Introducing ASLR in FreeBSD
Formal Metadata
Title: Introducing ASLR in FreeBSD
Number of Parts: 24
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/15342 (DOI)
Production Year: 2014
Production Place: Ottawa, Canada
Transcript: English (auto-generated)
00:01
We've got quite a few projects underneath us, and ASLR is one of the projects that we took on. And while people are joining in, while people are still filing in, I thought I would have a little egotistical moment and talk a little bit about me. I'm a big fan of open source.
00:20
When I started learning how to program when I was like 12 or so, I didn't even have a computer. I wrote in C on like a piece of paper or anything, it really sucked. And so did my code.
00:40
But I'm a big fan of open source. When we got a computer and I finally got online, I would look at other people's source code and learn from others, and that was a big help. I love FreeBSD and ZFS. Great technologies in FreeBSD, ZFS is amazing. I'm such a fanboy of ZFS that I even have it running on my little netbook, which kind
01:06
of sucks, makes it a little bit slow, but it works. I'm passionate about security. The first time I got online, I was like 14, and I spent a whole month convincing my
01:20
parents that we need a 56K dial-up modem. We got online using the free trial of AOL, and then I found out about NetZero and Juno. So NetZero and Juno, they provide free dial-up service, or they did at the time, but they made it so that you had to install adware on your system.
01:45
So it would be a program that displays just a little rectangular image with ads. I'm like, dude, this takes up a lot of my precious dial-up bandwidth. I can't deal with this. And so my first experience with security was downloading a hex editor and looking at
02:05
the strings and stuff, how the dial-up program authenticated, and grepping through using strings to look at all the 800 dial-up numbers. So we didn't have to call long distance either.
02:21
And so I found out what numbers it uses and how it authenticates with their servers, and I ended up scripting my own little dial-up connection client so that I wouldn't have to use their adware. So that was pretty fun. I've submitted a few patches to FreeBSD.
02:42
By far, ASLR is the biggest. I'm a maintainer of a few FreeBSD ports, mainly dealing with jails and Go and Drupal. I'm the author of libhijack.
03:07
I spoke last year about it. It's a tool, a shared library, that makes runtime process infection easy on Linux and FreeBSD. It's a pretty cool tool.
03:20
You can inject shellcode in as little as eight lines of C code. It's pretty nifty. One of my friends right now is porting it to ARM for Linux. So eventually, hopefully, we'll use libhijack for a lot of security things on Android devices.
03:42
A little bit of a disclaimer. Of course, I have to put this to satisfy the legal department. Any opinions, thoughts, ideas, tools, blah, blah, blah, they reflect me only and SoldierX, not any of my previous employers, my current employers, or future employers.
04:01
So I'm here on my own accord. I am representing SoldierX here today because they've donated hardware to the project, they've donated resources, they're pretty cool peeps. So what we're going to do is we're going to start off with a few definitions. We're going to start off, try to get on the same page with what ASLR is and the history
04:23
behind it. Then we're going to talk about FreeBSD security strengths and their weaknesses, some of the things that need to be improved upon. Then we're going to talk about what we can learn from others because FreeBSD is pretty much the last enterprise operating system to implement ASLR.
04:41
So we have the unique opportunity to learn from the strengths and mistakes of others. Then I'm going to talk about how we've implemented ASLR in very high-level detail because I've only got 45 minutes and ASLR touches quite a few different places in the
05:04
system, in the source code. I don't have the time to go in-depth, but I'm at least going to show you the files that are modified and what we do. Then I'm going to talk about how to use ASLR in FreeBSD and what needs to happen
05:21
next. Then I've got a live demo, and I did sacrifice 3.5 goats to the demo gods. And the goat BoF was born. So for definitions, security, it's what Sony and Mt. Gox have in common. They suck at it.
05:43
Really security is just an onion that's made up of ever-increasing layers. The more layers you have, the more time and resources it's going to take an attacker to successfully exploit your system. So we have many different layers, and one of those layers are different exploit mitigation
06:03
technologies, techniques. An exploit mitigation technique is a method or technique to prevent the successful exploitation of security vulnerabilities. Our computers have millions and millions and millions of lines of code in them. All these programs, dozens of programs, hundreds of programs we run on our computer.
