HardenedBSD Completes Strong ASLR Implementation

New submitter HardenedBSD writes: A relatively new fork of FreeBSD, HardenedBSD, has completed its Address Space Layout Randomization (ASLR) feature. Without ASLR, applications are loaded into memory in a deterministic manner. An attacker who knows where a vulnerability lies in memory can reliably exploit that vulnerability to manipulate the application into doing the attacker's bidding. ASLR removes the determinism, making it so that even if an attacker knows that a vulnerability exists, he doesn't know where that vulnerability lies in memory. HardenedBSD's particular implementation of ASLR is the strongest form ever implemented in any of the BSDs.

The next step is to update documentation and submit updates to the patches they have already submitted upstream to FreeBSD. ASLR is the first step in a long list of exploit mitigation technologies HardenedBSD plans to implement.

??? nothing

No comments? No one had anything to say about this?

Re:??? nothing

[ArcadeMan]

I'm just waiting for the "moo cow" guy to post a reply with a link to a cowgirl image...

Re:??? nothing

I have some ideas:

1. Dice, get rid of the awful moderating. When most of a story's comments (especially the most insightful ones, even if they may be deemed controversial by small-minded individuals) have been wrongly modded down to -1, they won't be read, and they won't be replied to.

2. Dice, get rid of the posting limits. Let us post more than 10 comments a day, and don't make us wait any longer than 1 minute between comments. Since there are only like 100 different people who actually bother to post these days, the current limits mean that we don't see more than 1000 comments each day!

3. Dice, don't post any more dumb social "justice" submissions that drive away the people who are here to talk about software, computers, science, math, and everything except social "justice" (which, upon any critical examination, is clearly not about "justice", or "fairness", or anything like that).

When Slashdot returns to being a place where free discussion about relevant topics (that is, not social "justice") is allowed, unimpeded by awful moderation and excessively restrictive posting limits, there will be more people who want to visit this site, there will be more people wanting to engage in discussion, and thus there will be more comments!

Re:??? nothing

your mom

Re:??? nothing

Or just expect that, when a story is posted on a Saturday afternoon/evening, the Slashdot audience will be much smaller than usual. It'll also include a disproportionate number of brave, dedicated Men's Rights Advocates that have no family, no girlfriend, no prospects, and nothing better to be doing on a weekend afternoon than to post anonymous whines.

Re:??? nothing

You are wrong on all accounts.

Three things are destroying Slashdot:

1. The terrible moderating.

2. The unnecessarily restrictive posting limits.

3. The social "justice" submissions.

All three need to go.

Re: ??? nothing

1. No, you are wrong. This isn't a matter of opinion.
2. Yeah, because special snowflake you just needs to shit up every reply in every thread.
3. Log the fuck in and vote in the firehose.

Or you could just STFU or leave we don't care.

Re:??? nothing

[Barsteward]

register and log in then maybe you'll be listened to - what are you scared of?

Re:??? nothing

I'm not scared of anything, my anonymous friend "Barsteward". I'm just too lazy to register and log in each time I want to comment here. I don't want to deal with yet another goddamn website account, especially when I can post without one here. I've got enough of those fuckers for other sites!

Re:??? nothing

[alexgieg]

It took you more time to explain why you don't want an account that it'd have taken for you to make one. As for logging in every time, how about, I dunno, keeping your account logged in?

Re:??? nothing

[Barsteward]

mine stays logged in, no need to keep logging in. i think you don't want your opinions tracked. if you registered, logged in and posted (umlimited posts) we'd know if you are a troll or not.

Update documentation

[zAPPzAPP]

That's always my next step too

Re:Update documentation

Yep, they will start with that just after they managed to get code execution to follow the same random sequence as the program loading.

Re:Update documentation

That's always my next step too

I know you're joking, but the *BSDs have some pretty damn good documentation:

* https://www.freebsd.org/docs.html

They also have translation teams that take the canonical English versions and translate them many other languages (including Mongolian of all things).

Re:Update documentation

[Bengie]

They have great documentation, especially compared to the competition, but there are some pieces that are lacking. There is a dedicated group that started in the past few years that is going over documenting the entirety of FreeBSD with people with great documentation skills and are also normalizing the formats to a new document format. Large undertaking.

