HardenedBSD Completes Strong ASLR Implementation
New submitter HardenedBSD writes: A relatively new fork of FreeBSD, HardenedBSD, has completed its Address Space Layout Randomization (ASLR) feature. Without ASLR, applications are loaded into memory in a deterministic manner. An attacker who knows where a vulnerability lies in memory can reliably exploit that vulnerability to manipulate the application into doing the attacker's bidding. ASLR removes the determinism, making it so that even if an attacker knows that a vulnerability exists, he doesn't know where that vulnerability lies in memory. HardenedBSD's particular implementation of ASLR is the strongest form ever implemented in any of the BSDs.
The next step is to update documentation and submit updates to the patches they have already submitted upstream to FreeBSD. ASLR is the first step in a long list of exploit mitigation technologies HardenedBSD plans to implement.
Re: (Score:2)
It took you more time to explain why you don't want an account that it'd have taken for you to make one. As for logging in every time, how about, I dunno, keeping your account logged in?
Update documentation (Score:4, Funny)
That's always my next step too
Cool (Score:1)
Pretty cool stuff. Nice to see more distros do this stuff. Personally I'm using openbsd for all my work these days because they have pretty much all these things turned on (and have had them for a long time)
Re: (Score:1)
I'm using openbsd for all my work
Nice to see more distros do this stuff.
Something tells me you aren't as familiar with the BSDs as you pretend to be. What could it possibly be?
Re: (Score:2)
BSD doesn't have "distributions" in the way GNU/Linux does, dear AC. The concept doesn't quite apply.
Re: (Score:2)
The next step is to update documentation and submit updates to the patches they have already submitted upstream to FreeBSD
Re: (Score:2)
BROP doesn't work against a proper ASLR implementation
Define 'proper'. Re-randomisation after every fork()? Good luck with that. PLTs at random offsets? Sure, if you're willing to pay the overhead of not being able to share any position-independent code between processes.
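An added illustration of the fork() point raised above (this is not code from the thread or from HardenedBSD): a forked child inherits its parent's address-space layout byte for byte, so any address valid in the parent stays valid in every child unless the system re-randomises after fork(). It assumes a POSIX system; the probing and counting functions are hypothetical helpers written for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* A few addresses that ASLR is supposed to make unpredictable. */
typedef struct { uintptr_t stack, heap, text, libc; } layout_t;

static layout_t probe_layout(void *stack_mark) {
    void *h = malloc(64);                 /* next chunk the allocator hands out */
    layout_t l = { (uintptr_t)stack_mark, (uintptr_t)h,
                   (uintptr_t)&probe_layout,   /* program text */
                   (uintptr_t)&strlen };       /* libc (or its PLT stub) */
    free(h);
    return l;
}

/* Fork n children; each re-probes its own layout and reports it over a pipe.
   Returns how many children saw exactly the parent's layout: n on a system
   that does not re-randomise after fork(), -1 on error. */
int count_children_sharing_layout(int n) {
    int same = 0;
    layout_t parent = probe_layout(&same);
    for (int i = 0; i < n; i++) {
        int fd[2];
        if (pipe(fd) != 0) return -1;
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {                       /* child: probe, report, exit */
            layout_t mine = probe_layout(&same);
            ssize_t w = write(fd[1], &mine, sizeof mine);
            _exit(w == (ssize_t)sizeof mine ? 0 : 1);
        }
        close(fd[1]);
        layout_t child;
        if (read(fd[0], &child, sizeof child) == (ssize_t)sizeof child &&
            memcmp(&child, &parent, sizeof child) == 0)
            same++;
        close(fd[0]);
        waitpid(pid, NULL, 0);
    }
    return same;
}

int main(void) {
    int n = 4, shared = count_children_sharing_layout(n);
    printf("%d of %d forked children share the parent's layout\n", shared, n);
    return shared == n ? 0 : 1;
}
```

This is why a forking server that never exec()s gives a remote attacker a stable layout to work against across many connections, and why re-randomisation after fork() is the knob the commenter is weighing against the cost of losing shared position-independent code.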
Re: (Score:1)
Moo [geoffreygolden.com]
Why not just use OpenBSDs? (Score:1)
Wouldn't it be easier to just import OpenBSD's implementation?
Re:Why not just use OpenBSDs? (Score:5, Interesting)
Wouldn't it be easier to just import OpenBSD's implementation?
See the pictures under this link: http://hup.hu/node/140322 [hup.hu]. ;)
Re: (Score:2)
1993 - NetBSD forks 4.3BSD
1993 - FreeBSD forks 4.4BSD
1996 - OpenBSD forks NetBSD 1.0
As much as they still shared code, they have diverged over the past 20 years.
Old story (Score:3)
Adamantix over 10 years ago but got silent after version 2 or so. Tried to find their source recently: impossible. Would have been great to get it to current HW compatibility. End of old story.
OpenBSD? (Score:2, Interesting)
I believe OpenBSD already added this functionality. Year or two ago. How is this implementation better than theirs?
Re: (Score:2, Interesting)
This list [hup.hu] should clarify things a bit.
While OpenBSD had ASLR it is lacking in many other ways.
That is the thing with security, it isn't the doors you locked that matters, it's that single one you didn't lock that is the problem.
Hmmm... While I agree with you on the general principle, here are a couple of things, off the top of my head:
1. False positives ("Vulnerable" tests in your example) do exist, you know. How are you sure that OpenBSD (or FreeBSD) is vulnerable in such and such case? Have you created an exploit specifically for the things being tested by paxtest? Maybe OpenBSD has other capabilities
2. False negatives are also a thing. Even if paxtest says: "such-and-such is OK", how do you know if a clever hacker won't be able
Re: (Score:2)
You can achieve the same level of security with Hardened Gentoo Linux (PaX, Grsecurity2, which is Gentoo with different flags) https://wiki.gentoo.org/wiki/H... [gentoo.org] .
The only small difference is that strcpy is still allowed (applications should move to strlcpy/strpcpy instead).
Then again, I don't use hardened Gentoo, because last time I tried (couple of years back), it was hard to maintain on a simple desktop.
Other distributions that use PaX: https://en.wikipedia.org/wiki/... [wikipedia.org]
My big question now... (Score:4, Interesting)
My big question now...
Can I still run the debugger on running binaries, or does the debugger now need work done on it?
Same question, but for core dumps.
Re: (Score:3)
It will also reveal some bugs that were nicely hidden before, when the particular fixed allocation didn't cause any immediately visible issues.
Fuzzing is useless, if you can't reproduce the bug.
It's the same as saying "There's a bug in there *somewhere*, but I will be damned if I can tell you where!".
Eng: "You mean 'It's broke'?"
Test: "Yeah."
Eng: "Thank you very F'ing much!"
Test: "What are you typing?"
Eng: "I'm closing your bug as 'Can not reproduce'; there: done!"
Welcome to Windows 7 (Score:1, Troll)
ASLR was one of the arguments of using Windows while for some reason it is still bashed as insecure here. Chuckles
Doesn't sound like it's complete (Score:2, Funny)
Perhaps they should call it "Getting Hard BSD".
Re: (Score:1)
You can't exploit stuff with less than say 100 bytes of code if you don't even have the offsets for functions that you need to call. You can with less than 30 bytes if you do (e.g., socket, fork, some io).
It's not just a tick in the box.
Re: (Score:3)
If you can read the address space you can defeat ASLR
Ohh, you mean segfault when you read unallocated memory? Even if you could, are you planning to read all 8,589,934,592 GiB of the address space? With O(n) scaling, assuming a crazy low 1 clock cycle per address, it would take you about 35 years to scan the entire 2^63 user virtual address space at 4 GHz.
I am not saying ASLR is perfect, I'm just saying it's not nearly as simple as you make it out to be.
Pollination is good (Score:2)
If this gets ported to FreeBSD I say hurrah and many thanks to HardenedBSD!
Re: (Score:3)
Pollination is good
HardenedBSD was forked with the explicit idea of testing new security ideas and seeing what works, then pushing the code upstream back to FreeBSD. *BSD is not like Linux distros where they rarely work together. A lot of security ideas require some major changes that would not be feasible as a simple branch.