06:24
And we don't know where the vulnerabilities lie. But an attacker, a dedicated attacker, is going to use whatever means possible to pop a shell in your box. And so exploit mitigation technologies allow you to secure your system from the unknown,
06:48
at least help in giving you more time to be able to address security vulnerabilities. ASLR is one such exploit mitigation technology.
07:02
It is address space layout randomization. So what happens is without ASLR, your application that you want to run, like Firefox for example, says to the operating system, I expect to be loaded at this address. My data is here. I need it here. If it's not here, I'm going to crash.
07:23
And so your program is loaded in a deterministic way. So if there's a vulnerable function, if there's a piece of data that an attacker is interested in, either a vulnerable function or a password stored in memory, a social security number, credit card number, whatever it is, then the attacker knows exactly how
07:45
to reach that point in memory and trigger that vulnerability. What ASLR does is it randomizes where the program and its dependencies are loaded in memory. So the attacker doesn't know, the attacker knows that there is a vulnerability, but
08:01
he doesn't know where in memory it is. So the program like Firefox I was saying, for example, will tell the operating system, hey, I can be loaded anywhere in memory. That's fine. My data can be loaded anywhere in memory. I'll make do. You just tell me where I'm loaded, and we'll make amends.
08:23
So ASLR helps protect against very low-level attacks, buffer overflows, return to libc, and when you mix that with like format string vulnerabilities and integer overflows, you know, really low-level things.
08:41
ASLR doesn't help protect against PHP, LFI, and RFI, and SQL injection attacks, and cross-site scripting, all that fun stuff. You know, that's too high-level for ASLR. So we're really just talking about really low-level vulnerabilities here.
09:04
You can think of exploits like Stuxnet, and Flame, and even Heartbleed, even though ASLR wouldn't have helped in the Heartbleed case, but same kind of low-level type of thing.
09:21
To give a little bit of history, this is all on Wikipedia, so thanks, Wikipedia University. Just to get on the same page, though, in 2001, we now know that the PaX team is just a single person, but at the time, we didn't know if it was one person or multiple people.
09:40
So I still call them the PaX team, just because that's how we've called them over the years. They implemented, as a third-party patch, ASLR for Linux. And in 2004, OpenBSD picked up that patch, and it took Open... I'm sorry, no, we didn't know about it.
10:02
Oh, you didn't? It was in the end of it. Oh, okay. Well, then I was wrong. Well, in 2004, OpenBSD started implementing ASLR, I think, I guess, maybe not based on PaX. But at least their current implementation is based on PaX, I believe.
10:22
No? No. Completely improved. Okay. All right. It may have been based on the same research. Okay. But not on... None of the code. None of the code. None of the code. I don't think of any of their papers. Okay. All right. Well, I learn something new every day.
10:41
So it took OpenBSD four years to implement ASLR, but to their credit, they had a lot more work to do. They had to change a whole lot of stuff in order to support ASLR. Because we're coming at this a little bit behind, we don't have to change as much stuff. There's not as many prerequisites for implementing ASLR.
11:06
For us, it's already been done. In 2005, Linux ripped PaX's ASLR, and they dumbed it down, called it more secure, and did a lot of politics bullcrap there.
11:23
I'll talk a bit more about Linux in our learning from others slide. In 2007, Microsoft introduced ASLR into Windows Vista. Their initial ASLR implementation was crap.
11:41
Very easy to bypass. Extremely easy. It was pretty much useless. They made some design and architecture decisions that were more of a mistake that last till today, because they had to add some fields to the PE header to say,
12:01
we'll talk about that later. But yeah, they introduced ASLR in 2007. It took Apple five years to finish up their ASLR work for OS X, which they started in 2007. In 2011, Sun or Oracle, I don't remember what year Oracle bought Sun,
12:24
but they introduced ASLR into Solaris 11. In 2014, Oliver Pinter and I submitted call for testing emails to the mailing list for our ASLR implementation on FreeBSD.
12:43
And FreeBSD has a lot of security strengths. FreeBSD security mainly relies on policy-based security decisions. The MAC framework, NFSv4 and POSIX ACLs, securelevel, auditdistd and jails. And you can think of jails and bhyve as sort of a policy-based security,
13:06
because you're saying that I don't trust this application, so I'm going to jail it. FreeBSD has kind of a hybrid policy-based and exploit mitigation technology, sandboxing, known as Capsicum.
