ASLR work into -HEAD ?

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

There’s rather a lot of them specifically spelled out in the code review.
Many of the earlier ones were kinda blown off, so I’ve not been inclined
to take the time to re-review it. Glancing at it, I see several minor issues
that should be cleaned up.

Cool. Thanks for taking the time to look at it again.

Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

-a

Oliver Pinter

2015-03-19 20:31:29 UTC

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

Please CC the ***@hardenedbsd.org in future please, when you are
talking about this issue.

Adrian: do you able to review the MIPS or ARM part especially or test them?

Post by Adrian Chadd
-a
_______________________________________________
http://lists.freebsd.org/mailman/listinfo/freebsd-arch

Adrian Chadd

2015-03-19 21:51:32 UTC

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

talking about this issue.
Adrian: do you able to review the MIPS or ARM part especially or test them?

I'm out of spare cycles to poke at the MIPS stuff, sorry.

All I can suggest in the short term is that you fire it up in a mips32
/ mips64 emulator environment. FreeBSD works fine in qemu-devel in all
four modes (32, 64 bit; big/little endian.) YOu should be able to get
high test coverage that way.

-adrian

Warner Losh

2015-03-20 15:28:59 UTC

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

Thereâs rather a lot of them specifically spelled out in the code review.
Many of the earlier ones were kinda blown off, so Iâve not been inclined
to take the time to re-review it. Glancing at it, I see several minor issues
that should be cleaned up.

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

talking about this issue.
Adrian: do you able to review the MIPS or ARM part especially or test them?

Adrian: Do not commit the changes.

Iâve gone back and re-read Robert Watsonâs rather long review and it appears
that virtually none of that has been addressed. Until it is, do not commit it. This
code interacts with dangerous parts of the system, and the default cannot be
to just let it in because no one has objected recently. Objections have been made,
they have been quantified, they havenât been answered or acted upon. Until that
changes, you can assume the objections remain in place and asking again without
fixing them isnât going to change the answer.

Warner

Shawn Webb

2015-03-20 18:17:44 UTC

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

talking about this issue.
Adrian: do you able to review the MIPS or ARM part especially or test them?

Adrian: Do not commit the changes.
Iâve gone back and re-read Robert Watsonâs rather long review and it appears
that virtually none of that has been addressed. Until it is, do not commit it. This
code interacts with dangerous parts of the system, and the default cannot be
to just let it in because no one has objected recently. Objections have been made,
they have been quantified, they havenât been answered or acted upon. Until that
changes, you can assume the objections remain in place and asking again without
fixing them isnât going to change the answer.
Warner

Warner,

We've fixed the vast majority of the concerns raised in that review. To
say "virtually none of that has been addressed" and "they haven't been
answered or acted upon" is a blatant lie. The fact that there are so
many revisions of the patch is proof. We even made our ASLR
implementation for FreeBSD less secure by providing a mechanism in
ptrace() to disable it as requested by a member of the FreeBSD
Foundation. (This "feature" doesn't exist in HardenedBSD's
implementation.) If comments like these continue, I will remove the diff
from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
pull from us, but we won't make any effort to proactively upstream our
work.

With that said, I have missed a few of the concerns raised. There's so
many comments/concerns in that review that it's easy to miss a few. I
will address them tonight and upload a new patch tomorrow.

Thanks,

Shawn Webb
HardenedBSD

Shawn Webb

2015-03-20 19:05:39 UTC

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

talking about this issue.
Adrian: do you able to review the MIPS or ARM part especially or test them?

Adrian: Do not commit the changes.
Iâve gone back and re-read Robert Watsonâs rather long review and it appears
that virtually none of that has been addressed. Until it is, do not commit it. This
code interacts with dangerous parts of the system, and the default cannot be
to just let it in because no one has objected recently. Objections have been made,
they have been quantified, they havenât been answered or acted upon. Until that
changes, you can assume the objections remain in place and asking again without
fixing them isnât going to change the answer.
Warner

Warner,
We've fixed the vast majority of the concerns raised in that review. To
say "virtually none of that has been addressed" and "they haven't been
answered or acted upon" is a blatant lie. The fact that there are so
many revisions of the patch is proof. We even made our ASLR
implementation for FreeBSD less secure by providing a mechanism in
ptrace() to disable it as requested by a member of the FreeBSD
Foundation. (This "feature" doesn't exist in HardenedBSD's
implementation.) If comments like these continue, I will remove the diff
from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
pull from us, but we won't make any effort to proactively upstream our
work.
With that said, I have missed a few of the concerns raised. There's so
many comments/concerns in that review that it's easy to miss a few. I
will address them tonight and upload a new patch tomorrow.

