[CALL FOR TESTING] HardenedBSD's ASLR

[franco]

Hello everyone,

With the help of Shawn and Olivér from HardenedBSD we have finally incorporated the first piece of their wonderfully crafted improvements: Address Space Layout Randomization, or short ASLR. This change only affects the kernel and is now open for public testing.

Things to be aware of:

This is a call for testing that replaces the kernel. Use with care. The old kernel can still be booted from the early boot menu under option (5), selecting "kernel.old" and then continue the boot with option (1).

The kernel ABI changes, VMware and XEN plugins may not work at the moment. This problem can only be addressed once the kernel is in place and our packages use the new API. Manually compiled drivers may need to be recompiled against the current master of src.git

The impact of the patch is minimal, the system will boot ok, continue to function normally and ASLR will be enables as "opt-out", which means it will be on by default.

The next firmware upgrade will remove the test kernel and switch back to a vanilla version without ASLR. In those cases, the kernel needs to be reapplied.

To switch to the ASLR kernel:

# opnsense-update -kr 16.1.8-aslr && /usr/local/etc/rc.reboot

To switch back to the standard kernel:

# opnsense-update -k && /usr/local/etc/rc.reboot

I will ask Shawn to explain the impact of the patch a bit more as well as what it means for going forward.

On a more or less related note: consider me totally happy about this CFT


Have fun,
Franco

[lattera]

I'd first like to say thank you to Franco and the rest of the OPNsense team for working with me on this. Their continual focus on security and community development never ceases to impresses me. They have been a delight to work with.

The ASLR patch that OPNsense imported came directly from HardenedBSD. Last week, I took a few hours to backport our patch from 11-CURRENT to a format that OPNsense could import into 10-STABLE and 10.2-RELEASE. Franco was extremely kind to help in testing the backported patch. I'd like to thank him for his efforts and contributions.

There has recently become available a patch for FreeBSD for their own ASLR implementation. Being a fresh effort, it will require more work and peer review until it is going to be included in FreeBSD. And it is actually ASR, not ASLR. Due to being ASR, it has the potential to fragment the virtual address space. If the virtual address space is fragmented enough ASR could be disabled. FreeBSD's implementation also provides an API for non-root users to disable ASR for their own processes. HardenedBSD's implementation provides no such API and does not cause address space fragmentation issues. FreeBSD's patch under review can be found here: https://reviews.freebsd.org/D5603

No matter the architecture (amd64 vs i386 vs arm vs arm64, etc.), the HardenedBSD ASLR patch provides a performance impact so small that the authors of the patch (Oliver Pinter and myself) do not know how to accurately measure the impact.

As of this writing, OPNsense does not support building applications as Position-Independent Executables (PIEs). That will come soon. Compiling an application as a PIE allows that application to take full advantage of ASLR.

On amd64, compiling the application as a PIE incurs zero overhead. On i386, the performance impact could be as large as 12%. It's important to note that the overhead on i386 is _NOT_ due to HardenedBSD's ASLR implementation, but due to the i386 architecture. PIE on i386 places additional requirements that cause performance degradation.

HardenedBSD's ASLR implementation has proven to be rock solid over the multiple-year span it has been developed. It performs extremely well and, of all the BSD ASLR implementations, introduces the most entropy into the process' address space. I know of no other ASLR implementation that introduces 41 bits of entropy into the stack on amd64.

[sergey1984qq]

Hello everyone,

With the help of Shawn and Olivér from HardenedBSD we have finally incorporated the first piece of their wonderfully crafted improvements: Address Space Layout Randomization, or short ASLR. This change only affects the kernel and is now open for public testing.

Things to be aware of:

This is a call for testing that replaces the kernel. Use with care. The old kernel can still be booted from the early boot menu under option (5), selecting "kernel.old" and then continue the boot with option (1).