13:22
That's a pretty good implementation. Sandboxing is pretty cool. So I don't have that list on the slide, I forgot to put it. But Capsicum seems to be pretty useful, pretty promising for the future. Non-technology, or non-policy technology, so these are exploit mitigation technologies,
13:44
a non-exec stack for amd64, and ptrace restrictions. Fun little fact is the ptrace restriction prevents libhijack from working. So FreeBSD does have a few weaknesses.
14:01
There's the non-exec stack. That means that you can put your shellcode on the stack. When you're exploiting the application, your end goal is to run arbitrary code, known as shellcode. But you can store it on the stack, you're just not going to get it to run on the stack.
14:20
And FreeBSD has that, but it's not working on all platforms. I have a Raspberry Pi, and supposedly it supports a non-exec stack, but it doesn't. So once we're finished with the ASLR patch itself, I'm going to go back and
14:40
take a look and see why non-exec stack isn't being obeyed on ARM. And so one of the things that goes hand in hand with ASLR is called position independent executable support. And I'm going to call that PIE because that's a lot easier to say than position
15:03
independent executable. So ASLR, really to be effective, needs PIE support. So that's the part that tells the operating system, hey, the program can be loaded anywhere in memory.
15:24
And so for ASLR to be effective, PIE support needs to happen in base. And I'm actually working on that right now and hoping to get a patch up to Bryan Drewery tonight to be merged into head. So that'll be coming here soon.
15:42
Of course, there's no ASLR in FreeBSD, that's why we're talking about it. And grsec is a third party patch to the Linux kernel that hardens the kernel and the user land. My end goal is to port all the features that make sense for
16:01
FreeBSD to FreeBSD. So to learn from others, Linux is really political. It's a territorial pissing contest when it comes to this kind of stuff.
16:20
What they did was they saw PaX's work, but they didn't want an implementation from an anonymous author. We didn't know, the Linux guys didn't know who wrote PaX's ASLR implementation. And so they wanted something of their own, and instead of trying to figure out
16:42
who it was and contact them, there's an actual email address for them. They could have just emailed the guy. They ripped PaX's code and dumbed it down and called it more secure. And the one thing that drives me to FreeBSD more than anything, I love FreeBSD's technologies.
17:02
The one thing that drives me to FreeBSD over everything is the lack of politics when it comes to this kind of stuff.
17:25
I sat down with DES the other day, and I was kind of scared because this is the first time that I ever had a major patch review, and I was kind of scared. And it was more about the technology.
17:40
He had some ideas and suggestions, and it's more like, you've got a patch? That's cool. We need to get this in. But first, let's fix a few issues. It's more about the technology with FreeBSD than the territorial pissing contest. And that's been my experience. Other people's experience may vary, but that's been my experience
18:02
when submitting patches and helping out the FreeBSD project. It's not nearly as mind-numbing as it is with Linux. And so, technologically speaking, Linux's ASLR.
18:23
So I'm not going to talk about PaX because Linux's actual ASLR implementation is pretty weak and pretty dumb. It's either turn ASLR on globally or turn it off globally. So if you want ASLR, if you want this exploit mitigation technology on your
18:43
system, but you have one application that is closed source, you know, kind of like Flash or the NVIDIA binaries, that kind of thing. The ones you want to have ASLR for. Yes. If an application that is misbehaving under ASLR, like it's crashing or
19:02
there's other bugs, then you have to have ASLR turned off for the whole system. So that's stupid. So the two things that I took away from this is that we need to randomize enough bits, because that's the problem with Linux's ASLR.
19:21
That's one of the problems with Linux's ASLR is that they're not randomizing enough bits, and there's no way to control how many bits you want to randomize. And there's no way to toggle it on a per application basis. That's kind of a half lie, but not really. This command up there, that setarch right there, you have to use that
19:44
command every single time you run this application that you want ASLR disabled for. And it's kind of stupid. So if you have, like, an application that gets started via init scripts, you have to go and modify init scripts to disable ASLR.