I've updated the patch. Is there anything I've missed?

Thanks,

Shawn Webb
HardenedBSD

Warner Losh

2015-03-20 21:14:30 UTC

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

talking about this issue.
Adrian: do you able to review the MIPS or ARM part especially or test them?

Adrian: Do not commit the changes.
Iâve gone back and re-read Robert Watsonâs rather long review and it appears
that virtually none of that has been addressed. Until it is, do not commit it. This
code interacts with dangerous parts of the system, and the default cannot be
to just let it in because no one has objected recently. Objections have been made,
they have been quantified, they havenât been answered or acted upon. Until that
changes, you can assume the objections remain in place and asking again without
fixing them isnât going to change the answer.
Warner

Warner,
We've fixed the vast majority of the concerns raised in that review. To
say "virtually none of that has been addressed" and "they haven't been
answered or acted upon" is a blatant lie. The fact that there are so
many revisions of the patch is proof. We even made our ASLR
implementation for FreeBSD less secure by providing a mechanism in
ptrace() to disable it as requested by a member of the FreeBSD
Foundation. (This "feature" doesn't exist in HardenedBSD's
implementation.) If comments like these continue, I will remove the diff
from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
pull from us, but we won't make any effort to proactively upstream our
work.
With that said, I have missed a few of the concerns raised. There's so
many comments/concerns in that review that it's easy to miss a few. I
will address them tonight and upload a new patch tomorrow.

I've updated the patch. Is there anything I've missed?

Iâve taken a look at the updated patch and see that it addressed the
issues I raised. It almost looks like the update to the review a month
ago was the wrong version, since so many more of the original
comments appear to be addressed than when I looked. Thanks!

Warner

Shawn Webb

2015-03-21 14:43:40 UTC

On Mar 19, 2015, at 2:31 PM, Oliver Pinter

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

Thereâs rather a lot of them specifically spelled out in the code
review.
Many of the earlier ones were kinda blown off, so Iâve not been inclined
to take the time to re-review it. Glancing at it, I see several minor
issues that should be cleaned up.

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

talking about this issue.
Adrian: do you able to review the MIPS or ARM part especially or test them?

Adrian: Do not commit the changes.
Iâve gone back and re-read Robert Watsonâs rather long review and it
appears that virtually none of that has been addressed. Until it is, do
not commit it. This code interacts with dangerous parts of the system,
and the default cannot be to just let it in because no one has objected
recently. Objections have been made, they have been quantified, they
havenât been answered or acted upon. Until that changes, you can assume
the objections remain in place and asking again without fixing them
isnât going to change the answer.
Warner

Warner,
We've fixed the vast majority of the concerns raised in that review. To
say "virtually none of that has been addressed" and "they haven't been
answered or acted upon" is a blatant lie. The fact that there are so
many revisions of the patch is proof. We even made our ASLR
implementation for FreeBSD less secure by providing a mechanism in
ptrace() to disable it as requested by a member of the FreeBSD
Foundation. (This "feature" doesn't exist in HardenedBSD's
implementation.) If comments like these continue, I will remove the diff
from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
pull from us, but we won't make any effort to proactively upstream our
work.
With that said, I have missed a few of the concerns raised. There's so
many comments/concerns in that review that it's easy to miss a few. I
will address them tonight and upload a new patch tomorrow.

I've updated the patch. Is there anything I've missed?

I've updated the patch again. Please let me know if there's anything I've
missed. Otherwise, I'd love to see this committed in HEAD. :-)

--
Shawn Webb
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

Shawn Webb

2015-05-20 15:20:00 UTC

On Mar 19, 2015, at 2:31 PM, Oliver Pinter

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree as-is?

Thereâs rather a lot of them specifically spelled out in the code
review.
Many of the earlier ones were kinda blown off, so Iâve not been
inclined
to take the time to re-review it. Glancing at it, I see several minor
issues that should be cleaned up.

