FreeBSD ASR:

- Address Space Randomization (ASR) applies a different randomization on every call to mmap. Pages that can be clustered are clustered. ASR results in a fragmented virtual Address Space (AS).
- Entropy is pulled at least once, and at most five times, per call to mmap. Once the AS is fragmented enough, FreeBSD's ASR implementation has trouble finding a randomized allocation. The ASR logic retries up to five times and then disables further attempts at randomization for the rest of the process's lifetime.
- If the ASR logic hits the limit of five tries, ASR is permanently disabled for the process on the sixth try. Any memory exhaustion attack, such as CVE-2016-6304, could therefore be used against FreeBSD ASR, disabling it for the lifetime of the process.
- An abusable, non-root API exists for disabling ASR on a per-execution basis. The reasoning behind this feature is to disable ASR when debugging an application with lldb or gdb. However, a properly implemented ASLR does not need to be disabled for debugging.
- The shared page is not randomized. The stack randomization is based on a small random-sized gap.
- Only applications in 14-CURRENT base can be compiled as PIEs. Only a few ports are built as PIEs.
- Too many sysctl nodes to toggle, which can lead to a confused sysadmin not applying ASR properly.
- Enabled by default for 64-bit systems on 14-CURRENT.

HardenedBSD ASLR:

- Based on PaX's ASLR design, with active discussion from the original PaX ASLR author. PaX's implementation has been proven reliable and efficient for close to two decades.
- Address Space Layout Randomization (ASLR) calculates deltas at execve(2) time for:
  - Position-Independent Executable (PIE) execution base
  - Stack
  - VDSO
  - mmap
  - mmap(MAP_32BIT)
  - Per-thread stack
- The deltas are used during the application's lifecycle. No need to continuously pull entropy.
- Shared library load order randomization. ROP gadget generation utilities often require shared libraries to be loaded in the same order, so randomizing the order helps frustrate ROP gadget generation.
- True stack randomization with an additional randomized gap. With our stack randomization implementation, HardenedBSD can introduce 41 bits of entropy into the stack on amd64 and arm64.
- Only root can disable ASLR on a per-binary basis, using specialized applications. There is no official, normal-user-accessible API that can be abused to disable ASLR.
- Developed and refined over the span of multiple years.
- Nearly all of base compiled as PIEs on amd64 and arm64.
- ASLR enabled by default for all supported architectures.
- Individual jails can have ASLR enabled/disabled for their jailed environment.
- Not vulnerable to the offset2lib attack, due to using different deltas and due to the shared library load order randomization feature.
- The PaX ASLR stack randomization design enables it to introduce 42 bits of entropy into the stack.