20:03
So every time you update the package for that, you have to back out your modifications, let the package update, and then reinsert your modifications. It's stupid. So one of the things that I learned from Linux is we want to be more
20:20
flexible, more dynamic than that. Windows, now with Windows 7, Windows 8, they have a pretty decent technical implementation. The biggest issue there is individual DLLs and EXEs can have ASLR turned on or off. So both EXEs and DLLs are just PE files.
20:44
And there is a bit inside of the PE file that says, for this object, ASLR is turned on or off. And so you can have an EXE that depends on, let's say, five DLLs, for example.
21:00
We'll say the EXE has ASLR turned on and four out of the five DLLs have ASLR turned off. So that means one DLL has ASLR turned off. So the ASLR will get applied. The Windows will apply ASLR to the EXE and to the four DLLs.
21:24
And ASLR won't get applied to the one DLL. So we'll be kind of in this hybrid state where ASLR was kind of applied but kind of not. And that is a big issue because, for example, just recently, I can't name the vendor. But there was one vendor who, if you use Windows, you probably use their
21:45
software every day or nearly every day, especially if you're looking at documentation. They had just released a new version of their software and it depended on
22:03
quite a few different DLLs. And it was just that exact same scenario. They had compiled their applications with ASLR support and all the DLLs except for one. There was a vulnerability in one of the DLLs that had ASLR turned on, but the call stack was such that the control flow could be controlled via the DLL that
22:29
had ASLR turned off. And because they could use that DLL that had ASLR turned off, because that was loaded in a deterministic way, attackers were able to successfully exploit the
22:43
application using nothing more than just your standard exploitation techniques. So that can be a major issue. We still have that kind of issue with ELF, with the ELF file format on
23:04
FreeBSD, but that's because the ELF file format was designed years and years and years and years, way before ASLR was even thought of. So that's why PIE support is really important because otherwise you're not
23:24
randomizing all of the address space. You're randomizing... if you don't have ASLR or PIE support for that application, you're still randomizing where the dependencies, the shared objects get loaded, but not the binary itself. So you still kind of have that DLL issue just in reverse.
23:47
So ASLR for FreeBSD is available on all architectures FreeBSD supports, with some... we don't have hardware for all architectures, of course, so your mileage may vary.
24:05
We actively test on amd64, i386, ARM, and kind of sparc64. Vanilla FreeBSD, you know, just FreeBSD 11-CURRENT without the ASLR patches at all has issues on sparc64.
24:22
So I haven't been able to test the ASLR stuff too much on sparc64. So we have exec base randomization via PIE. I'm still working on the PIE patch and we're going to hopefully get that in base here by tonight.
24:42
I ran into some issues with being able to compile the bootloader. So that's kind of important. So two of my favorite features, if an application... we're going to have three ways that you can toggle ASLR for individual binaries.
25:08
One isn't implemented yet, that is FS extended attributes. So you can set an extended attribute for the binary in the FS that says, hey, don't apply ASLR when you're executing this application.
25:23
Another way is to...if your application is misbehaving, you can jail that application and have ASLR turned off just for that jail. So you have ASLR turned on for your host OS and all your other jails, but for just this jail, you can have ASLR turned off.
25:40
And my favorite feature overall is that I've tied into the file system firewall known as ugidfw, which is part of the MAC framework, that allows you to specify dynamic rules, kind of like IPFW-style rules,
26:01
for controlling ASLR on a per binary and even per user and per group basis. So it's pretty cool. From Windows, we... yeah, it's kind of in... in Windows' case,
26:36
you can have an individual DLL that doesn't have ASLR turned on.
26:43
And in FreeBSD's case, it would be the binary itself, not the shared object. It is, but it's already... shared objects are compiled such that they're already randomizable.
27:02
That's the nature of a shared object. It can be loaded anywhere in memory. And so, previously, without the ASLR patches, shared objects were getting loaded in a deterministic way. They were always getting loaded at the same address. Even though they could be relocated, they weren't. So that's part of this ASLR patch is to do that for shared objects.
27:23
And it's where all objects that the binary loads would have an ASLR applied or not applied, which that's the thing you're saying. Or would it be you can load a binary with ASLR turned on, and some of the shared objects may have it turned off? No. Okay. No. It's the reverse.