The kernel ABI changes, VMware and XEN plugins may not work at the moment. This problem can only be addressed once the kernel is in place and our packages use the new API. Manually compiled drivers may need to be recompiled against the current master of src.git

The impact of the patch is minimal, the system will boot ok, continue to function normally and ASLR will be enables as "opt-out", which means it will be on by default.

The next firmware upgrade will remove the test kernel and switch back to a vanilla version without ASLR. In those cases, the kernel needs to be reapplied.

To switch to the ASLR kernel:

# opnsense-update -kr 16.1.8-aslr && /usr/local/etc/rc.reboot

To switch back to the standard kernel:

# opnsense-update -k && /usr/local/etc/rc.reboot

I will ask Shawn to explain the impact of the patch a bit more as well as what it means for going forward.

On a more or less related note: consider me totally happy about this CFT


Have fun,
Franco

Thank you! I am trying it now.
Hopefully these https://pkg.opnsense.org/snapshots/hbsd-exp-09/ has going to be released as an option like SSL library changing and we able to switch in between vanilla and hardenedbsd firmwares. Most likely I would like to see these feature.

Its funny but pfsense developers released 2.3 alpha too  it would be great to see how competition between two would progress as the time passing by.

[sergey1984qq]

OK I am now under new kernel and how do I look what kernel I used up?
The following commands does't provide any detailed information about if it is "hardened" or not:

Code: [Select]

root@home_gateway:~ # ps aux | grep kernel
root       0   0.0  0.0      0   160  -  DLs  12:56PM 0:00.01 [kernel]
root   55148   0.0  0.2  18728  2244  0  S+   12:58PM 0:00.00 grep kernel
root@home_gateway:~ # ps aux | grep kernel | more
root       0   0.0  0.0      0   160  -  DLs  12:56PM 0:00.01 [kernel]
root   55465   0.0  0.2  18728  2248  0  S+   12:58PM 0:00.00 grep kernel
root@home_gateway:~ # freebsd-version -k
10.2-RELEASE-p14
root@home_gateway:~ # freebsd-version -u
10.2-RELEASE-p14
root@home_gateway:~ # uname -mrs
FreeBSD 10.2-RELEASE-p14 amd64
root@home_gateway:~ # getconf LONG_BIT
64
root@home_gateway:~ # uname -a
FreeBSD home_gateway.home 10.2-RELEASE-p14 FreeBSD 10.2-RELEASE-p14 #0 eda6bf2(master): Wed Mar 30 06:11:42 CEST 2016     root@sensey64:/usr/obj/usr/src/sys/SMP  amd64


Can I issue some special command to see if I use hardened kernel over vanilla one? I just google some commands but all of them returns me somehow default results which is not represents the current state of "hardened" or not.

Anyway it's runs normal for me as the home gateway user.

Thank you!

[franco]

Code: [Select]

# dmesg | grep HBSD
[HBSD ASLR (compat)] status: opt-out
[HBSD ASLR (compat)] mmap: 14 bit
[HBSD ASLR (compat)] exec base: 14 bit
[HBSD ASLR (compat)] stack: 14 bit
[HBSD ASLR (compat)] vdso: 8 bit
[HBSD LOG] logging to system: enabled
[HBSD LOG] logging to user: disabled
[HBSD ASLR] status: opt-out
[HBSD ASLR] mmap: 30 bit
[HBSD ASLR] exec base: 30 bit
[HBSD ASLR] stack: 42 bit
[HBSD ASLR] vdso: 28 bit
[HBSD ASLR] map32bit: 18 bit
[HBSD ASLR] disallow MAP_32BIT mode mmap: opt-in
It'll show you some basic info about the implementation. If everything continues to work that is about all that there is to it from the user perspective. The next step will be to (selectively) add PIE to main executables in order to take advantage of the full scope of ASLR.

There will be more HardenedBSD additions in the future. OPNsense will likely stay on 10.x for a bit longer than HardenedBSD builds with OPNsense (these use 11-CURRENT), but eventually the two paths will become more similar. As we keep integrating additions and go forward with FreeBSD progress adoption.

Thank you for testing.

