HARDENED & ASLR & SEGVGUARD & Grsecurity for FreeBSD 10 & 11

First of all: the latest versions are available below!

This is what I've been waiting for a long time!

Hey All,

[NOTE: crossposting between freebsd-current@, freebsd-security@, and
freebsd-stable@. Please forgive me if crossposting is frowned upon.]

Address Space Layout Randomization, or ASLR for short, is an exploit
mitigation technology. It helps secure applications against low-level
exploits. A popular secure implementation is known as PaX ASLR, which is
a third-party patch for Linux. Our implementation is based off of PaX's.

Oliver Pinter, Danilo Egea, and I have been working hard to bring more
features and robust stability to our ASLR patches. We've done extensive
testing on amd64. We'd like to get as many people testing these patches.
Given the nature of them, we'd also like as many eyeballs reviewing the
code as well.

I have a Raspberry Pi and have noticed a few bugs. On ARM (at least, on
the RPI), when a parent forks a child, and the child gracefully exits,
the parent segfaults with the pc register pointing to 0xc0000000. That
address is always the same, no matter the application. If anyone knows
the ARM architecture well, and how FreeBSD ties into it, I'd like a
little guidance.

I also have a sparc64 box, but I'm having trouble getting a vanilla
11-current system to be stable on it. I ought to file a few PRs.

You can find links to the patches below.

Patch for 11-current:
http://www.crysys.hu/~op/freebsd/patche ... PSHOT.diff


Patch for 10-stable:
http://www.crysys.hu/~op/freebsd/patche ... PSHOT.diff


Thanks,

Shawn Webb

Try it, people! Now I'm getting to love FreeBSD much more!
https://www.soldierx.com/news/Administe ... wall-Rules
 
Re: ASLR, PIE, and segvguard patch! FreeBSD 10, 11

I have been trying the patch for a few minutes and must say that it rocks! ASLR has been implemented with ugidfw (mac_bsdextended.ko), which is the best solution.

Code:
root@ns4004894:~ # sysctl -a | grep pax
security.pax.aslr.status: 1
security.pax.aslr.debug: 0
security.pax.aslr.mmap_len: 21
security.pax.aslr.stack_len: 16
security.pax.aslr.exec_len: 21
security.pax.aslr.compat.status: 1
security.pax.aslr.compat.mmap_len: 8
security.pax.aslr.compat.stack_len: 6
security.pax.aslr.compat.exec_len: 6
security.pax.segvguard.status: 1
security.pax.segvguard.debug: 0
security.pax.segvguard.expiry_timeout: 120
security.pax.segvguard.suspend_timeout: 600
security.pax.segvguard.max_crashes: 5
root@ns4004894:~ #
Example using mac_bsdextended
Code:
root@ns4004894:~ # ugidfw add subject not uid root object uid root mode rxws paxflags a
0 subject not uid root object uid root mode rswx paxflags a
root@ns4004894:~ # ugidfw list
1 slots, 1 rules
0 subject not uid root object uid root mode rswx paxflags a
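The sysctl listing above pairs ASLR with SegvGuard, and the two belong together: with security.pax.aslr.stack_len at 16, a forking service that respawns after every crash hands an attacker at most 65536 guesses, which is affordable unless something throttles the crashes. The segvguard tunables shown (max_crashes 5, expiry_timeout 120, suspend_timeout 600) are that throttle. The following C model is an added example, not code from the patches: it implements my reading of the PaX/NetBSD segvguard policy (once a (uid, executable) pair crashes max_crashes times inside expiry_timeout seconds, further execs are refused for suspend_timeout seconds) and replays a brute-force loop against it using the sysctl defaults. The kernel's exact bookkeeping may differ; the uid, path and timestamps are constructed.

```c
/* segvguard_sim.c: model of the crash rate-limiting policy behind the
 * security.pax.segvguard.* sysctls. Added, stand-alone example; it is NOT
 * code from the HardenedBSD/PaX patches, and the policy is my reading of
 * the PaX/NetBSD segvguard design: max_crashes crashes of one (uid, path)
 * inside expiry_timeout seconds refuse exec for suspend_timeout seconds. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_ENTRIES 64

struct segvguard_conf {
    unsigned expiry_timeout;   /* seconds a crash counts toward the limit */
    unsigned suspend_timeout;  /* seconds exec is refused once the limit hits */
    unsigned max_crashes;      /* crashes allowed inside the expiry window */
};

/* One tracked (uid, executable) pair. */
struct segvguard_entry {
    unsigned uid;
    char path[64];
    unsigned crashes;
    time_t first_crash;       /* start of the current expiry window */
    time_t suspended_until;   /* 0 when not suspended */
};

struct segvguard_state {
    struct segvguard_conf conf;
    struct segvguard_entry entries[MAX_ENTRIES];
    size_t nentries;
};

static struct segvguard_entry *lookup(struct segvguard_state *st, unsigned uid, const char *path)
{
    for (size_t i = 0; i < st->nentries; i++)
        if (st->entries[i].uid == uid && strcmp(st->entries[i].path, path) == 0)
            return &st->entries[i];
    if (st->nentries == MAX_ENTRIES)
        return NULL;
    struct segvguard_entry *e = &st->entries[st->nentries++];
    memset(e, 0, sizeof *e);
    e->uid = uid;
    strncpy(e->path, path, sizeof e->path - 1);
    return e;
}

/* SIGSEGV path: record a crash and start a suspension when the limit is reached. */
void segvguard_crash(struct segvguard_state *st, unsigned uid, const char *path, time_t now)
{
    struct segvguard_entry *e = lookup(st, uid, path);
    if (e == NULL)
        return;   /* table full: this toy fails open */
    /* Crashes older than expiry_timeout no longer count: restart the window. */
    if (e->crashes == 0 || now - e->first_crash > (time_t)st->conf.expiry_timeout) {
        e->crashes = 0;
        e->first_crash = now;
    }
    e->crashes++;
    if (e->crashes >= st->conf.max_crashes) {
        e->suspended_until = now + st->conf.suspend_timeout;
        e->crashes = 0;
    }
}

/* exec path: 1 if the exec may proceed, 0 if it must be refused. */
int segvguard_may_exec(struct segvguard_state *st, unsigned uid, const char *path, time_t now)
{
    struct segvguard_entry *e = lookup(st, uid, path);
    if (e == NULL || e->suspended_until == 0)
        return 1;
    if (now >= e->suspended_until) {
        e->suspended_until = 0;   /* suspension expired */
        return 1;
    }
    return 0;
}

/* Brute-force replay against a respawning service (constructed uid/path),
 * with the sysctl defaults: 5 crashes within 120 s suspend for 600 s.
 * Returns how many of 20 attempts were refused instead of yielding a guess. */
int segvguard_demo(void)
{
    struct segvguard_state st = { .conf = { 120, 600, 5 } };
    time_t t = 1000;
    int refused = 0;
    for (int attempt = 0; attempt < 20; attempt++, t += 2) {
        if (!segvguard_may_exec(&st, 1001, "/usr/local/sbin/victimd", t)) {
            refused++;
            continue;
        }
        segvguard_crash(&st, 1001, "/usr/local/sbin/victimd", t);   /* wrong ASLR guess */
    }
    return refused;
}

int main(void)
{
    printf("attempts refused: %d of 20\n", segvguard_demo());
    return 0;
}
```

Run as-is it reports 15 of 20 attempts refused: the first five guesses are allowed and crash, then every exec for the next 600 seconds is denied, so an attacker gets five tries per ten minutes rather than thousands per second. Note the trade-off visible in the model: a legitimately crashing binary is also locked out for the same user, which is why segvguard keys on (uid, path) rather than on the path alone.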
 
Re: ASLR, PIE, and segvguard patch! FreeBSD 10, 11

A new round of patches is here:

FreeBSD 11 - CURRENT -> http://www.crysys.hu/~op/freebsd/patches/20140524011327-freebsd-current-aslr-segvguard-SNAPSHOT.diff
FreeBSD 10 - STABLE -> http://www.crysys.hu/~op/freebsd/pa...reebsd-stable-10-aslr-segvguard-SNAPSHOT.diff


Code:
root@ns3306115:~ # umount /jails
[PAX ASLR] orig_addr=0x7fffffffafe0, new_addr=0x7ffffffd3fd0
root@ns3306115:~ # mount
[PAX ASLR] orig_addr=0x7fffffffafe0, new_addr=0x7fffffff4c78
root@ns3306115:~ # zpool create -f -O compress=lz4 jails ada0s1g
[PAX ASLR] orig_addr=0x7fffffffafe0, new_addr=0x7ffffff9fd00
 
Re: ASLR, PIE, and segvguard patch! FreeBSD 10, 11

I have received by mail a new version of the security patch for FreeBSD (ASLR & SEGVGUARD):

Download:

28.06.2014 - For FreeBSD 10 - STABLE
21.06.2014 - For FreeBSD 11 - CURRENT

FreeBSD 10 - STABLE: http://oksymoron.edu.pl/~bryn1u/FreeBSD ... able.patch
FreeBSD 11 - CURRENT: http://oksymoron.edu.pl/~bryn1u/FreeBSD ... rent.patch


Hey all,

Here's what's changed since our last round of patches on 24 May 2014:
Shawn Webb:
Sat Jun 28 09:57:19 2014 -0400: PAX ASLR: Move the mmap randomization to
a better spot as suggested by Alan Cox
Fri Jun 27 09:26:18 2014 -0400: PAX ASLR: Remove erroneous line of code
Sat Jun 21 20:03:07 2014 -0400: PAX SEGVGUARD: Remove segvguard prior to
putting in a separate feature branch
Thu Jun 19 21:08:37 2014 -0400: PAX ASLR: More style(9) fixes
Thu Jun 19 20:59:44 2014 -0400: PAX ASLR: Add PAX_SYSCTLS to
sys/conf/NOTES
Thu Jun 19 20:48:42 2014 -0400: PAX ASLR: Remove extra NO_PIE/MK_PIE
entries that aren't now needed
Wed Jun 11 22:07:51 2014 -0400: PAX ASLR: Rollback code cleanup that
removed orig_addr from pax_aslr_mmap().
Wed Jun 11 17:54:12 2014 -0400: PAX ASLR: style(9) changes. Grammar
fixes. Code cleanup.
Fri May 30 18:36:49 2014 -0400: PAX ASLR: Pull in Oliver Pinter's change
to add stack randomization
Fri May 30 18:36:01 2014 -0400: Update copyright

Oliver Pinter:
Wed Jun 4 09:39:48 2014 +0200: PAX ASLR: added FEATURE(aslr, ...) to the
kernel, and modify ugidfw to use them
Wed May 28 00:27:06 2014 +0200: PAX: fix prison0 initialization after my
jail modifications
Sun May 25 21:20:23 2014 +0200: PAX: show pax settings in dmesg, and
validate some value
Sun May 25 19:48:44 2014 +0200: PAX ASLR: make security.pax.aslr sysctls
optional
Sun May 25 19:15:16 2014 +0200: PAX: check proc->p_ucred
Sun May 25 19:11:50 2014 +0200: PAX: added PAX_SYSCTLS kernel option
Sun May 25 19:10:16 2014 +0200: PAX ASLR: simplify jail handling
Sun May 25 19:00:12 2014 +0200: PAX: hook in pax_init_prison at
kern_jail_set
 
Relevant is this awesome presentation on ASLR's implementation in FreeBSD by Shawn Webb: https://www.youtube.com/watch?v=jo8ObzR1tKQ
(edit: fixed speaker name, sorry for the mistake.)

bryn1u said:
Exploit Mitigation Techniques: an Update After 10 Years

http://tech.yandex.com/events/ruBSD/2013/talks/103/

(Wow, quite the condescension in that talk toward FreeBSD.)

Yeah, OpenBSD definitely had ASLR support before FreeBSD.

That totally makes up for OpenBSD's continued lack of GPT (let alone SecureBoot) support, for an installer that can't do whole-disk encryption, mirroring or striping, for having no SSD TRIM support, weaker SMP support, lack of memcontrol to configure memory sections, lack of binary nvidia drivers for best-in-class OpenGL support (leaving you with hopelessly slow nv or resolution-crippled vesa), lack of many important ports such as brasero, xfburn4, clearlooks-phenix-theme, iboz-mozc (... and higan :cough:), several conflict selections when installing binary packages, lack of support for USB audio devices such as the Creative X-Fi, lack of /usr/ports immediately after a full base install, lack of ZFS for volume management and software RAID, lack of DTrace for easier debugging, lack of a democratically-appointed rotating leadership team (instead following the Linux model of one leader with a tendency to scare off businesses and professionals with often very valid yet still quite crass comments), lack of Clang to replace GCC for a more permissively licensed system, on and on.

But hey, it had a security feature that sometimes mitigates certain classes of exploits sooner. So it's totally worth calling out and denigrating the competition instead of working together to make a single BSD OS that is great at everything, right? =)
 
byuu said:
That totally makes up for OpenBSD's continued lack of GPT (let alone SecureBoot) support, for an installer that can't do whole-disk encryption, mirroring or striping, for having no SSD TRIM support, weaker SMP support, lack of memcontrol to configure memory sections, lack of binary nvidia drivers for best-in-class OpenGL support (leaving you with hopelessly slow nv or resolution-crippled vesa), lack of many important ports such as brasero, xfburn4, clearlooks-phenix-theme, iboz-mozc (... and higan :cough:), several conflict selections when installing binary packages, lack of support for USB audio devices such as the Creative X-Fi, lack of /usr/ports immediately after a full base install, lack of ZFS for volume management and software RAID, lack of DTrace for easier debugging, lack of a democratically-appointed rotating leadership team (instead following the Linux model of one leader with a tendency to scare off businesses and professionals with often very valid yet still quite crass comments), lack of Clang to replace GCC for a more permissively licensed system, on and on.

But hey, it had a security feature that sometimes mitigates certain classes of exploits sooner. So it's totally worth calling out and denigrating the competition instead of working together to make a single BSD OS that is great at everything, right? =)

Surprise, surprise - OpenBSD "lacks" so many useful things; still, the developers do all their work in that same OS.
According to you, FreeBSD is so feature-rich compared with OpenBSD, yet most (if not all) developers refuse to work in FreeBSD: they use Apple's Mac OS X and run FreeBSD virtually.

See the preferences and patterns? Who cares about super-duper technology if it's a pain in the ass to use ;)
 
Let's not take any of this personally, okay? It's reasonable that FreeBSD and OpenBSD have different features, because they concentrate on and value different things. Each can point at the other and say "look at the silly priorities those guys have".
 
Yeah sorry, I wasn't meaning to derail. Was just kind of annoyed at that linked video commentary at the end.

I split off my comparison to the off-topic area, so if you want to delete these posts, please feel free.

And CoTones, is Oko your alt-account, or perhaps a good friend of yours? Just curious.
 
Ah. You both seem to have an almost identical one, is all. Same grammatical style, same OpenBSD position, and the same concern about what kind of laptops others are using. Nothing wrong with that, but the resemblance is uncanny!
 
Security FreeBSD vs OpenBSD !
http://networkfilter.blogspot.com/2014/12/security-openbsd-vs-freebsd.html

About the features of HardenedBSD:
Short Summary
The HardenedBSD project aims to continuously add advanced exploit mitigation technologies and security hardening features to FreeBSD. We have implemented Address Space Layout Randomization (ASLR), mprotect(exec) hardening, PTrace restrictions, among other features. We will work to upstream to FreeBSD most features we implement in HardenedBSD.

The HardenedBSD project officially launched in August 2014. In just these past few months, development has really taken off. We are in need of a new server to automate the build process and unify development.

What We've Accomplished
We've already implemented these features in HardenedBSD:
Address Space Layout Randomization (ASLR)
Basic mprotect hardening
PTrace restrictions
OpenBSD's getentropy system call
Migration of arc4random to chacha20
SegvGuard
Framework in the base system to create Position-Independent Executables (PIEs)
Custom package repository

What We're Currently Working On
We're actively working on quite a few projects:

Upstreaming ASLR to FreeBSD
Advanced mprotect hardening
Kernel W^X, KERNEXEC, and UDEREF
Removal of obsolete image activators (such as a.out)
Improvements to ASLR: VDSO randomization and efficient shared stack randomization
Self-validating build automation with Jenkins, ZFS, and bhyve
The full grsecurity patchset
secfw, an intelligent replacement for ugidfw
Ports framework support for PIE
 
A new step in the future of FreeBSD-11-HARDENEDBSD
Mode: kiddie:
Code:
[root@Indyferentny ~/paxtest-0.9.11]# ./paxtest
usage: paxtest [kiddie|blackhat]
[root@Indyferentny ~/paxtest-0.9.11]# ./paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
FreeBSD Indyferentny.pl 11.0-CURRENT FreeBSD 11.0-CURRENT #9 193deb4(hardened/current/master)-dirty: Tue Feb 24 02:49:24 CET 2015     bryn1u@Indyferentny.pl:/usr/obj/usr/src/sys/HARDENEDBSD  amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 30 bits (guessed)
Heap randomisation test (ET_EXEC)        : 20 bits (guessed)
Heap randomisation test (PIE)            : 21 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 21 bits (guessed)
Shared library randomisation test        : 30 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 20 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 20 bits (guessed)
Randomization under memory exhaustion @~0: 31 bits (guessed)
Randomization under memory exhaustion @0 : 30 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (memcpy, PIE)         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable
Mode: blackhat:
Code:
[root@Indyferentny ~/paxtest-0.9.11]# ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
FreeBSD Indyferentny.pl 11.0-CURRENT FreeBSD 11.0-CURRENT #9 193deb4(hardened/current/master)-dirty: Tue Feb 24 02:49:24 CET 2015     bryn1u@Indyferentny.pl:/usr/obj/usr/src/sys/HARDENEDBSD  amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 30 bits (guessed)
Heap randomisation test (ET_EXEC)        : 20 bits (guessed)
Heap randomisation test (PIE)            : 20 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 21 bits (guessed)
Shared library randomisation test        : 30 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 20 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 20 bits (guessed)
Randomization under memory exhaustion @~0: 30 bits (guessed)
Randomization under memory exhaustion @0 : 30 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (memcpy, PIE)         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

[root@Indyferentny ~/paxtest-0.9.11]#

Add the PAX_ASLR and PAX_SYSCTLS options to your kernel config. Recompile and install world and kernel. Reboot, start a shell, and run procstat -v <pid> on it to see that the process's memory is randomized.
Or execute paxtest from this link: https://github.com/HardenedBSD/tool...test-freebsd/paxtest-0.9.11-fbsd64-Hunger.tgz
My sysctl hardening:
Code:
[root@Indyferentny ~/paxtest-0.9.11]# sysctl hardening
hardening.pax.aslr.status: 2
hardening.pax.aslr.mmap_len: 30
hardening.pax.aslr.stack_len: 20
hardening.pax.aslr.exec_len: 21
hardening.pax.aslr.compat.status: 2
hardening.pax.aslr.compat.mmap_len: 8
hardening.pax.aslr.compat.stack_len: 8
hardening.pax.aslr.compat.exec_len: 8
hardening.pax.segvguard.status: 1
hardening.pax.segvguard.debug: 0
hardening.pax.segvguard.expiry_timeout: 120
hardening.pax.segvguard.suspend_timeout: 600
hardening.pax.segvguard.max_crashes: 5
hardening.version: 16
hardening.log.log: 1
hardening.log.ulog: 0
hardening.allow_map32bit: 0
hardening.mprotect_exec_harden: 1
hardening.procfs_harden: 1
hardening.ptrace_hardening.status: 1
hardening.ptrace_hardening.gid: 50000
[root@Indyferentny ~/paxtest-0.9.11]#
 