Implementing ASLR in FreeBSD
BSDCan
17 May 2014
Tags: FreeBSD, ASLR, Security, grsec, pax

Shawn "lattera" Webb
SoldierX
lattera@gmail.com
https://www.soldierx.com/
@lattera

* About the Author
- Fan of opensource
- FreeBSD and ZFS fanboy
- Passionate about security
- Submitted patches to FreeBSD
- Maintainer of a few FreeBSD ports
- Author of libhijack: runtime process infection made easy on Linux and FreeBSD

Disclaimer: opinions, ideas, thoughts, etc are mine, not my employer's

.image new_sx_logo_v2.png 150 150

* Agenda
- Definitions
- History of ASLR (according thusly to ye olde Wikipedia)
- FreeBSD's security strengths
- FreeBSD's security weaknesses
- Learning from others
- How ASLR is implemented
- How to use ASLR on FreeBSD
- Further research/work
- Live demo

* Definitions
- Security: What Sony and Mt Gox have in common: they suck at it. Ever-increasing layers of an onion that make everyone tear up.
- Exploit mitigation: a method or technique to prevent the sucessful exploitation of security vulnerabilities.
- ASLR - Address Space Layout Randomization: An exploit mitigation technique by which the memory mappings of a given process are placed in random locations.

What ASLR helps protect against:
- Buffer overflows
- ret2libc attacks
- Essentially, low-level security vulnerabilities

What ASLR doesn't help protect against:
- SQL injection
- System configuration oopsies
- Essentially, higher-level security vulnerabilities

* History of ASLR
- July 2001: One or more talented persons, known as the PaX team, created a patch to the Linux kernel implementing ASLR.
- 2004: OpenBSD starts work on implementing ASLR. Gets everything except for execbase randomization (Position Independent Executables).
- June 2005: Linux rips PaX's ASLR, dumbing it down and calling it secure.
- 2007: Windows Vista introduces ASLR. Major problems with their implementation, even today.
- 2007: Apple starts working on ASLR for OSX
- 2008: OpenBSD completes ASLR implementation with PIE support.
- 2011: ASLR introduced in Solaris 11
- 2012: Apple finishes ASLR for OSX
- 2014: Oliver Pinter and Shawn Webb submit ASLR patches to FreeBSD

* FreeBSD's Security Strengths

Mostly based on policies:

- MAC framework
- NFSv4 and Posix ACLs
- Securelevel
- auditdistd
- Jails (and soon/now: bhyve)

Non-policy technologies:

- Non-exec stack
- ptrace restriction

* FreeBSD's Security Weaknesses

- Only one exploit mitigation technology: non-exec (NX) stack
- Gotcha: NX stack not working for all platforms
- No PIE support in base
- No ASLR
- The many features of grsec

* Learning From Others
Linux:
- Hooray politics!
- If you rip off PaX and grsec, make your rip off less secure, claim it to be more secure, you're gonna have a bad time.
- Only one knob: turn ASLR on and off for the whole system (half-truth, you can turn ASLR off on a per-run basis: setarch $(uname -m) -R ./yourProgram)
- Weak. Linux's ASLR has weaknesses.

Windows:
- Overall a pretty decent technical implementation
- BIIIIIG problem: individual EXEs and DLLs can have ASLR turned on or off

* Introducing ASLR in FreeBSD

Available on all architectures

Features:
- Execution base randomzation for position-independent executables
- Per-jail ASLR settings
- NX stack on architectures where NX stack wasn't being obeyed (bug?)
- Segmentation fault protection (via segvguard)
- OMG awesomeness: ugidfw(8)/mac_bsdextended(4) integration for fine-grained, high-level control

* How ASLR is Implemented - High-Level Details
- Per-jail settings
- Knobs:
  security.pax.aslr.status: 1
  security.pax.aslr.debug: 0
  security.pax.aslr.mmap_len: 16
  security.pax.aslr.stack_len: 12
  security.pax.aslr.exec_len: 21
- If COMPAT_FREEBSD32 is defined
  security.pax.aslr.compat.status: 1
  security.pax.aslr.compat.mmap_len: 8
  security.pax.aslr.compat.stack_len: 6
  security.pax.aslr.compat.exec_len: 6
- What about applications that don't support ASLR? (exhibit crashes, proprietary/can't compile, etc.)
- Knobs can be set per-jail. Set up a jail with ASLR turned off in just that jail. Jail the misbehaving application.