[klausneil]

Hi, somebody has a documentation for this proyect? thanks.

[packet loss]

Just FYI I'm testing this new kernel as well.

Hi, somebody has a documentation for this proyect? thanks.

HardenedBSD Website
HardenedBSD github wiki

[sergey1984qq]

Code: [Select]

# dmesg | grep HBSD
[HBSD ASLR (compat)] status: opt-out
[HBSD ASLR (compat)] mmap: 14 bit
[HBSD ASLR (compat)] exec base: 14 bit
[HBSD ASLR (compat)] stack: 14 bit
[HBSD ASLR (compat)] vdso: 8 bit
[HBSD LOG] logging to system: enabled
[HBSD LOG] logging to user: disabled
[HBSD ASLR] status: opt-out
[HBSD ASLR] mmap: 30 bit
[HBSD ASLR] exec base: 30 bit
[HBSD ASLR] stack: 42 bit
[HBSD ASLR] vdso: 28 bit
[HBSD ASLR] map32bit: 18 bit
[HBSD ASLR] disallow MAP_32BIT mode mmap: opt-in
It'll show you some basic info about the implementation. If everything continues to work that is about all that there is to it from the user perspective. The next step will be to (selectively) add PIE to main executables in order to take advantage of the full scope of ASLR.

There will be more HardenedBSD additions in the future. OPNsense will likely stay on 10.x for a bit longer than HardenedBSD builds with OPNsense (these use 11-CURRENT), but eventually the two paths will become more similar. As we keep integrating additions and go forward with FreeBSD progress adoption.

Thank you for testing.

Yepp I see the same output and its work now on my machine, thank you.

Code: [Select]

# dmesg | grep HBSD
[HBSD ASLR (compat)] status: opt-out
[HBSD ASLR (compat)] mmap: 14 bit
[HBSD ASLR (compat)] exec base: 14 bit
[HBSD ASLR (compat)] stack: 14 bit
[HBSD ASLR (compat)] vdso: 8 bit
[HBSD LOG] logging to system: enabled
[HBSD LOG] logging to user: disabled
[HBSD ASLR] status: opt-out
[HBSD ASLR] mmap: 30 bit
[HBSD ASLR] exec base: 30 bit
[HBSD ASLR] stack: 42 bit
[HBSD ASLR] vdso: 28 bit
[HBSD ASLR] map32bit: 18 bit
[HBSD ASLR] disallow MAP_32BIT mode mmap: opt-in


[Solaris17]

been working great so far on the new kernel.

[packet loss]

I didn't notice any problems with OPNsense 16.1.8 when using the kernel based on HBSD ASLR.

[Solaris17]

Hm I ran into an issue today with my core server. WDS is no longer functioning on the network after the upgrade. Clients arent getting the PXE response. Has anyone had similar issues or any tips I can look at?

[franco]

Can we see the DHCP log (PM if sensitive)?

We'll also need to confirm that the two are related. Can you revert to the release version?

# opnsense-update -bk && /usr/local/etc/rc.reboot


Cheers,
Franco

[Solaris17]

Hi Franco, Thanks for the reply. I havent ran into any issues with the new build since the update so I tried to investigate a bit further on my own before I took up any more of your time. I found the issue completely by accident. I went to jack into the core switch with my work laptop which boots by PXE by default. It worked flawless. I went over to the 48 port that does our distribution and it failed. I swapped it out with an old cisco 24 port and it worked flawless. looks like something happened with the switch that our PXE machines use. No worries sorry for the trouble!

[franco]

Better safe than sorry. No worries.

The update will also wipe the test kernel, I kind of forgot to mention.

Although it says "16.1.8-aslr" it's really all of 16.1.9 so testing can continue for a bit more.

But looking at the smooth run it's merge time soon if Shawn agrees.

[lattera]

But looking at the smooth run it's merge time soon if Shawn agrees.

I tried finding a meme for "But of course!" but I couldn't really find one that fit my groove. So: YES! And yay!