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

talking about this issue.
Adrian: do you able to review the MIPS or ARM part especially or test them?

Adrian: Do not commit the changes.
Iâve gone back and re-read Robert Watsonâs rather long review and it
appears that virtually none of that has been addressed. Until it is, do
not commit it. This code interacts with dangerous parts of the system,
and the default cannot be to just let it in because no one has objected
recently. Objections have been made, they have been quantified, they
havenât been answered or acted upon. Until that changes, you can assume
the objections remain in place and asking again without fixing them
isnât going to change the answer.
Warner

Warner,
We've fixed the vast majority of the concerns raised in that review. To
say "virtually none of that has been addressed" and "they haven't been
answered or acted upon" is a blatant lie. The fact that there are so
many revisions of the patch is proof. We even made our ASLR
implementation for FreeBSD less secure by providing a mechanism in
ptrace() to disable it as requested by a member of the FreeBSD
Foundation. (This "feature" doesn't exist in HardenedBSD's
implementation.) If comments like these continue, I will remove the diff
from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
pull from us, but we won't make any effort to proactively upstream our
work.
With that said, I have missed a few of the concerns raised. There's so
many comments/concerns in that review that it's easy to miss a few. I
will address them tonight and upload a new patch tomorrow.

I've updated the patch. Is there anything I've missed?

I've updated the patch again. Please let me know if there's anything I've
missed. Otherwise, I'd love to see this committed in HEAD. :-)

Does anyone have any updates since I last updated the patch over a month
ago? What's needed to get this patch in?

Thanks,

Shawn

Adrian Chadd

2015-05-20 15:32:26 UTC

Robert's been busy on a conference presentation. That's happening this
week, so I'll poke him about it later in the week and see if he has
some more cycles to review things.

Thanks!

-a

On Mar 19, 2015, at 2:31 PM, Oliver Pinter

Post by Adrian Chadd
Hi,
https://reviews.freebsd.org/D473
Does anyone have any strong objections to it landing in the tree
as-is?

There’s rather a lot of them specifically spelled out in the code
review.
Many of the earlier ones were kinda blown off, so I’ve not been
inclined
to take the time to re-review it. Glancing at it, I see several minor
issues that should be cleaned up.

Cool. Thanks for taking the time to look at it again.
Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.

talking about this issue.
Adrian: do you able to review the MIPS or ARM part especially or test them?

Adrian: Do not commit the changes.
I’ve gone back and re-read Robert Watson’s rather long review and it
appears that virtually none of that has been addressed. Until it is, do
not commit it. This code interacts with dangerous parts of the system,
and the default cannot be to just let it in because no one has objected
recently. Objections have been made, they have been quantified, they
haven’t been answered or acted upon. Until that changes, you can assume
the objections remain in place and asking again without fixing them
isn’t going to change the answer.
Warner

Warner,
We've fixed the vast majority of the concerns raised in that review. To
say "virtually none of that has been addressed" and "they haven't been
answered or acted upon" is a blatant lie. The fact that there are so
many revisions of the patch is proof. We even made our ASLR
implementation for FreeBSD less secure by providing a mechanism in
ptrace() to disable it as requested by a member of the FreeBSD
Foundation. (This "feature" doesn't exist in HardenedBSD's
implementation.) If comments like these continue, I will remove the diff
from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
pull from us, but we won't make any effort to proactively upstream our
work.
With that said, I have missed a few of the concerns raised. There's so
many comments/concerns in that review that it's easy to miss a few. I
will address them tonight and upload a new patch tomorrow.

I've updated the patch. Is there anything I've missed?

I’ve taken a look at the updated patch and see that it addressed the
issues I raised. It almost looks like the update to the review a month
ago was the wrong version, since so many more of the original
comments appear to be addressed than when I looked. Thanks!
Warner

I've updated the patch again. Please let me know if there's anything I've
missed. Otherwise, I'd love to see this committed in HEAD. :-)

Does anyone have any updates since I last updated the patch over a month
ago? What's needed to get this patch in?
Thanks,
Shawn

Shawn Webb

2015-05-20 15:37:19 UTC

Post by Adrian Chadd
Robert's been busy on a conference presentation. That's happening this
week, so I'll poke him about it later in the week and see if he has
some more cycles to review things.
Thanks!
-a

Sounds good. Thanks for the quick update.