Cool

Pretty cool stuff. Nice to see more distros do this stuff. Personally I'm using openbsd for all my work these days because they have pretty much all these things turned on (and have had them for a long time)

Re:Cool

[fisted]

I'm using openbsd for all my work

Nice to see more distros do this stuff.

Something tells me you aren't as familiar with the BSDs as you pretend to be. What could it possibly be?

Re: Cool

He said he uses OpenBSD for all his work! Maybe he was fired 16 years ago you insensitive clod!

Re: Cool

I don't get what you guys are saying. the openbsd distribution is different from the FreeBSD distribution which is different from dragonflybsd distribution. are you guys saying only Linux has distributions? plus I love how on slashdot even when the OP makes a fairly neutral comment, the clowns come in with hateful comments right away. the level of comments here is quite low...

Re: Cool

[fisted]

BSD doesn't have "distributions" in the way GNU/Linux does, dear AC. The concept doesn't quite apply.

FreeBSD

Are there plans to merge ASLR into FreeBSD ?

Re:FreeBSD

[Bengie]

The next step is to update documentation and submit updates to the patches they have already submitted upstream to FreeBSD

Re:FreeBSD

[unixisc]

I'd like to see it make it to PC-BSD. 11 maybe?

Re:FreeBSD

[Bengie]

PC-BSD is just a thin wrapper of scripts, wizards, and some decent tools over FreeBSD. You can upgrade and downgrade to/from PC-BSD/FreeBSD.

Re:FreeBSD

[TheRaven64]

PC-BSD occasionally picks some patches to apply on top of a stock FreeBSD, but they try to keep it fairly small. I suspect that they're unlikely to pick up these for several reasons. First, there are still some random segfaults in applications caused by these patches that are not yet diagnosed. Second, the HardenedBSD team doesn't have a great track record for security, for example merging some insecure random number generator patches that were under review for FreeBSD and rejected over security issues and shipping them in production. Third, since the Blind ROP work from Stanford, ASLR is largely discredited as a security feature - it's a nice checkbox feature, but it doesn't really buy you much against a determined attacker. Fourth, the last iteration of the patches still had some very odd decisions about the interfaces for turning ASLR on and off (they also had a number of lock-order reversals, which are hopefully fixed in the latest version).

Re:FreeBSD

[unixisc]

From the documentation in the handbooks, I'm left w/ the impression that PC-BSD is what you get the moment you want X11 on top of FreeBSD. Or is there more to it than that?

Re:FreeBSD

??

no you don't undrestand - it won't be used by PCBSD - it can't.
flash player is not supported with a hardenedbsd kernel. so no way.

Re:FreeBSD

I'd say PC-BSD vs FreeBSD is akin to Ubuntu vs Debian. One is based on the other, with the goal of being newbie-friendly.

You can install Debian and install a desktop, or you can install Ubuntu and get a desktop configured and ready to use.

Personally, I'd always choose Debian and build up from that. (Posting this from FreeBSD.)

Re:FreeBSD

> Third, since the Blind ROP work from Stanford [stanford.edu], ASLR is largely discredited as a security feature

this is utter nonsense. BROP doesn't work against a proper ASLR implementation. hint: brute force prevention is part of the deal. if you know better then feel free to demonstrate BROP against a grsecurity system ;).

cheers,
  PaX Team

Re:FreeBSD

[TheRaven64]

BROP doesn't work against a proper ASLR implementation

Define 'proper'. Re-randomisation after every fork()? Good luck with that. PLTs at random offsets? Sure, if you're willing to pay the overhead of not being able to share any position-independent code between processes.

Re:FreeBSD

i defined it in the challenge i gave you: grsecurity and its brute force prevention mechanism (but you can also just read the canonical document on ASLR on the PaX doc site where this requirement is clearly spelled out). if you can make BROP work there, by all means, let us and the world know. otherwise stop the parroting of academic 'research'.

BSD is for cows.

You are all cows. Cows say moo. MOOOOOOOOOOO! MOOOOOOOOOOO! Moo cows MOOOOOOOOO! Moo say the cows. YOU COWS!!

Re:BSD is for cows.

[ArcadeMan]

Moo

Re:BSD is for cows.

