Remove a slide and move a few things around

Shawn Webb 5 years ago
1 changed files with 25 additions and 21 deletions

eurobsdcon/2014/introducing_aslr_in_freebsd.slide

@@ -1,7 +1,7 @@
Implementing ASLR in FreeBSD
Introducing ASLR in FreeBSD
28 Sep 2014
Tags: FreeBSD, ASLR, Security, grsec, pax
Tags: FreeBSD, HardenedBSD, ASLR, Security, grsec, pax

Shawn "lattera" Webb
@@ -41,14 +41,12 @@ Disclaimer: opinions, ideas, thoughts, etc are mine, not my employer's
- ASLR - Address Space Layout Randomization: An exploit mitigation technique by which the memory mappings of a given process are placed in random locations.

What ASLR helps protect against:

- Buffer overflows
- ret2libc attacks
- Integer overflows
- Essentially, low-level security vulnerabilities

What ASLR doesn't help protect against:
- SQL injection
- System configuration oopsies
- Essentially, higher-level security vulnerabilities
*NOTE*: ASLR is *not* the end-all-be-all of security

* History of ASLR
- July 2001: One or more talented persons, known as the PaX team, created a patch to the Linux kernel implementing ASLR.
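
Review bot: In the "What ASLR helps protect against" list, "Buffer overflows" and "Integer overflows" name bug classes that ASLR does not prevent. Per the definition line at the top of this hunk, ASLR only places a process's memory mappings at random locations, so what it hinders is exploitation that depends on known addresses; "ret2libc attacks" is the item that says this accurately. Suggest retitling the list along the lines of "What ASLR makes harder to exploit" so the audience does not read it as bug prevention, which also fits the `*NOTE*` line that ASLR is not the end-all-be-all of security.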
@@ -86,6 +84,7 @@ Non-policy technologies:

* Learning From Others

- Hooray politics!
- If you rip off PaX and grsec, make your rip off less secure, claim it to be more secure, you're gonna have a bad time.
- Weak. Linux's ASLR has weaknesses.
@@ -96,19 +95,31 @@ Linux:

* Learning From Others

- Overall a pretty decent technical implementation
- BIIIIIG problem: individual EXEs and DLLs can have ASLR turned on or off
- Situation is better with EMET 5.0: Force enable ASLR

Learning from EMET:

- ASLR is not the end-all-be-all of exploit mitigation technologies
- Blind ROP (aka, BROP)
- Combination of multiple technologies
- ASLR is the place to start

* Introducing ASLR in FreeBSD

Available on all architectures
Available on all architectures:

- amd64 and x86 fully working
- ARM broken
- sparc64: status unknown


- Execution base randomzation for position-independent executables
- Basic address space layout randomization for non-PIEs
- Per-jail ASLR settings
- OMG awesomeness: ugidfw(8)/mac_bsdextended(4) integration for fine-grained, high-level control (this feature will not make it upstream initially)

* How ASLR is Implemented - High-Level Details
- Per-jail settings
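
Review bot: The "Available on all architectures" heading is contradicted by the list under it, which has "ARM broken" and "sparc64: status unknown"; a heading such as "Architecture status:" would match what the bullets actually say. Also in this hunk, "randomzation" in the "Execution base randomzation for position-independent executables" bullet is a typo for "randomization".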
@@ -126,27 +137,18 @@ Features:
- What about applications that don't support ASLR? (exhibit crashes, proprietary/can't compile, etc.)
- Knobs can be set per-jail. Set up a jail with ASLR turned off in just that jail. Jail the misbehaving application.

* How ASLR is Implemented - High-Level Details

ugidfw(8) integration:
- Create firewall-like rules for controlling ASLR behavior
- Very powerful
- My changes to ugidfw cause ABI breakage

Example usage:
ugidfw add subject uid shawn object filesys /usr/home/shawn/tmp/test mode rwxs paxflags a

* How ASLR is Implemented - Low-Level Details
When an application starts:

- Calculate different deltas for mmap, execbase, and stack randomizations
- Apply stack delta in exec_new_vmspace() kernel function
- Apply execbase delta to execbase for PIEs in the ELF image activator
- Apply mmap delta whenever the application calls mmap with the right flags

Position-Independent Executables:

- Guaranteed to be loaded at a non-NULL address
- WITH_PIE knob (defaulted to off), each application must also define CAN_PIE if said app can be compiled with -fPIE -pie (some apps can't be)
- Some apps in base have CAN_PIE defined. Need more. Major project: ports
- Base apps: soon-ish

* How to use ASLR on FreeBSD
- Compile kernel with PAX_ASLR option
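
Review bot: In the "When an application starts" list, "Apply mmap delta whenever the application calls mmap with the right flags" does not say which flags. The stack and execbase bullets name the exact place the delta is applied (exec_new_vmspace(), the ELF image activator), so naming the mmap flags or cases here would keep the slide consistent. The ugidfw example has the same gap: `paxflags a` is shown without saying what `a` selects.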
@@ -157,6 +159,8 @@ Position-Independent Executables:
- Compile applications with -fPIE -pie (note: how many ports entries do we have?)

* Future Work
- Randomize PS_STRINGS and the VDSO
- Randomize shared object loading order
- ARM help: applications segfault when their child processes exit (_only_ on ARM)
- Testing. Testing. And more testing!
- Porting of more grsec/PaX features
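
Review bot: The parenthetical "(note: how many ports entries do we have?)" on the "Compile applications with -fPIE -pie" bullet reads as a leftover author reminder rather than slide content; fill in the number or drop the note before presenting. In the Future Work list, the "ARM help" bullet would be more actionable if it said what is needed from helpers (hardware, a reproducer, debugging), since the visible text only describes the symptom.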