Thanks,

Shawn

Pedro Giffuni

2015-05-20 15:52:22 UTC

Hello Shawn;

What ever happened to the performance, does it still have a
noticeable effect even when disabled?

I have no technical opinion on the patch, but ...

TBH, the problem I see is that ASLR is so widespread that every
potential attacker already knows how to defeat it. Yes, it is meant
only as a mitigation technique but if it only buys you 5 min.
(at most) I don't see much advantage in obfuscating the VM.

Just IMHO ... I am not a player in that area and I don't maintain
the underlying code so I don't approve or reject anything.

Pedro.

Oliver Pinter

2015-05-20 16:31:56 UTC

Post by Pedro Giffuni
Hello Shawn;
What ever happened to the performance, does it still have a
noticeable effect even when disabled?

We should ask to run an exp-run again with/without/disabled ASLR.

Post by Pedro Giffuni
I have no technical opinion on the patch, but ...
TBH, the problem I see is that ASLR is so widespread that every
potential attacker already knows how to defeat it. Yes, it is meant
only as a mitigation technique but if it only buys you 5 min.
(at most) I don't see much advantage in obfuscating the VM.

Hi Pedro!

Explain the situation, when someone release an exploit against one
system without ASLR. The attacker hard code the address of the
specific code, and try it against the whole internet.
In this case all of the try will success. Then explain the other
situation, when the system has ASLR. In this case the exploit in the
majority fails, and the attacker must to try multiple times to attack
the system. This is very large cost on their side...

Sometimes this 5 minutes means that the attacker could break in or
not. Most of the average attackers does not have the knowledge, how to
bypass the ASLR. Yes, there exists automated ROP generator and other
tools, and articles about blink ROP effectiveness, but in the real
life the ASLR is a must have.

The ASLR would much more efficient, when segvguard or similar brute
force prevention solution existing in the system.

Post by Pedro Giffuni
Just IMHO ... I am not a player in that area and I don't maintain
the underlying code so I don't approve or reject anything.
Pedro.
_______________________________________________
http://lists.freebsd.org/mailman/listinfo/freebsd-arch

Pedro Giffuni

2015-05-20 17:24:57 UTC

Post by Pedro Giffuni
Hello Shawn;
What ever happened to the performance, does it still have a
noticeable effect even when disabled?

We should ask to run an exp-run again with/without/disabled ASLR.

So there's not much done in that sense :(.

My claim is that the majority of "professional" breachers and
governments already have ASLR workarounds pre-coded and ready
to launch. Finding an exploit is more difficult than beating
ASLR so they are not going to hint everyone that they have
an exploit until they can take all the linux/windows/MacOSX
at the same time.

The cost for the NSA and/or anonymous to step on
ASLR is zero.

Post by Oliver Pinter
Sometimes this 5 minutes means that the attacker could break in or
not. Most of the average attackers does not have the knowledge, how to
bypass the ASLR. Yes, there exists automated ROP generator and other
tools, and articles about blink ROP effectiveness, but in the real
life the ASLR is a must have.

I think (and see it's just my opinion), that it was a must have
5 years ago, but now any such measure is futile. Capsicum
everywhere would be better spent effort.

Post by Oliver Pinter
The ASLR would much more efficient, when segvguard or similar brute
force prevention solution existing in the system.

Define efficient .. performance with PIE and other measures is
certainly hit and very likely there is an energy cost as well, so
energetically you could consider it a waste of resources.

And, just to clarify, I am not in any way against your work:
I would personally like to have the option to use ASLR but
off by default. If I do turn it on sometime, I won't want any
one else to turn it off (even for debugging).

Pedro.

Bryan Drewery

2015-05-22 23:40:51 UTC

Post by Pedro Giffuni
My claim is that the majority of "professional" breachers and
governments already have ASLR workarounds pre-coded and ready
to launch. Finding an exploit is more difficult than beating
ASLR so they are not going to hint everyone that they have
an exploit until they can take all the linux/windows/MacOSX
at the same time.
The cost for the NSA and/or anonymous to step on
ASLR is zero.