And I suppose you think you're a Keyboard Cowboy...

Why not just use OpenBSDs?

Wouldn't it be easier to just import OpenBSD's implementation?

Re:Why not just use OpenBSDs?

[Zer0P]

Wouldn't it be easier to just import OpenBSD's implementation?

See the pictures under this link: http://hup.hu/node/140322 . ;)

Re:Why not just use OpenBSDs?

[Bengie]

OpenBSD has an entirely different kernel at this point. Their only major commonality is starting from the same OS a long time ago.

1993 - NetBSD forks 4.3BSD
1993 - FreeBSD forks 4.4BSD
1996 - OpenBSD forks NetBSD 1.0

As much as they still shared code, they have diverged over the past 20 years.

Re: Why not just use OpenBSDs?

this is interesting but aren't some of these issues already addressed in openbsd 5.8 and about to be released 5.9? 5.7 is pretty ancient at this point. would love to see how newer openbsd holds up. tried to run the tests myself but seems like they don't compile out of the box on openbsd :-( would love it if someone posted instructions.

Old story

[no-body]

Adamantix over 10 years ago but got silent after version 2 or so. Tried to find their soure recently- impossible. Would have been great to get it to current HW compatibility. End of old story.

OpenBSD?

I believe OpenBSD already added this functionality. Yer or two ago. How is this implementation better than theirs?

Re:OpenBSD?

This list should clarify things a bit.
While OpenBSD had ASLR it is lacking in many other ways.
That is the thing with security, it isn't the doors you locked that matters, it's that single one you didn't lock that is the problem.

Re:OpenBSD?

[Noryungi]

This list should clarify things a bit.
While OpenBSD had ASLR it is lacking in many other ways.
That is the thing with security, it isn't the doors you locked that matters, it's that single one you didn't lock that is the problem.

Hmmm... While I agree with you on the general principle, here are a couple of things, off the top of my head:

1. False positives ("Vulnerable" tests in your example) do exist, you know. How are you sure that OpenBSD (or FreeBSD) is vulnerable in such and such case? Have you created an exploit specifically for the things being tested by paxtest? Maybe OpenBSD has other capabilities

2. False negatives are also a thing. Even if paxtest says: "such-and-such is OK", how do you know if a clever hacker won't be able to find a way around the ASLR protection?

Also important: paxtest dates back to 2004, and, as far as I know, has never been updated since (web site here). Not that this is a bad thing, but ASLR, and security, has changed a lot since then...

Re:OpenBSD?

Wait, I'm pretty sure that the one I answered to wasn't an AC. Did Slashdot drop the poster info?

Re:OpenBSD?

[buchner.johannes]

You can achieve the same level of security with Hardened Gentoo Linux (PaX, Grsecurity2, which is Gentoo with different flags) https://wiki.gentoo.org/wiki/H... .
The only small difference is that strcpy is still allowed (applications should move to strlcpy/strpcpy instead).

Then again, I don't use hardened Gentoo, because last time I tried (couple of years back), it was hard to maintain on a simple desktop.

Other distributions that use PaX: https://en.wikipedia.org/wiki/...

My big question now...

[tlambert]

My big question now...

Can I still run the debugger on running binaries, or does the debugger now need work done on it?

Same question, but for core dumps.

Re:My big question now...

My guess is yes on non-stripped binaries and no on stripped binaries. Which is fine for development but a PITA for debugging crashes on client computers.

Re:My big question now...

More importantly it'll make some bugs harder to find - since the memory is laid out differently every time it means some bugs will appear differently every time, eg because they overflow into different memory which causes a crash that looks different every time, or sometimes doesn't crash at all.

Re:My big question now...

More importantly it'll make some bugs harder to find - since the memory is laid out differently every time it means some bugs will appear differently every time, eg because they overflow into different memory which causes a crash that looks different every time, or sometimes doesn't crash at all.

It will also reveal some bugs that were nicely hidden before, when the particular fixed allocation didn't cause any immediately visible issues.

Re:My big question now...

[tlambert]

It will also reveal some bugs that were nicely hidden before, when the particular fixed allocation didn't cause any immediately visible issues.

Fuzzing is useless, if you can't reproduce the bug.

