Implementing ASLR in FreeBSD BSDCan 17 May 2014 Tags: FreeBSD, ASLR, Security, grsec, pax Shawn "lattera" Webb SoldierX lattera@gmail.com https://www.soldierx.com/ @lattera * About the Author - Fan of opensource - FreeBSD and ZFS fanboy - Passionate about security - Submitted patches to FreeBSD - Maintainer of a few FreeBSD ports - Author of libhijack: runtime process infection made easy on Linux and FreeBSD Disclaimer: opinions, ideas, thoughts, etc are mine, not my employer's .image new_sx_logo_v2.png 150 150 * Agenda - Definitions - History of ASLR (according thusly to ye olde Wikipedia) - FreeBSD's security strengths - FreeBSD's security weaknesses - Learning from others - How ASLR is implemented - How to use ASLR on FreeBSD - Further research/work - Live demo * Definitions - Security: What Sony and Mt Gox have in common: they suck at it. Ever-increasing layers of an onion that make everyone tear up. - Exploit mitigation: a method or technique to prevent the sucessful exploitation of security vulnerabilities. - ASLR - Address Space Layout Randomization: An exploit mitigation technique by which the memory mappings of a given process are placed in random locations. What ASLR helps protect against: - Buffer overflows - ret2libc attacks - Essentially, low-level security vulnerabilities What ASLR doesn't help protect against: - SQL injection - System configuration oopsies - Essentially, higher-level security vulnerabilities * History of ASLR - July 2001: One or more talented persons, known as the PaX team, created a patch to the Linux kernel implementing ASLR. - 2004: OpenBSD starts work on implementing ASLR. Gets everything except for execbase randomization (Position Independent Executables). - June 2005: Linux rips PaX's ASLR, dumbing it down and calling it secure. - 2007: Windows Vista introduces ASLR. Major problems with their implementation, even today. - 2007: Apple starts working on ASLR for OSX - 2008: OpenBSD completes ASLR implementation with PIE support. - 2011: ASLR introduced in Solaris 11 - 2012: Apple finishes ASLR for OSX - 2014: Oliver Pinter and Shawn Webb submit ASLR patches to FreeBSD * FreeBSD's Security Strengths Mostly based on policies: - MAC framework - NFSv4 and Posix ACLs - Securelevel - auditdistd - Jails (and soon/now: bhyve) Non-policy technologies: - Non-exec stack - ptrace restriction * FreeBSD's Security Weaknesses - Only one exploit mitigation technology: non-exec (NX) stack - Gotcha: NX stack not working for all platforms - No PIE support in base - No ASLR - The many features of grsec * Learning From Others Linux: - Hooray politics! - If you rip off PaX and grsec, make your rip off less secure, claim it to be more secure, you're gonna have a bad time. - Only one knob: turn ASLR on and off for the whole system (half-truth, you can turn ASLR off on a per-run basis: setarch $(uname -m) -R ./yourProgram) - Weak. Linux's ASLR has weaknesses. Windows: - Overall a pretty decent technical implementation - BIIIIIG problem: individual EXEs and DLLs can have ASLR turned on or off * Introducing ASLR in FreeBSD Available on all architectures Features: - Execution base randomzation for position-independent executables - Per-jail ASLR settings - NX stack on architectures where NX stack wasn't being obeyed (bug?) - Segmentation fault protection (via segvguard) - OMG awesomeness: ugidfw(8)/mac_bsdextended(4) integration for fine-grained, high-level control * How ASLR is Implemented - High-Level Details - Per-jail settings - Knobs: security.pax.aslr.status: 1 security.pax.aslr.debug: 0 security.pax.aslr.mmap_len: 16 security.pax.aslr.stack_len: 12 security.pax.aslr.exec_len: 21 - If COMPAT_FREEBSD32 is defined security.pax.aslr.compat.status: 1 security.pax.aslr.compat.mmap_len: 8 security.pax.aslr.compat.stack_len: 6 security.pax.aslr.compat.exec_len: 6 - What about applications that don't support ASLR? (exhibit crashes, proprietary/can't compile, etc.) - Knobs can be set per-jail. Set up a jail with ASLR turned off in just that jail. Jail the misbehaving application. * How ASLR is Implemented - High-Level Details ugidfw(8) integration: - Create firewall-like rules for controlling ASLR behavior - Very powerful - My changes to ugidfw cause ABI breakage Example usage: ugidfw add subject uid shawn object filesys /usr/home/shawn/tmp/test mode rwxs paxflags a * How ASLR is Implemented - Low-Level Details `sys/kern/kern_pax.c` - Generic functions `sys/kern/kern_pax_aslr.c` - Brains of ASLR `sys/kern/kern_pax_segvguard.c` - Brains of segvguard `sys/kern/imgact_elf.c` - RTLD randomizations - Normally, the RTLD is loaded at the same spot each time it's loaded, then it reloads itself in a random spot - So, immediately randomize the RTLD - PIE support Position-Independent Executables: - Guaranteed to be loaded at a non-NULL address - WITH_PIE knob (defaulted to off), each application must also define CAN_PIE if said app can be compiled with -fPIE -pie (some apps can't be) - Some apps in base have CAN_PIE defined. Need more. Major project: ports * How to use ASLR on FreeBSD - Compile kernel with PAX_ASLR option - `sysctl security.pax.aslr.status=[n]` - Enable/disable ASLR, n > 1 is enabled, n == 0 is disabled - Enabled by default - Child jails will inherit parent jail's settings - Even the host is a jail (JID 0, invisible to the user) - Compile applications with -fPIE -pie (note: how many ports entries do we have?) * Segfault Protection - AKA PaX segvguard - Application dies due to segfault, insert delay before application can restart - Too many segfaults within a given period, application is blocked from restarting during a given period - Controllable via sysctl knobs - Recommended, but not required, for proper ASLR implementation * Future Work - ARM help: applications segfault when their child processes exit (_only_ on ARM) - Testing. Testing. And more testing! - Better support custom jailing - Support PIE with high-visibility applications (network daemons, first) - Porting of more grsec/PaX features * A Special Thank You Oliver Pinter - Codeveloper, original porter of ASLR to FreeBSD Danilo Egea (danilo) - Codeveloper, principal developer of segvguard on FreeBSD Ryan Steinmetz (zi) - Coworker with awesome ideas Johannes Meixner (xmj) - Convinced me to do stuff [[https://www.soldierx.com/][SoldierX]] - Donating hardware * References General ASLR: [[http://pax.grsecurity.net/][The PaX Team]] [[https://en.wikipedia.org/wiki/Address_space_layout_randomization][Wikipedia - Address Space Layout Randomization]] OSX: [[http://blog.azimuthsecurity.com/2014/03/attacking-ios-7-earlyrandom-prng.html][Attacking the iOS 7 early_random() PRNG]] Windows: [[http://cansecwest.com/slides/2013/DEP-ASLR%20bypass%20without%20ROP-JIT.pdf][DEP/ASLR bypass without ROP/JIT]] [[http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/][Bypassing EMET 4.1]] [[http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx][On the Effectiveness of DEP and ASLR]] * References (cont'd) Linux: [[http://danigargu.blogspot.com/2013/01/having-fun-with-rop-nxaslr-bypass-linux_18.html][Having fun with ROP - NX/ASLR Bypass]] [[http://nebelwelt.net/publications/12TRpie/gccPIE-TR120614.pdf][Whitepaper - Too Much PIE is bad for Performance]] [[https://www.cert.org/blogs/certcc/post.cfm?EntryID=191][Differences Between ASLR on Windows and Linux]]