This sort of argument easily turns into "why bother with security?".
Please be careful with it. Every layer and mitigation helps. The real
world is not just NSA or China. It's also full of script kiddies. Should
we just stop using SSL because NSA might have cracked it? Should we just
hand over root ssh keys to China because they probably have it all
hacked anyway? Should we just give up since billions of dollars pour
into security breaking research? Should I just post my CC here since
it's surely leaked from the hundreds of places I use it at anyway? No.

I've had very basic security checks, that could be easily circumvented,
stop actual script kiddies before. Had they persisted longer I would
have been in major trouble. If I explained what it is you would surely
laugh it off and tell me to not bother. Well it worked. ASLR has its
place too.

--
Regards,
Bryan Drewery

Poul-Henning Kamp

2015-05-23 06:26:30 UTC

--------

Post by Bryan Drewery
This sort of argument easily turns into "why bother with security?".

That would be an extremely uninformed reaction.

The correct reaction is: This is not something we can fix with
technology, it needs to be fixed at the political level.

For the USAnians that should be particularly evident, because
every bit of technology you roll out will be defeated with your
own tax-money.

Engage in politics, that's the only place these problems can be solved.

PS: And don't give me the "There's nobody to vote for", that just means
that you have to become a candidate yourself.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
***@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Pedro Giffuni

2015-05-23 14:41:27 UTC

Post by Poul-Henning Kamp
--------

Post by Bryan Drewery
This sort of argument easily turns into "why bother with security?".

That would be an extremely uninformed reaction.
The correct reaction is: This is not something we can fix with
technology, it needs to be fixed at the political level.

I agree, this is the correct reaction.

Furthermore, and on a more pragmatical note, I think we
can now come to understand that anything you do on the
Internet is unlikely to be private for long. If you have something
that you want to keep for yourself, think twice before you put it
in your computer or, even worse, on the cloud.

However brutal the NK regime may be they appear to have
understood how to keep their information secure.

Pedro.

Pedro Giffuni

2015-05-23 14:32:35 UTC

Post by Bryan Drewery

This sort of argument easily turns into "why bother with security?".

I don't think you can blame me of that since I proposed, and
am actually mentoring, a project to add yet another security
layer (which is hopefully zero-cost).

Post by Bryan Drewery
Please be careful with it. Every layer and mitigation helps. The real
world is not just NSA or China. It's also full of script kiddies. Should
we just stop using SSL because NSA might have cracked it? Should we just
hand over root ssh keys to China because they probably have it all
hacked anyway? Should we just give up since billions of dollars pour
into security breaking research? Should I just post my CC here since
it's surely leaked from the hundreds of places I use it at anyway? No.

I think there is a real danger that just because we add something
like ASLR, someone will think they are actually protected.
AFAICT there is not even one attack today that can be prevented
by ASLR.

Even then, it might be worth it, but I just don't find acceptable any
performance hit even when turned off.

Post by Bryan Drewery
I've had very basic security checks, that could be easily circumvented,
stop actual script kiddies before. Had they persisted longer I would
have been in major trouble. If I explained what it is you would surely
laugh it off and tell me to not bother. Well it worked. ASLR has its
place too.

The fact that SONY pictures was breached in, doesn't mean I am
turning off my firewall, but I won't be deploying anything based
on enigma, just because "it's better than nothing".

Pedro.

K. Macy

2015-05-24 20:43:21 UTC

Post by Bryan Drewery

Correct. But who are we really protecting against? If it's the NSA only air
gap will really do. In reality it's just a matter of making the cost of
circumventing protections exceed the value of the data or items being
protected. Locking one's doors and windows doesn't make one's house
impenetrable by any stretch, but it does deter opportunistic passerby.

Protecting against state overreach is a political matter and shouldn't
factor into whether to invest in deterring lesser malfeasors.

I'm sorry, but Bryan has it right. The political discussion is a side show.