* How ASLR is Implemented - High-Level Details

ugidfw(8) integration:
- Create firewall-like rules for controlling ASLR behavior
- Very powerful
- My changes to ugidfw cause ABI breakage

Example usage:
ugidfw add subject uid shawn object filesys /usr/home/shawn/tmp/test mode rwxs paxflags a

* How ASLR is Implemented - Low-Level Details

`sys/kern/kern_pax.c` - Generic functions

`sys/kern/kern_pax_aslr.c` - Brains of ASLR

`sys/kern/kern_pax_segvguard.c` - Brains of segvguard

`sys/kern/imgact_elf.c` - RTLD randomizations
- Normally, the RTLD is loaded at the same spot each time it's loaded, then it reloads itself in a random spot
- So, immediately randomize the RTLD
- PIE support

Position-Independent Executables:
- Guaranteed to be loaded at a non-NULL address
- WITH_PIE knob (defaulted to off), each application must also define CAN_PIE if said app can be compiled with -fPIE -pie (some apps can't be)
- Some apps in base have CAN_PIE defined. Need more. Major project: ports

* How to use ASLR on FreeBSD
- Compile kernel with PAX_ASLR option
- `sysctl security.pax.aslr.status=[n]` - Enable/disable ASLR, n > 1 is enabled, n == 0 is disabled
- Enabled by default
- Child jails will inherit parent jail's settings
- Even the host is a jail (JID 0, invisible to the user)
- Compile applications with -fPIE -pie (note: how many ports entries do we have?)

* Segfault Protection
- AKA PaX segvguard
- Application dies due to segfault, insert delay before application can restart
- Too many segfaults within a given period, application is blocked from restarting during a given period
- Controllable via sysctl knobs
- Recommended, but not required, for proper ASLR implementation

* Future Work
- ARM help: applications segfault when their child processes exit (_only_ on ARM)
- Testing. Testing. And more testing!
- Better support custom jailing
- Support PIE with high-visibility applications (network daemons, first)
- Porting of more grsec/PaX features

* A Special Thank You

Oliver Pinter - Codeveloper, original porter of ASLR to FreeBSD
Danilo Egea (danilo) - Codeveloper, principal developer of segvguard on FreeBSD
Ryan Steinmetz (zi) - Coworker with awesome ideas
Johannes Meixner (xmj) - Convinced me to do stuff
[[https://www.soldierx.com/][SoldierX]] - Donating hardware

* References

General ASLR:

[[http://pax.grsecurity.net/][The PaX Team]]
[[https://en.wikipedia.org/wiki/Address_space_layout_randomization][Wikipedia - Address Space Layout Randomization]]

OSX:

[[http://blog.azimuthsecurity.com/2014/03/attacking-ios-7-earlyrandom-prng.html][Attacking the iOS 7 early_random() PRNG]]

Windows:

[[http://cansecwest.com/slides/2013/DEP-ASLR%20bypass%20without%20ROP-JIT.pdf][DEP/ASLR bypass without ROP/JIT]]
[[http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/][Bypassing EMET 4.1]]
[[http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx][On the Effectiveness of DEP and ASLR]]

* References (cont'd)

Linux:

[[http://danigargu.blogspot.com/2013/01/having-fun-with-rop-nxaslr-bypass-linux_18.html][Having fun with ROP - NX/ASLR Bypass]]

[[http://nebelwelt.net/publications/12TRpie/gccPIE-TR120614.pdf][Whitepaper - Too Much PIE is bad for Performance]]

[[https://www.cert.org/blogs/certcc/post.cfm?EntryID=191][Differences Between ASLR on Windows and Linux]]