It's the same as saying "There's a bug in there *somewhere*, but I will be damned if I can tell you where!".

Eng: "You mean 'It's broke'?"

Test: "Yeah."

Eng: "Thank you very F'ing much!"

Test: "What are you typing?"

Eng: "I'm closing your bug as 'Can not reproduce'; there: done!"

Re:My big question now...

Do you able to run debugger on linux since ~10 years with enabled ASLR? ;)

Welcome to Windows 7

[Billly+Gates]

ASLR was one of the arguments of using Windows while for some reason it is still bashed as insecure here. Chuckles

Re:Welcome to Windows 7

[WndSks]

Welcome to Vista (Beta 2, http://blogs.msdn.com/b/michae... )

Re:Welcome to Windows 7

Yes. Windows beat Mac and FreeBSD to ASLR, but was years behind everybody else (especially if you consider OOT patches.

Theo Radt commented on FreeBSD not having ASLR. He said something the the effect of, "even Windows has ASLR for fucks sake."

So, yeah, pretty sad. But, Windows still suffers insane design decisions that makes it the least secure OS in the history of software. Things like font parsing in kernel space. So, anything that uses a fucking font can gain root on a windows box (yet another exploit using this vector is in the wild right now for windows). So, yeah, windows is horrible on security. Beating freebsd to ASLR doesn't change this.

Doesn't sound like it's complete

[SleepyHappyDoc]

Perhaps they should call it "Getting Hard BSD".

How is ASLR doing on Linux?

Seriously, back in 2013 (and even before that) ASLR has been talked about on the Linux developer scene - some even post articles online about it, such as http://securityetalii.es/2013/...

As it is already 2015, how is ASLR doing on Linux?

All that effort, so little protection

If you can read the address space you can defeat ASLR. So it makes life a little more difficult, but once you've solved it you've solved it.

More 'tick in the box' security which doesn't actually provide anything useful.

Re:All that effort, so little protection

[behrooz0az]

Even if that's true there are a lot of exploits out there that can't deliver more than a few bytes of machine code.
You can't exploit stuff with less than say 100 bytes of code if you don't even have the offsets for functions that you need to call. You can with less than 30 bytes if You do(eg, socket, fork, some io).
It's not just a tick in the box.

Re:All that effort, so little protection

[Bengie]

If you can read the address space you can defeat ASLR

Ohh, you mean segfault when you read unallocated memory? Even if you could, are you planning to read all 8,589,934,592GiB of the address space? with O(n) scaling, assuming a crazy low 1 clock cycle per address, it would take you about 35 years to scan the entire 2^63 user virtual address space at 4ghz.

I am not saying ASLR is perfect, I'm just saying it's not nearly as simple as you make it out to be.

Re:All that effort, so little protection

[TheRaven64]

Read this paper if you want to know how easy it is.

OpenBSD?

Didn't OpenBSD do this, and more, the other year?

ASLR?

[tersegon]

I don't understand what this has to do with videos of whispering women.

Pollination is good

[fnj]

If this gets ported to FreeBSD I say hurrah and many thanks to HardenedBSD!

Re:Pollination is good

[Bengie]

Pollination is good

HardenedBSD was forked with the explicit idea of testing new security ideas and seeing what works, then pushing the code upstream back to FreeBSD. *BSD is not like Linux distros where they rarely work together. A lot of security ideas require some major changes that would not be feasible as a simple branch.

Right, Let's hope OS X gets jumps in too !

Right, I'm whishing OS X would try to catch up also ...

I just did quick and dirty port to get it compiled and see how Yosemite compares.

ac

ps. Slashdot is hostile towards posting code & patches, I got complained about using less 'junk' characters up until I removed all of that what's linked.

brains....

yes, I like FreeBSD.

Unfortunately, they (hardenedbsd) just made it the ASLR implementation unusable: flash player is forbidden. So, then anyway I don't need ASLR. linux layer is not supported. Great decision. First they put all the work in hardeningf BSD which makes a great desktop, then they through out basically the main reason why someone on the desktop would indeeeed neeeeeed ASLR.
Really. Great. get some brains, and start again.

Re:brains....

Flash is being phased out. There are many BSD desktop users that do not care for flash.