27:42
Shared objects will always get randomized unless ASLR is turned off for the binary or in the jail. So if your binary is not compiled as a position-independent executable, though, compiling as a position-independent executable turns your executable into a shared object,
28:04
pretty much. So if your executable itself is not compiled as a PIE, then the executable will be loaded at a deterministic address in a deterministic way. So we kind of have the opposite of the same type of Windows problem,
28:27
but in the opposite way. So, yeah. And I'll show you how that all works. So here are all the settings, all the sysctl tunables.
28:44
The status tunable says there's three different values for that, integer-based. One is you have to have your applications opt in right now just via the ugidfw.
29:04
Or setting it to 2 says opt out, meaning that all applications will have ASLR applied, except for the ones that you say you want to opt out of. And 3 means that it's enabled globally,
29:22
that we're going to force ASLR to be turned on everywhere for every application. And so really my favorite feature is the ugidfw integration, because you can create firewall rules that apply per user,
29:41
per group, per file, or per object. You can define an object as not a file, but as different ways. You can take a look at the man page for the object stuff. It's really cool. It's very powerful.
30:02
But there is some ABI and KBI breakage with this, so if you are a third-party developer and you've developed based off of the libugidfw stuff, then there is a little bit of ABI breakage. You'll need to recompile your application.
30:24
API, there's no API breakage, so all your function calls and stuff will remain the same, but I did have to change some underlying structures. So an example rule would be, for me, if I want to disable ASLR for this test application,
30:44
then I could say, add a rule for my user only. When I run this test application, that small "a" means disable ASLR. So that's pretty cool.
31:04
So this is low-level details, the higher-level version of the low-level details. In kern_pax.c, those are just generic helper functions, and kern_pax_aslr.c is where the sysctls are implemented
31:22
and the math of how we're applying the ASLR is done. And imgact_elf.c is where we're doing the runtime linker randomizations, and it's where we've implemented PIE support.
31:44
So there is a potential issue with compiling as a PIE. In that, since we're randomizing the load address of the executable,
32:02
you might end up with a NULL address. Well, our implementation guarantees that you won't have a NULL mapping. So that's kind of important. We double-checked and made sure that that isn't an issue. NULL mappings will never happen with our ASLR and PIE implementation.
32:24
So this bullet's a little out of date as of today. There's two knobs that need to be set. One is user-controlled and one is developer-controlled. The user-controlled knob is WITH_PIE.
32:41
So you put WITH_PIE in your make.conf or src.conf if you just want... src.conf if you want PIE only for base. make.conf if you want it globally. Some applications don't support being compiled as a PIE, and some applications are buggy when run as a PIE.
33:04
So each application must... This is the part that's out of date. I'm turning this opt-in to opt-out. By default, applications in base will compile as a PIE, except for those that have the NO_PIE=yes flag.
33:24
So I'm adding... What's that? Are you imp? Yeah. Okay.
33:43
There isn't really any other way... We'll talk. We'll talk. But I don't know if there's any other way to do it other than a no flag. There is now. There is now? Cool.
34:01
So I'll utilize that. Crap. I've got to go and change all 30 different files. Well, see, that's exactly it. They're helping me. They're like, hey, do it a different way.
34:22
But they're helping me with it. Whereas with Linux, it'd be like, go screw yourself. But... He could, but he doesn't.
34:55
But the next project is going to be dealing with the ports framework after this,
35:01
and that's going to be a project in and of itself. So it's a good thing that I work with some ports people. Just 20 feet away. Well, a little bit more than that. But that's going to be my next major project, is adding PIE support to the ports framework. So how to use it?
35:20
Compile your kernel with the PAX_ASLR option. Right now, ASLR is not in base, so you have to apply a patch. We're still in the call for testing phase. So apply the patch, add PAX_ASLR to your kernel, recompile, install the kernel.
35:41
By default, ASLR will be turned on when you compile with that kernel option. And if you use jails, child jails will inherit the parent jail settings. So that means if you have ASLR turned off for the parent,
36:01
then when you boot up the new jail, ASLR will be turned off for the jail when it boots up. And if you want to take advantage of PIE support, then you have to compile your applications with the -fPIE and -pie CFLAGS,
36:22
and ideally also add -pie to your LDFLAGS as well. I'm going to skip this slide because our segfault protection, which is a recommended feature for ASLR but is not required, we're still working out the low-level details of that. Segfault protection is a very difficult thing to architect,
36:45
and we're going between two or three different designs and architectures for our implementation. So we're still a little bit undecided on how we want to implement that. Basically what segfault protection does is it frustrates the attacker
37:06
that is trying to determine the inner workings of ASLR to see if there's any deterministic behavior. So if there's a vulnerability that the attacker is triggering that causes a segfault,
37:22
and like sshd, sshd will restart the process automatically if it crashes or if it exits. An attacker will basically do a password brute force attack, but in this case a segfault brute force attack.