-K

Post by Bryan Drewery
This sort of argument easily turns into "why bother with security?".
Please be careful with it. Every layer and mitigation helps. The real
world is not just NSA or China. It's also full of script kiddies. Should
we just stop using SSL because NSA might have cracked it? Should we just
hand over root ssh keys to China because they probably have it all
hacked anyway? Should we just give up since billions of dollars pour
into security breaking research? Should I just post my CC here since
it's surely leaked from the hundreds of places I use it at anyway? No.
I've had very basic security checks, that could be easily circumvented,
stop actual script kiddies before. Had they persisted longer I would
have been in major trouble. If I explained what it is you would surely
laugh it off and tell me to not bother. Well it worked. ASLR has its
place too.
--
Regards,
Bryan Drewery

Alfred Perlstein

2015-05-27 06:20:53 UTC

Correct. But who are we really protecting against? If it's the NSA only air
gap will really do. In reality it's just a matter of making the cost of
circumventing protections exceed the value of the data or items being
protected. Locking one's doors and windows doesn't make one's house
impenetrable by any stretch, but it does deter opportunistic passerby.
Protecting against state overreach is a political matter and shouldn't
factor into whether to invest in deterring lesser malfeasors.
I'm sorry, but Bryan has it right. The political discussion is a side show.

+1, also having a line item is good. Not having ASLR just makes FreeBSD
look derp.

DragonFly BSD has an implementation of ASLR based upon OpenBSD's model,
added in 2010.[
Microsoft's Windows Vista (released January 2007) and later have ASLR
enabled
In 2003, OpenBSD became the first mainstream operating system to support
partial ASLR
In Mac OS X Leopard 10.5 (released October 2007), Apple introduced
randomization for system libraries

Linux has enabled a weak form of ASLR by default since kernel version
2.6.12 (released June 2005).

So basically 1 more week and we can be 10 years behind Linux. :)

w00t.

-Alfred

Shawn Webb

2015-05-27 11:35:53 UTC

Correct. But who are we really protecting against? If it's the NSA only air
gap will really do. In reality it's just a matter of making the cost of
circumventing protections exceed the value of the data or items being
protected. Locking one's doors and windows doesn't make one's house
impenetrable by any stretch, but it does deter opportunistic passerby.
Protecting against state overreach is a political matter and shouldn't
factor into whether to invest in deterring lesser malfeasors.
I'm sorry, but Bryan has it right. The political discussion is a side show.

+1, also having a line item is good. Not having ASLR just makes FreeBSD

look derp.

Post by Alfred Perlstein
DragonFly BSD has an implementation of ASLR based upon OpenBSD's model,

added in 2010.[

Post by Alfred Perlstein
Microsoft's Windows Vista (released January 2007) and later have ASLR

enabled

Post by Alfred Perlstein
In 2003, OpenBSD became the first mainstream operating system to support

partial ASLR

Post by Alfred Perlstein
In Mac OS X Leopard 10.5 (released October 2007), Apple introduced

randomization for system libraries

Post by Alfred Perlstein
Linux has enabled a weak form of ASLR by default since kernel version

2.6.12 (released June 2005).

Post by Alfred Perlstein
So basically 1 more week and we can be 10 years behind Linux. :)
w00t.
-Alfred

FreeBSD is 14 years behind Linux if you count PaX's ASLR patch.

Thanks,

Shawn

Pedro Giffuni

2015-05-27 16:04:38 UTC

Correct. But who are we really protecting against? If it's the NSA only air
gap will really do. In reality it's just a matter of making the cost of
circumventing protections exceed the value of the data or items being
protected. Locking one's doors and windows doesn't make one's house
impenetrable by any stretch, but it does deter opportunistic passerby.
Protecting against state overreach is a political matter and shouldn't
factor into whether to invest in deterring lesser malfeasors.
I'm sorry, but Bryan has it right. The political discussion is a side show.

+1, also having a line item is good. Not having ASLR just makes
FreeBSD look derp.

And of course I am in the minority that thinks that just because
everybody else (or at least the OSs that matter) has done it
doesn't necessarily make it a great idea. This will be my last email
on the subject and I'll stop whining ... promise.

Post by Alfred Perlstein
DragonFly BSD has an implementation of ASLR based upon OpenBSD's
model, added in 2010.[
Microsoft's Windows Vista (released January 2007) and later have ASLR
enabled
In 2003, OpenBSD became the first mainstream operating system to
support partial ASLR
In Mac OS X Leopard 10.5 (released October 2007), Apple introduced
randomization for system libraries
Linux has enabled a weak form of ASLR by default since kernel version
2.6.12 (released June 2005).
So basically 1 more week and we can be 10 years behind Linux. :)

Happy birthday ASLR? ;) Somehow it hasn't been terribly useful in 10 years,
and we haven't really missed it, unless there's something I am unaware of
that the security advisories didn't mention.

