FreeBSD And HardenedBSD Feature Comparisons

FreeBSD ASR and HardenedBSD ASLR

FreeBSD ASR

  • Address Space Randomization (ASR) applies a different randomization every call to mmap. For pages that can be coalesced, coalescing is performed. ASR results in a fragmented virtual Address Space (AS).
  • Entropy is pulled at least once, at most five times, per call to mmap. When the AS is fragmented enough, FreeBSD's ASR implementation will have trouble finding a randomized allocation. The logic for applying ASR can be applied up to five times.
  • If the ASR logic hits the limit of five tries, on the sixth try, ASR will be permanently disabled for the process. Any memory exhaustion attack, such as CVE-2016-6304, could be used to attack FreeBSD ASR, disabling it for the lifetime of the process.
  • An abusable, non-root API for disabling ASR on a per-execution basis. The reasoning for this feature is to disable ASR when debugging an application with lldb or gdb. However, properly implemented ASLR does not need to be disabled for debugging.
  • The stack and VDSO are not randomized. FreeBSD considers stack and VDSO randomization outside the scope of ASLR/ASR.
  • ASR enabled only for amd64 and i386.
  • No applications are compiled as Position-Independent Executables (PIEs).
  • This implementation of ASR might be vulnerable to the offset2lib attack.
  • The ASR implementation is not yet in HEAD (12-CURRENT), but is only available as a patch.

HardenedBSD ASLR

  • Based on PaX's ASLR design, with active discussion with the original PaX ASLR author. PaX's implementation has been proven reliable and efficient for close to fifteen years.
  • Address Space Layout Randomization (ASLR) calculates deltas at execve(2) time:
    • Position-Independent Executable (PIE) execution base
    • Stack
    • VDSO
    • mmap
    • mmap(MAP_32BIT)
  • The deltas are used during the application's lifecycle. No need to continuously pull entropy.
  • Shared library load order randomization. ROP gadget generation utilities often require shared libraries to be loaded in the same order. This helps frustrate ROP gadget generation.
  • True stack randomization with an additional randomized gap. With our stack randomization implementation, HardenedBSD can introduce 41 bits of entropy into the stack on amd64.
  • Only root can disable ASLR on a per-binary basis using specialized applications. No official normal user accessible API that can be abused for disabling ASLR.
  • Developed and refined over the span of multiple years.
  • Nearly all of base compiled as PIEs on amd64, i386, and arm64.
  • ASLR enabled for all architectures on both 11-CURRENT and 10-STABLE.
  • Individual jails can have ASLR enabled/disabled for their jailed environment.
  • Not vulnerable to the offset2lib attack due to using different deltas and due to the shared library load order randomization feature.
  • Wider adoption through OPNsense.
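The differences compared above (per-mmap randomization with coalescing versus execve-time deltas, and whether the stack, PIE base, mmap region and shared libraries move between runs) can be measured from user space. The following probe is an added example, not code from FreeBSD or HardenedBSD; it assumes a POSIX system with popen and anonymous mmap, and the names probe, varying_bits and adjacent are the example's own.

```c
/* Added example, not from the page: user-space randomization probe. It re-executes
 * itself via popen(argv[0]) so each sample comes from a fresh execve, counts address
 * bits that differed per region, and checks per child whether two back-to-back mmaps
 * were coalesced (fixed execve-time delta) or scattered (per-call ASR). */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#define SAMPLES 16
#define U(p) ((unsigned long long)(uintptr_t)(p))
/* Lower bound on observed entropy: bits set in some samples and clear in others. */
int varying_bits(const uint64_t *a, size_t n) {
    uint64_t any = 0, all = ~(uint64_t)0;
    for (size_t i = 0; i < n; i++) { any |= a[i]; all &= a[i]; }
    return __builtin_popcountll(any & ~all);
}
/* True when two mappings of size len abut, i.e. the allocator coalesced them. */
int adjacent(uintptr_t a, uintptr_t b, size_t len) {
    return b == a + len || a == b + len;
}
static void probe(void) {                /* child mode: emit one layout sample */
    volatile int on_stack = 0;
    size_t len = 4096;
    void *m1 = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    void *m2 = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    /* fields: executable text (PIE base), stack, mmap region, libc (PLT stub if
     * the binary is not a PIE), and whether the two mmaps were adjacent */
    printf("%llx %llx %llx %llx %d\n", U(probe), U(&on_stack), U(m1), U(printf),
           adjacent((uintptr_t)m1, (uintptr_t)m2, len));
}
int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) { probe(); return 0; }
    uint64_t r[4][SAMPLES];              /* [0]=PIE [1]=stack [2]=mmap [3]=libc */
    unsigned long long v[4]; int adj, coalesced = 0;
    char cmd[600];
    snprintf(cmd, sizeof cmd, "'%s' --probe", argv[0]);
    for (int i = 0; i < SAMPLES; i++) {
        FILE *p = popen(cmd, "r");
        if (!p || fscanf(p, "%llx %llx %llx %llx %d", &v[0], &v[1], &v[2], &v[3], &adj) != 5)
            return fprintf(stderr, "probe failed\n"), 1;
        pclose(p); coalesced += adj;
        for (int k = 0; k < 4; k++) r[k][i] = v[k];
    }
    printf("varying bits over %d runs: PIE %d, stack %d, mmap %d, libc %d\n", SAMPLES,
           varying_bits(r[0], SAMPLES), varying_bits(r[1], SAMPLES),
           varying_bits(r[2], SAMPLES), varying_bits(r[3], SAMPLES));
    printf("consecutive mmaps coalesced in %d/%d runs\n", coalesced, SAMPLES);
    return 0;
}
```

Build it as a PIE (for example with -fPIE -pie) to get a meaningful PIE-base column; a stack or libc column showing 0 varying bits means that region is not randomized on the system under test, and a low coalesced count indicates per-call randomization of mmap.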