37:41
Segfault protection just adds a delay into restarting that application. There's one thing, Linux only has segfault, but these details have loss error from where pointers get corrupted as well, so make sure that's included as well. Okay. That's really good to know. I did not know that.
38:01
Danilo Egea, who is a committer, is actually working on the segfault protection feature, and so I'll bring that up with him. So for future work, I need help with the ARM stuff. I don't know the ARM architecture very well. I attended yesterday's ARM intro presentation.
38:22
That was really helpful, but I still don't know jack about ARM. So if you own a BeagleBone Black or Raspberry Pi and you're willing to test this stuff out, get with me and I'd love some help with that.
38:41
Hopefully, we're going to be committing the PIE support today after I remake all my changes to not do the NO_PIE thing. And we need testing. We need people to test this. I've been running the ASLR patches on my box pretty much since its inception,
39:03
and our ASLR implementation, at least for AMD64, is solid. I have not had a single issue. I now have Chrome, the Chromium project, compiled as a PIE,
39:20
and it works great except for HTML5 audio and video doesn't work anymore. I don't know why. So my end goal, though, is once ASLR is done and in base and PIE support is done and in base and NX support is fixed on non-AMD64, and I think i386 architectures,
39:42
then I'm going to work on more grsecurity/PaX features. I'm probably going to work on W^X next and then MPROTECT. So now is the demo.
40:04
So you can see in this test application, basically all I'm doing is I've got a pointer that points to some data, and I'm just printing out the address of that pointer. So you can see...
40:22
You can see I've got ASLR turned on. Wow, just had a brain fart. I'm randomizing 21 bits of mmap calls
40:41
and 21 bits of the exec base. That's PIE. The exec line is for PIE. So when I run this application, you'll see that that address gets randomized each time. So...
41:01
So I've got ASLR turned off globally, and that address isn't randomized anymore.
41:22
So right now what I'm doing is I'm adding a ugidfw rule, a file system firewall rule, to disable ASLR for that one application.
41:43
Actually, what I'm going to do... I'm going to disable ASLR just for that application.
42:07
This mode says I can read the file and execute it. The paxflags option, which is optional,
42:21
the lowercase a means ASLR is disabled for this application. The uppercase A means it's enabled. So if we're running on an opt-in basis, using a capital A will say I'm opting in this application to ASLR. So now you can see the behavior is the same,
42:42
but we can see that ASLR is enabled, but it is disabled for that application. So I copied test to test_u, so it's a different file. We can see that ASLR is still working,
43:02
but for other files. The firewall rule? It is... Oh, no, just run test. Oh, yes. Yep. So running it as a different user means ASLR is applied for that file.
43:27
I chose 10 because it's a nice, easy number to remember. So now that I removed the firewall rule, ASLR is enabled. So that's really it for the presentation.
43:41
I wanted to thank a few people. Oliver Pinter is the one who initially started development on the ASLR feature. What happened was I had pointed out, I had posted on my little tech blog that I was going to start working on ASLR for FreeBSD.
44:01
And then he somehow saw that post and then contacted me and said, hey, let's work together. So I added the per-jail support, PIE support, and the ugidfw stuff. And he did quite a few other awesome things. Danilo Egea, he's working on the SEGVGUARD feature.
44:24
And Ryan Steinmetz is the ports committer and ports SEC team member that I work with. He's awesome. I'm probably going to murder this name. Johannes Meixner. No clue how to say that last name. He convinced me to send a status report
44:44
for the quarterly status report, which got some people interested in it and added some more testers to the CFT, and to SoldierX for donating hardware and support otherwise.
45:01
So these slides are online. It's just a text file that you can open up with Vim, Emacs, whatever. So these are some references. And thank you very much for coming.