Over the July 4th weekend, we implemented randomization of the VDSO (Virtual Dynamic Shared Object). The VDSO is a region of memory that is shared between the kernel and userland. It contains the signal trampoline and time-related code (like gettimeofday(2)). Even though the amount of code in the VDSO is small, it could still theoretically be used to generate ROP gadgets. Removing that piece of determinism makes generating ROP gadgets based on code in the VDSO more difficult. The VDSO was the last piece of the address space left to randomize.
Now that VDSO randomization is implemented, our ASLR implementation is complete. You'll notice a new sysctl(8): hardening.pax.aslr.vdso_len. It controls the amount of entropy applied to the VDSO base. Our version of ASLR is the strongest form ever implemented in any BSD operating system.
Our ASLR implementation features:
- Execution base randomization of Position-Independent Executables (PIEs)
- Full stack randomization in addition to a random stack gap
- RTLD base randomization
- mmap randomization
- VDSO randomization
- Shared object load order randomization
You will still see further improvements. We are looking into making our shared object load order randomization more efficient with help from Michael Zandi. We need to update our aslr(4) manpage. We need to clarify some of the inline comments. These improvements are mostly cosmetic and result in no functionality changes.
UPDATE 2015-07-13: We've identified and fixed a couple of issues with our stack randomization and VDSO randomization implementations. The stack randomization fix pertains to the ARM architecture and reverts a band-aid fix that was done at EuroBSDcon. That fix is not needed anymore now that we have true stack randomization. The VDSO randomization fix provides better stability. It enforces that the VDSO is placed after the stack start address and before the max userland virtual memory address.