HardenedBSD and the Offset2lib Attack

The recently disclosed offset2lib attack against Linux's default ASLR implementation has generated a lot of chatter. As mentioned in the paper, ASLR implementations based on PaX's, which is the case for HardenedBSD, are generally secure against this attack. Our whitepaper describes how we calculate separate offsets for the execution base, mmap, and the stack. For Position-Independent Executables (PIEs), the shared objects have a different randomization offset than the executable itself.

While HardenedBSD is secure against this particular attack, further additions to our implementation can help strengthen it. Since each shared object is randomized with the same delta, the same attack could theoretically be carried out between libraries. Research is being done in HardenedBSD to randomize the base address of each shared object independently of the other shared objects. This would strengthen HardenedBSD against similar attacks. Additional research is being done to randomize the load order of shared libraries as well. OpenBSD does this to further frustrate an attacker, as he or she will not be able to know beforehand in which order the libraries will be loaded.
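To make the "same delta" condition concrete, here is an added audit example (not HardenedBSD's code) that takes memory-map dumps from several runs of one PIE and reports which objects always sit at a fixed distance from each other. It assumes Linux-style /proc/<pid>/maps lines, and the addresses and paths are constructed to model the layout described above: the executable gets its own delta, while every shared object moves by one shared mmap delta.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed maps-style excerpts from three runs of the same PIE (invented
# addresses). The executable base changes independently each run, but libc
# and libm are both shifted by the same mmap delta, so their distance is fixed.
SAMPLE_RUNS = [
    """55a1c4e00000-55a1c4e01000 r--p 00000000 08:01 4242 /usr/bin/app
55a1c4e01000-55a1c4e05000 r-xp 00001000 08:01 4242 /usr/bin/app
7f3a1c200000-7f3a1c22c000 r--p 00000000 08:01 1111 /lib/libc.so.7
7f3a1c400000-7f3a1c40d000 r--p 00000000 08:01 2222 /lib/libm.so.5""",
    """5602a7100000-5602a7101000 r--p 00000000 08:01 4242 /usr/bin/app
7fbd93a00000-7fbd93a2c000 r--p 00000000 08:01 1111 /lib/libc.so.7
7fbd93c00000-7fbd93c0d000 r--p 00000000 08:01 2222 /lib/libm.so.5""",
    """55ce0b300000-55ce0b301000 r--p 00000000 08:01 4242 /usr/bin/app
7f0d4e500000-7f0d4e52c000 r--p 00000000 08:01 1111 /lib/libc.so.7
7f0d4e700000-7f0d4e70d000 r--p 00000000 08:01 2222 /lib/libm.so.5""",
]

# start-end perms offset dev inode path; only file-backed mappings have a path
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+ \S+ \S+ \S+ \S+\s+(/\S+)$")

def object_bases(maps_text):
    """Lowest mapped address of each file-backed object in one maps dump."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mappings, [stack], [vdso] etc. are skipped
        start, path = int(m.group(1), 16), m.group(2)
        bases[path] = min(start, bases.get(path, start))
    return bases

def fixed_distance_pairs(runs):
    """Return {(obj_a, obj_b): delta} for pairs whose distance never changes.

    Each returned pair means leaking one base gives away the other, which is
    the offset2lib condition. An empty result means every object is randomized
    independently of the others.
    """
    per_run = [object_bases(r) for r in runs]
    common = set.intersection(*(set(b) for b in per_run))
    deltas = defaultdict(set)
    for a, b in combinations(sorted(common), 2):
        for bases in per_run:
            deltas[(a, b)].add(bases[b] - bases[a])
    return {pair: ds.pop() for pair, ds in deltas.items() if len(ds) == 1}

if __name__ == "__main__":
    print(fixed_distance_pairs(SAMPLE_RUNS))  # libc/libm pair only
```

On the constructed data the executable-to-library distance varies, so only the libc/libm pair is reported; per-object randomization would leave the result empty.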