OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: franco on March 30, 2016, 02:38:46 pm

Title: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: franco on March 30, 2016, 02:38:46 pm
Hello everyone,

With the help of Shawn and Olivér from HardenedBSD we have finally incorporated the first piece of their wonderfully crafted improvements: Address Space Layout Randomization, or ASLR for short. This change only affects the kernel and is now open for public testing.

Things to be aware of:

This is a call for testing that replaces the kernel. Use with care. The old kernel can still be booted from the early boot menu under option (5), selecting "kernel.old" and then continue the boot with option (1).

The kernel ABI changes, VMware and XEN plugins may not work at the moment. This problem can only be addressed once the kernel is in place and our packages use the new API. Manually compiled drivers may need to be recompiled against the current master of src.git

The impact of the patch is minimal, the system will boot ok, continue to function normally and ASLR will be enabled as "opt-out", which means it will be on by default.

The next firmware upgrade will remove the test kernel and switch back to a vanilla version without ASLR. In those cases, the kernel needs to be reapplied.

To switch to the ASLR kernel:

# opnsense-update -kr 16.1.8-aslr && /usr/local/etc/rc.reboot

To switch back to the standard kernel:

# opnsense-update -k && /usr/local/etc/rc.reboot

I will ask Shawn to explain the impact of the patch a bit more as well as what it means for going forward.

On a more or less related note: consider me totally happy about this CFT :)


Have fun,
Franco
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: lattera on March 30, 2016, 07:20:27 pm
I'd first like to say thank you to Franco and the rest of the OPNsense team for working with me on this. Their continual focus on security and community development never ceases to impress me. They have been a delight to work with.

The ASLR patch that OPNsense imported came directly from HardenedBSD. Last week, I took a few hours to backport our patch from 11-CURRENT to a format that OPNsense could import into 10-STABLE and 10.2-RELEASE. Franco was extremely kind to help in testing the backported patch. I'd like to thank him for his efforts and contributions.

There has recently become available a patch for FreeBSD for their own ASLR implementation. Being a fresh effort, it will require more work and peer review until it is going to be included in FreeBSD. And it is actually ASR, not ASLR. Due to being ASR, it has the potential to fragment the virtual address space. If the virtual address space is fragmented enough ASR could be disabled. FreeBSD's implementation also provides an API for non-root users to disable ASR for their own processes. HardenedBSD's implementation provides no such API and does not cause address space fragmentation issues. FreeBSD's patch under review can be found here: https://reviews.freebsd.org/D5603

No matter the architecture (amd64 vs i386 vs arm vs arm64, etc.), the HardenedBSD ASLR patch provides a performance impact so small that the authors of the patch (Oliver Pinter and myself) do not know how to accurately measure the impact.

As of this writing, OPNsense does not support building applications as Position-Independent Executables (PIEs). That will come soon. Compiling an application as a PIE allows that application to take full advantage of ASLR.

On amd64, compiling the application as a PIE incurs zero overhead. On i386, the performance impact could be as large as 12%. It's important to note that the overhead on i386 is _NOT_ due to HardenedBSD's ASLR implementation, but due to the i386 architecture. PIE on i386 places additional requirements that cause performance degradation.

HardenedBSD's ASLR implementation has proven to be rock solid over the multiple-year span it has been developed. It performs extremely well and, of all the BSD ASLR implementations, introduces the most entropy into the process' address space. I know of no other ASLR implementation that introduces 41 bits of entropy into the stack on amd64.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: sergey1984qq on April 03, 2016, 11:14:00 am
Thank you! I am trying it now.
Hopefully these https://pkg.opnsense.org/snapshots/hbsd-exp-09/ are going to be released as an option, like the SSL library change, so that we are able to switch between vanilla and HardenedBSD firmware. Most likely I would like to see this feature.

It's funny, but the pfSense developers released 2.3 alpha too ;D It would be great to see how the competition between the two progresses as time passes by.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: sergey1984qq on April 03, 2016, 12:04:37 pm
OK, I am now on the new kernel. How do I check which kernel I am using?
The following commands don't provide any detailed information about whether it is "hardened" or not:
Code:
root@home_gateway:~ # ps aux | grep kernel
root       0   0.0  0.0      0   160  -  DLs  12:56PM 0:00.01 [kernel]
root   55148   0.0  0.2  18728  2244  0  S+   12:58PM 0:00.00 grep kernel
root@home_gateway:~ # ps aux | grep kernel | more
root       0   0.0  0.0      0   160  -  DLs  12:56PM 0:00.01 [kernel]
root   55465   0.0  0.2  18728  2248  0  S+   12:58PM 0:00.00 grep kernel
root@home_gateway:~ # freebsd-version -k
10.2-RELEASE-p14
root@home_gateway:~ # freebsd-version -u
10.2-RELEASE-p14
root@home_gateway:~ # uname -mrs
FreeBSD 10.2-RELEASE-p14 amd64
root@home_gateway:~ # getconf LONG_BIT
64
root@home_gateway:~ # uname -a
FreeBSD home_gateway.home 10.2-RELEASE-p14 FreeBSD 10.2-RELEASE-p14 #0 eda6bf2(master): Wed Mar 30 06:11:42 CEST 2016     root@sensey64:/usr/obj/usr/src/sys/SMP  amd64


Can I issue some special command to see if I am using the hardened kernel rather than the vanilla one? I just googled some commands, but all of them return somewhat default results which do not represent the current state of "hardened" or not.

Anyway, it runs normally for me as a home gateway user.

Thank you!
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: franco on April 03, 2016, 12:24:18 pm
Code:
# dmesg | grep HBSD
[HBSD ASLR (compat)] status: opt-out
[HBSD ASLR (compat)] mmap: 14 bit
[HBSD ASLR (compat)] exec base: 14 bit
[HBSD ASLR (compat)] stack: 14 bit
[HBSD ASLR (compat)] vdso: 8 bit
[HBSD LOG] logging to system: enabled
[HBSD LOG] logging to user: disabled
[HBSD ASLR] status: opt-out
[HBSD ASLR] mmap: 30 bit
[HBSD ASLR] exec base: 30 bit
[HBSD ASLR] stack: 42 bit
[HBSD ASLR] vdso: 28 bit
[HBSD ASLR] map32bit: 18 bit
[HBSD ASLR] disallow MAP_32BIT mode mmap: opt-in

It'll show you some basic info about the implementation. If everything continues to work that is about all that there is to it from the user perspective. The next step will be to (selectively) add PIE to main executables in order to take advantage of the full scope of ASLR.

There will be more HardenedBSD additions in the future. OPNsense will likely stay on 10.x for a bit longer than HardenedBSD builds with OPNsense (these use 11-CURRENT), but eventually the two paths will become more similar, as we keep integrating additions and go forward with FreeBSD progress adoption.

Thank you for testing. :)
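
Added example, not part of the thread and not OPNsense or HardenedBSD code: a small sh script that parses the "[HBSD ASLR]" boot messages shown above to tell an ASLR kernel from a vanilla one, which uname and freebsd-version cannot do. The function names are hypothetical, and treating any status other than "opt-out" as a non-default state is an assumption based only on the values visible in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): check HardenedBSD ASLR boot messages.
# Usage: dmesg | hbsd_aslr_report   (if the live buffer has wrapped, FreeBSD
# keeps the boot-time messages in /var/run/dmesg.boot).

# hbsd_aslr_field CLASS KEY: print the value logged for KEY.
# CLASS is "native" for "[HBSD ASLR]" lines, "compat" for "[HBSD ASLR (compat)]".
hbsd_aslr_field() {
    awk -v class="$1" -v key="$2" '
    BEGIN { p["compat"] = "[HBSD ASLR (compat)] "; p["native"] = "[HBSD ASLR] " }
    index($0, p[class]) == 1 {
        rest = substr($0, length(p[class]) + 1)
        sep = index(rest, ": ")
        if (sep && substr(rest, 1, sep - 1) == key) { print substr(rest, sep + 2); exit }
    }'
}

# hbsd_aslr_report: returns 0 if ASLR is on by default (status opt-out),
# 1 for any other status (assumption: only opt-out appears in the thread),
# 2 if there are no [HBSD ASLR] lines (vanilla kernel, or messages rotated away).
hbsd_aslr_report() {
    msgs=$(cat)
    st=$(printf '%s\n' "$msgs" | hbsd_aslr_field native status)
    if [ -z "$st" ]; then
        echo "no [HBSD ASLR] messages: not an ASLR kernel, or boot log wrapped"
        return 2
    fi
    echo "ASLR status: $st"
    for key in mmap "exec base" stack vdso; do
        n=$(printf '%s\n' "$msgs" | hbsd_aslr_field native "$key")
        c=$(printf '%s\n' "$msgs" | hbsd_aslr_field compat "$key")
        echo "  $key: native ${n:-?}, compat ${c:-?}"
    done
    [ "$st" = "opt-out" ]
}

# Sample input: the dmesg lines posted in this thread (amd64 test kernel).
SAMPLE='[HBSD ASLR (compat)] status: opt-out
[HBSD ASLR (compat)] mmap: 14 bit
[HBSD ASLR (compat)] exec base: 14 bit
[HBSD ASLR (compat)] stack: 14 bit
[HBSD ASLR (compat)] vdso: 8 bit
[HBSD LOG] logging to system: enabled
[HBSD LOG] logging to user: disabled
[HBSD ASLR] status: opt-out
[HBSD ASLR] mmap: 30 bit
[HBSD ASLR] exec base: 30 bit
[HBSD ASLR] stack: 42 bit
[HBSD ASLR] vdso: 28 bit
[HBSD ASLR] map32bit: 18 bit
[HBSD ASLR] disallow MAP_32BIT mode mmap: opt-in'

printf '%s\n' "$SAMPLE" | hbsd_aslr_report
```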
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: klausneil on April 03, 2016, 10:11:25 pm
Hi, does somebody have documentation for this project? Thanks.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: packet loss on April 04, 2016, 07:00:09 am
Just FYI I'm testing this new kernel as well.

Quote
Hi, does somebody have documentation for this project? Thanks.

HardenedBSD Website (https://hardenedbsd.org/)
HardenedBSD github wiki (https://github.com/HardenedBSD/hardenedBSD/wiki/)
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: sergey1984qq on April 04, 2016, 09:42:17 am
Yep, I see the same output and it works now on my machine, thank you.

Code:
# dmesg | grep HBSD
[HBSD ASLR (compat)] status: opt-out
[HBSD ASLR (compat)] mmap: 14 bit
[HBSD ASLR (compat)] exec base: 14 bit
[HBSD ASLR (compat)] stack: 14 bit
[HBSD ASLR (compat)] vdso: 8 bit
[HBSD LOG] logging to system: enabled
[HBSD LOG] logging to user: disabled
[HBSD ASLR] status: opt-out
[HBSD ASLR] mmap: 30 bit
[HBSD ASLR] exec base: 30 bit
[HBSD ASLR] stack: 42 bit
[HBSD ASLR] vdso: 28 bit
[HBSD ASLR] map32bit: 18 bit
[HBSD ASLR] disallow MAP_32BIT mode mmap: opt-in
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: Solaris17 on April 08, 2016, 04:28:15 am
Been working great so far on the new kernel.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: packet loss on April 09, 2016, 04:42:39 pm
I didn't notice any problems with OPNsense 16.1.8 when using the kernel based on HBSD ASLR.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: Solaris17 on April 12, 2016, 05:18:15 pm
Hm, I ran into an issue today with my core server. WDS is no longer functioning on the network after the upgrade. Clients aren't getting the PXE response. Has anyone had similar issues or any tips I can look at?
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: franco on April 12, 2016, 05:47:23 pm
Can we see the DHCP log (PM if sensitive)?

We'll also need to confirm that the two are related. Can you revert to the release version?

# opnsense-update -bk && /usr/local/etc/rc.reboot


Cheers,
Franco
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: Solaris17 on April 12, 2016, 11:56:01 pm
Hi Franco, thanks for the reply. I haven't run into any issues with the new build since the update, so I tried to investigate a bit further on my own before I took up any more of your time. I found the issue completely by accident. I went to jack into the core switch with my work laptop, which boots by PXE by default. It worked flawlessly. I went over to the 48 port that does our distribution and it failed. I swapped it out with an old Cisco 24 port and it worked flawlessly. Looks like something happened with the switch that our PXE machines use. No worries, sorry for the trouble!
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: franco on April 13, 2016, 12:34:26 am
Better safe than sorry. No worries. :)

The update will also wipe the test kernel, I kind of forgot to mention.

Although it says "16.1.8-aslr" it's really all of 16.1.9 so testing can continue for a bit more.

But looking at the smooth run it's merge time soon if Shawn agrees.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: lattera on April 13, 2016, 01:46:04 am
Quote
But looking at the smooth run it's merge time soon if Shawn agrees.

I tried finding a meme for "But of course!" but I couldn't really find one that fit my groove. So: YES! And yay!
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: franco on April 16, 2016, 05:31:02 pm
Super. :) So to go the extra mile before releasing it to the public, there is one last ASLR test kernel based on the current kernel (16.1.9 as 16.1.10 has no new kernel):

# opnsense-update -kr 16.1.9-aslr && /usr/local/etc/rc.reboot

Report back, even if ok. Thanks everyone!!!
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: Solaris17 on April 16, 2016, 08:16:26 pm
I actually can't :/ I can't access my router via PuTTY. I'm certain the password for root is correct and even logged in via the GUI to change it in case it wasn't, and yet I still receive Access Denied when attempting to log in via SSH.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: fabian on April 16, 2016, 08:54:09 pm
Is password authentication enabled and allowed?
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: Solaris17 on April 16, 2016, 09:04:11 pm
Found it. It was, but allow root login wasn't checked.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: packet loss on April 17, 2016, 04:05:04 am
I'm using the ASLR based kernel with OPNsense 16.1.10. I'll report back in a few days if I notice any issues.
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: franco on May 20, 2016, 08:54:39 am
Hello everyone,

All the commits have been moved into place for the new kernel with ASLR.

There is one final testing kernel that y'all can try out and report back. It would be nice to get a note in the form of "now running amd64 ASLR" or "now running i386 ASLR" respectively so we know that when there are no more reports about issues that we can go full-speed ahead.

The kernel is identical to 16.1.14 except for the ASLR additions. You can upgrade like this:

# opnsense-update -hkr 16.1.14-aslr && /usr/local/etc/rc.reboot

(-h is new, it will register the kernel as 16.1.14 instead so it is not lost on firmware upgrades that do not update the kernel.)

FWIW, now running amd64 ASLR :)


Cheers,
Franco

PS: You can confirm ASLR using the following command...

# dmesg | grep HBSD
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: interfaSys on May 20, 2016, 05:43:33 pm
Would be great to have a branch on Github for people who compile their own kernel :)
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: franco on May 20, 2016, 06:27:57 pm
The commits have been on the master branch of src.git for almost two months now.

The stable branches have been adjusted yesterday to build ASLR too.

I am unsure what you are referring to?
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: interfaSys on May 20, 2016, 06:33:51 pm
Quote
The commits have been on the master branch of src.git for almost two months now.

I saw 2 commits in March, but didn't know if changes were made after that.

Quote
The stable branches have been adjusted yesterday to build ASLR too.

I built "stable/16.1" yesterday, but didn't get a kernel with ASLR. I see now that there was a new commit made after my build, so will try again :)
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: franco on May 20, 2016, 07:14:51 pm
There were no changes after the merge on March 28. The only thing I had to change was to move the build options out of GENERIC (that was the third commit actually).

Build errors can happen on the master branches, questions can always be asked. For master there is still a bit of work to do with ports (e.g. the impending mpd4 removal) yet some things need to be stuck in order for stable to still work in the first place. Lots of bits and bolts, but nothing that a conversation and a manual edit can't solve.

Let me know how your build goes. :)
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: interfaSys on May 21, 2016, 01:13:34 pm
Building went fine. Same warnings were shown. I didn't see any new messages.
Same when running it, same old problems, nothing new so far :)
Title: Re: [CALL FOR TESTING] HardenedBSD's ASLR
Post by: interfaSys on May 21, 2016, 04:48:46 pm
Oh yeah and I can't wait for PIE :)