
<url href="https://kib.kiev.ua/kib/aslr">Patch home.</url>
|
||||||
|
</links>
|
||||||
|
|
||||||
|
<body>
|
||||||
|
<p>I wrote a small and straightforward yet feature-packed patch
|
||||||
|
to implement ASLR for &os; available for broader testing.</p>
|
||||||
|
|
||||||
|
<p>With this change, randomization is applied to all non-fixed
|
||||||
|
mappings. By randomization I mean the base address for the
|
||||||
|
mapping is selected with a guaranteed amount of entropy
|
||||||
|
(bits). If the mapping was requested to be superpage aligned,
|
||||||
|
the randomization honours the superpage attributes.</p>
|
||||||
|
|
||||||
|
<p>The randomization is done on a best-effort basis - that is,
|
||||||
|
the allocator falls back to a first fit strategy if
|
||||||
|
fragmentation prevents entropy injection. It is trivial to
|
||||||
|
implement a strong mode where failure to guarantee the
|
||||||
|
requested amount of entropy results in mapping request
|
||||||
|
failure, but I do not consider that to be usable.</p>
|
||||||
|
|
||||||
|
<p>I have not fine-tuned the amount of entropy injected right
|
||||||
|
now. It is only a quantitive change that will not change the
|
||||||
|
implementation. The current amount is controlled by
|
||||||
|
aslr_pages_rnd.</p>
|
||||||
|
|
||||||
|
<p>To not spoil coalescing optimizations, to reduce the page
|
||||||
|
table fragmentation inherent to ASLR, and to keep the
|
||||||
|
transient superpage promotion for the malloced memory, the
|
||||||
|
locality is implemented for anonymous private mappings, which
|
||||||
|
are automatically grouped until fragmentation kicks in. The
|
||||||
|
initial location for the anon group range is, of course,
|
||||||
|
randomized. After some additional tuning, the measures
|
||||||
|
appeared to be quite effective. In particular, very
|
||||||
|
address-space hungry build of PyPy 5.0 on i386 successfully
|
||||||
|
finished with the most aggressive functionality of the patch
|
||||||
|
activated.</p>
|
||||||
|
|
||||||
|
<p>The default mode keeps the sbrk area unpopulated by other
|
||||||
|
mappings, but this can be turned off, which gives much more
|
||||||
|
breathing bits on the small AS architectures (funny that
|
||||||
|
32bits is considered small). This is tied with the question
|
||||||
|
of following an application's hint about the <tt>mmap(2)</tt>
|
||||||
|
base address. Testing shows that ignoring the hint does not
|
||||||
|
affect the function of common applications, but I would expect
|
||||||
|
more demanding code could break. By default sbrk is preserved
|
||||||
|
and mmap hints are satisfied, which can be changed by using
|
||||||
|
the kern.elf{32,64}.aslr_care_sbrk sysctl (currently enabled
|
||||||
|
by default for wider testing).</p>
|
||||||
|
|
||||||
|
<p>Stack gap, W^X, shared page randomization, KASLR and other
|
||||||
|
techniques are explicitely out of scope of this work.</p>
|
||||||
|
|
||||||
|
<p>The paxtest results for the run with the previous version 5
|
||||||
|
of the patch applied and aggresively tuned can be seen at the
|
||||||
|
https://www.kib.kiev.ua/kib/aslr/paxtest.log . For
|
||||||
|
comparison, the run on Fedora 23 on the same machine is at
|
||||||
|
https://www.kib.kiev.ua/kib/aslr/fedora.log .</p>
|
||||||
|
|
||||||
|
<p>ASLR is enabled on per-ABI basis, and currently it is only
|
||||||
|
enabled on native i386 and amd64 (including compat 32bit) and
|
||||||
|
ARMv6 ABIs. I expect to test and enable ASLR for arm64 as
|
||||||
|
well, later.</p>
|
||||||
|
|
||||||
|
<p>The <tt>procctl(2)</tt> control for ASLR is implemented, but
|
||||||
|
I have not provided a userspace wrapper around the syscall.
|
||||||
|
In fact, the most reasonable control needed is per-image and
|
||||||
|
not per-process, but we have no tradition to put the
|
||||||
|
kernel-read attributes into the extattrs of binary, so I am
|
||||||
|
still pondering that part and this also explains the
|
||||||
|
non-written tool.</p>
|
||||||
|
|
||||||
|
<p>Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD
|
||||||
|
project for pursuing ASLR for &os;. Although this work is
|
||||||
|
not based on theirs, it was inspired by their efforts.</p>
|
||||||
|
|
||||||
|
<p>Thanks to Ed Maste, Robert Watson, John Baldwin, and Alan Cox
|
||||||
|
for some discussions about the patch, and for The FreeBSD
|
||||||
|
Foundation for directing me.</p>
|
||||||
|
|
||||||
|
<p>Bartek Rutkowski tested PyPy builds on i386, and David Naylor
|
||||||
|
helped with the port which was at point of turbulence and
|
||||||
|
upgrade during the work.</p>
|
||||||
|
</body>
|
||||||
|
|
||||||
|
<sponsor>The FreeBSD Foundation</sponsor>
|
||||||
|
</project>
|
||||||
</report>
|
</report>
|
||||||
|
|
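Review bot: three spellings in the added body text should be fixed before this status report entry is published: `quantitive` (entropy paragraph) should read `quantitative`, `explicitely` (out-of-scope paragraph) should read `explicitly`, and `aggresively` (paxtest paragraph) should read `aggressively`. Two consistency points in the same hunk: the control names `aslr_pages_rnd` and `kern.elf{32,64}.aslr_care_sbrk` are left as plain text while `mmap(2)` and `procctl(2)` are wrapped in `<tt>`, so mark them the same way; and the two paxtest result URLs appear as bare text with a stray `the` before the first one (`can be seen at the https://www.kib.kiev.ua/kib/aslr/paxtest.log .`), whereas the `<links>` section uses `<url href="...">` elements, so either drop `the` or link them with `<url>` as the rest of the report does. Lastly, `for The FreeBSD Foundation for directing me` reads better as `to The FreeBSD Foundation for directing me`.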