FreeBSD ASR and HardenedBSD ASLR FreeBSD ASR HardenedBSD ASLR Address Space Randomization (ASR) applies a different randomization every call to mmap. For pages that can be clustered, clustering is performed. ASR results in a fragmented virtual Address Space (AS). Entropy pulled at least once, at most five times, per call to mmap. When the AS is fragmented enough, FreeBSD's ASR implementation will have troubles finding a randomized allocation. The logic for applying ASR can be applied up to five times. If the ASR logic hits the limit of five tries, on the sixth try, ASR will be permanently disabled for the process. Any memory exhaustion attack, such as CVE-2016-6304, could be used to attack FreeBSD ASR, disabling it for the lifetime of the process. An abusable, non-root API for disabling ASR on a per-execution basis. The reasoning for this feature is to disable ASR when debugging an application with lldb or gdb. However, properly implemented ASLR does not need to be disabled for debugging. The stack and VDSO are not randomized. FreeBSD considers stack and VDSO randomization outside the scope of ASLR/ASR. No applications are compiled as Position-Independent Executables (PIEs). Disabled by default. This implementation of ASR might be vulnerable to the offset2lib attack. Based off of PaX's ASLR design with active discussion from the original PaX ASLR author. PaX's implementation has been proven reliable and efficient for close to two decades. Address Space Layout Randomization (ASLR) calculates deltas at execve(2) time: Position-Independent Executable (PIE) execution base Stack VDSO mmap mmap(MAP_32BIT) The deltas are used during the application's lifecycle. No need to continuously pull entropy. Shared library load order randomization. ROP gadget generation utilities often require shared libraries to be loaded in the same order. This helps frustrate ROP gadget generation. True stack randomization with an additional randomized gap. With our stack randomization implementation, HardenedBSD can introduce 41 bits of entropy into the stack on amd64 and arm64. Only root can disable ASLR on a per-binary basis using specialized applications. No official normal user accessible API that can be abused for disabling ASLR. Developed and refined over the span of multiple years. Nearly all of base compiled as PIEs on amd64, i386, and arm64. ASLR enabled by default for all supported architectures. Individual jails can have ASLR enabled/disabled for their jailed environment. Not vulnerable to the offset2lib attack due to using different deltas and due to the share library load order randomization feature.