If it comes to adopt things because we have to follow the herd,
that I guess I prefer the Dragonfly BSD approach:

- It is a very simple, to-the-point patch.
- It is off by default (NetBSD too?) but very
easy to setup with through a sysctl.
- Given both points above it is very easy
to revert once the marketing hype foo dies.

Again just my uneducated opinion, and I won't
spend time on the "quick" approach either.

regards,

Pedro.

Ian Lepore

2015-05-27 16:41:17 UTC

Post by Pedro Giffuni

Correct. But who are we really protecting against? If it's the NSA only air
gap will really do. In reality it's just a matter of making the cost of
circumventing protections exceed the value of the data or items being
protected. Locking one's doors and windows doesn't make one's house
impenetrable by any stretch, but it does deter opportunistic passerby.
Protecting against state overreach is a political matter and shouldn't
factor into whether to invest in deterring lesser malfeasors.
I'm sorry, but Bryan has it right. The political discussion is a side show.

+1, also having a line item is good. Not having ASLR just makes
FreeBSD look derp.

Happy birthday ASLR? ;) Somehow it hasn't been terribly useful in 10 years,
and we haven't really missed it, unless there's something I am unaware of
that the security advisories didn't mention.
If it comes to adopt things because we have to follow the herd,
- It is a very simple, to-the-point patch.
- It is off by default (NetBSD too?) but very
easy to setup with through a sysctl.
- Given both points above it is very easy
to revert once the marketing hype foo dies.
Again just my uneducated opinion, and I won't
spend time on the "quick" approach either.
regards,
Pedro.

You may be in a minority, but you're not alone. I just hope that when
this fad fades away we aren't left with a permenent performance hit that
we can't get rid of. The best way to ensure that is to make sure
there's a no-performance-hit way to disable this stuff on day one.

-- Ian

Adrian Chadd

2015-05-27 16:54:50 UTC

Post by Ian Lepore
You may be in a minority, but you're not alone. I just hope that when
this fad fades away we aren't left with a permenent performance hit that
we can't get rid of. The best way to ensure that is to make sure
there's a no-performance-hit way to disable this stuff on day one.

I believe that's the point of the implementation. It's disabled by
default. We can also remove it relatively easily too.

I may want this compiled into access points and other IoT devices to
harden against a class of attacks, but I also want to be able to
remove it for debugging. He makes it so you can enable/disable it
during runtime with a sysctl - it's quite nice.

-adrian

Shawn Webb

2015-05-27 16:25:44 UTC

Post by Pedro Giffuni

Correct. But who are we really protecting against? If it's the NSA only air
gap will really do. In reality it's just a matter of making the cost of
circumventing protections exceed the value of the data or items being
protected. Locking one's doors and windows doesn't make one's house
impenetrable by any stretch, but it does deter opportunistic passerby.
Protecting against state overreach is a political matter and shouldn't
factor into whether to invest in deterring lesser malfeasors.
I'm sorry, but Bryan has it right. The political discussion is a side show.

+1, also having a line item is good. Not having ASLR just makes
FreeBSD look derp.

Good. I'd rather focus on code rather than pointless politics.

Post by Pedro Giffuni

Our patch is more complex due to per-jail support and the various
weaknesses FreeBSD wanted us to add. HardenedBSD's implementation does
not contain those weaknesses.

Post by Pedro Giffuni
- It is off by default (NetBSD too?) but very
easy to setup with through a sysctl.

Our patch is disabled by default in the GENERIC kernel.

Post by Pedro Giffuni
- Given both points above it is very easy
to revert once the marketing hype foo dies.

I hope security-related patches that have proven stable and
well-performing never get reverted.

Post by Pedro Giffuni
Again just my uneducated opinion, and I won't
spend time on the "quick" approach either.
regards,
Pedro.
_______________________________________________
http://lists.freebsd.org/mailman/listinfo/freebsd-arch

Warner Losh

2015-05-27 23:37:06 UTC

Post by Shawn Webb
Good. I'd rather focus on code rather than pointless politics.

