hardening, current status of aslr/wx with firefox, ntpd

What are the secure values we can put for
Code:
kern.elf64.nxstack
kern.elf64.aslr.enable
kern.elf64.aslr.stack
kern.elf64.aslr.honor_sbrk
kern.elf64.aslr.pie_enable
kern.elf64.allow_wx
security.bsd.stack_guard_page
 
ASLR is enabled by default for a while now.
Depends on what exactly you mean by "enabled". Here are the values from a stock 13.1-RELEASE-p2:
Code:
kern.elf64.aslr.stack: 1
kern.elf64.aslr.honor_sbrk: 1
kern.elf64.aslr.pie_enable: 0
kern.elf64.aslr.enable: 0
vm.aslr_restarts: 0
kern.elf64.nxstack: 1
kern.elf64.allow_wx: 1
security.bsd.stack_guard_page: 1
Some aslr values are enabled, but not all.
 
Code:
paul@zoo-FreeBSD ~ $ uname -a
FreeBSD zoo-FreeBSD.home 13.1-RELEASE-p2 FreeBSD 13.1-RELEASE-p2 GENERIC amd64

I have these in /etc/sysctl.conf without apparent ill effects (e.g. openntpd, firefox and chromium all work):

Code:
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.enable=1
resulting in:

Code:
paul@zoo-FreeBSD ~ $ sysctl -a | grep kern.elf64
kern.elf64.allow_wx: 1
kern.elf64.sigfastblock: 1
kern.elf64.aslr.stack: 1
kern.elf64.aslr.honor_sbrk: 1
kern.elf64.aslr.pie_enable: 1
kern.elf64.aslr.enable: 1
kern.elf64.pie_base: 16912384
kern.elf64.vdso: 1
kern.elf64.nxstack: 1
kern.elf64.fallback_brand: -1
and

Code:
paul@zoo-FreeBSD ~ $ sysctl -a | grep aslr
kern.elf32.aslr.stack: 1
kern.elf32.aslr.honor_sbrk: 1
kern.elf32.aslr.pie_enable: 0
kern.elf32.aslr.enable: 0
kern.elf64.aslr.stack: 1
kern.elf64.aslr.honor_sbrk: 1
kern.elf64.aslr.pie_enable: 1
kern.elf64.aslr.enable: 1
vm.aslr_restarts: 396
paul@zoo-FreeBSD ~ $
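
To turn the two posts above into something repeatable, here is an added audit script (not from any poster in this thread, and not FreeBSD project code). It reads sysctl(8) output, compares the knobs the OP asked about against a "wanted" set, and prints the /etc/sysctl.conf lines needed to close the gap. The wanted set is an assumption: it matches what paul enables above (aslr.enable=1, pie_enable=1, stack=1, nxstack=1, stack_guard_page=1) plus allow_wx=0, which nobody in this thread runs. allow_wx=0 makes the kernel refuse mappings that are writable and executable at the same time, which JIT-heavy programs can need, so test it on your own workload before deploying. The sample input is the stock 13.1-RELEASE-p2 output quoted above, embedded so the script runs offline.

```shell
#!/bin/sh
# Added audit helper for the FreeBSD ASLR/W^X sysctls discussed in the thread.
# Not code from the thread or from FreeBSD; the WANTED set is an assumption.

# Wanted values, one "key value" per line. allow_wx=0 is stricter than what
# the posters run (they leave it at 1); keep or drop it as your workload allows.
WANTED='kern.elf64.aslr.enable 1
kern.elf64.aslr.pie_enable 1
kern.elf64.aslr.stack 1
kern.elf64.aslr.honor_sbrk 1
kern.elf64.nxstack 1
kern.elf64.allow_wx 0
security.bsd.stack_guard_page 1'

# audit_aslr: reads "key: value" lines (the format sysctl -a prints) on stdin
# and prints one "key current wanted" line per mismatch, plus "key missing
# wanted" for any wanted key absent from the input (e.g. a kernel without it).
# Exit status 0 when everything matches, 1 otherwise.
audit_aslr() {
    awk -v wanted="$WANTED" '
    BEGIN {
        n = split(wanted, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, " ")
            want[kv[1]] = kv[2]
        }
    }
    /^(kern\.elf64|security\.bsd)/ {
        key = $1
        sub(/:$/, "", key)            # "kern.elf64.nxstack:" -> "kern.elf64.nxstack"
        if (key in want) {
            seen[key] = 1
            if ($2 != want[key]) { bad++; print key, $2, want[key] }
        }
    }
    END {
        for (k in want) if (!(k in seen)) { bad++; print k, "missing", want[k] }
        exit (bad > 0)
    }'
}

# suggest_conf: same input, but emits ready-to-paste /etc/sysctl.conf lines
# for every mismatch (key=wanted), nothing when the box already complies.
suggest_conf() {
    audit_aslr | awk '{ print $1 "=" $3 }'
}

# Constructed sample: the stock 13.1-RELEASE-p2 values quoted in the thread.
STOCK='kern.elf64.aslr.stack: 1
kern.elf64.aslr.honor_sbrk: 1
kern.elf64.aslr.pie_enable: 0
kern.elf64.aslr.enable: 0
vm.aslr_restarts: 0
kern.elf64.nxstack: 1
kern.elf64.allow_wx: 1
security.bsd.stack_guard_page: 1'

# Offline demonstration on the constructed sample.
# On a real box replace the printf with: sysctl -a | audit_aslr
echo "== mismatches (key current wanted) =="
printf '%s\n' "$STOCK" | audit_aslr || :
echo "== /etc/sysctl.conf lines to close them =="
printf '%s\n' "$STOCK" | suggest_conf || :
```

Two notes for anyone who adopts the allow_wx=0 line: a program that genuinely needs W+X pages can be marked with `elfctl -e +wxneeded` on its binary instead of relaxing the knob system-wide, and a single program that misbehaves under ASLR can be started with `proccontrol -m aslr -s disable <command>` or marked `elfctl -e +noaslr` rather than flipping kern.elf64.aslr.enable back to 0. Also, a non-zero vm.aslr_restarts (396 in paul's output) is expected once randomisation is on; it just counts mappings the kernel had to retry after a randomised placement did not fit.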
 