But thenâŠ

Post by Shawn Webb
Our patch is more complex due to per-jail support and the various
weaknesses FreeBSD wanted us to add. HardenedBSD's implementation does
not contain those weaknesses.

Youâll get more flies with honey than vinegar.

And FreeBSD didnât want you to do anything. Certain people wanted certain features
or changes. Perhaps you could be more specific, since this kind of carping is totally
unhelpful.

Warner

Shawn Webb

2015-05-28 00:00:02 UTC

wrote: Good. I'd rather focus on code rather than pointless politics.

But thenâŠ

Our patch is more complex due to per-jail support and the various
weaknesses FreeBSD wanted us to add. HardenedBSD's implementation does
not contain those weaknesses.

Youâll get more flies with honey than vinegar.
And FreeBSD didnât want you to do anything. Certain people wanted certain
features or changes. Perhaps you could be more specific, since this kind of
carping is totally unhelpful.

At the FreeBSD Developer Summit at EuroBSDCon 2014, Ed Maste said on behalf of
the FreeBSD Foundation that he (and by extension, the Foundation) would block
the ASLR patch from being merged into HEAD if we didn't provide a mechanism
for disabling ASLR as a non-root user on a per-binary basis.

I begrudgingly committed a first draft of the API on 26 Sep 2014 to our
upstreaming branch[1]. Further changes were made to clean up the
implementation a bit within a few days. This rather silly "feature" was
included in the next patch update to the review on Phabricator.

This, of course, is a vast weakness that can be easily abused. So we've made
sure not to have this in HardenedBSD. Want to debug an application with ASLR
turned off? Set the sysctl to turn it off. Or use secadm to disable ASLR for
that application. Usage of secadm requires root privileges and works on a per-
jail basis, just like our sysctls that control ASLR.

[1]:
https://github.com/HardenedBSD/hardenedBSD/commit/0e6726c5606c9055951bea44ff4a6fca8a79329c

--
Shawn Webb
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

Ed Maste

2015-05-28 00:31:12 UTC

Post by Shawn Webb
At the FreeBSD Developer Summit at EuroBSDCon 2014, Ed Maste said on behalf of
the FreeBSD Foundation that he (and by extension, the Foundation) would block
the ASLR patch from being merged into HEAD if we didn't provide a mechanism
for disabling ASLR as a non-root user on a per-binary basis.

I said no such thing.

I did have reservations about various aspects of the ASLR work and
also passed on concerns of others. I certainly did not say that I (or
the Foundation) would block the work unless certain conditions were
met. The Foundation doesn't have authority to block a change, anyway.

I did say that we'd need the ability to disable ASLR on a per-process
basis, with my specific interest being use by the debugger.

Shawn Webb

2015-05-28 01:19:15 UTC

Post by Ed Maste

Post by Shawn Webb
At the FreeBSD Developer Summit at EuroBSDCon 2014, Ed Maste said on
behalf of the FreeBSD Foundation that he (and by extension, the
Foundation) would block the ASLR patch from being merged into HEAD if we
didn't provide a mechanism for disabling ASLR as a non-root user on a
per-binary basis.

I said no such thing.
I did have reservations about various aspects of the ASLR work and
also passed on concerns of others. I certainly did not say that I (or
the Foundation) would block the work unless certain conditions were
met. The Foundation doesn't have authority to block a change, anyway.
I did say that we'd need the ability to disable ASLR on a per-process
basis, with my specific interest being use by the debugger.

After talking with Ed in private, I realized that I must have misunderstood
the situation. He was mainly curious about how to satisfy existing
functionality in gdb and lldb. He didn't mean to convey that he would block
the merge of the patch. I must have misunderstood. I still dislike the
feature, but it'll remain in the patch upstream.

I fear that I may be growing tired of non-technical discussions involving
politics. As I said to Adrian Chadd in IRC, over the last nearly two years,
I've kissed so many shoes to get this in, I've now grown weary and cynical.

Unless someone has actual technical input regarding the patch itself, I'm
going to refrain from commenting further. If you have technical input
regarding the patch, please comment on the diff at Phabricator.

Thanks,

--
Shawn Webb
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

Shawn Webb

2015-05-20 17:29:24 UTC