ASLR work into -HEAD ?


ASLR work into -HEAD ?

Adrian Chadd-2
Hi,

Apparently this is done but has stalled:

https://reviews.freebsd.org/D473

Does anyone have any strong objections to it landing in the tree as-is?


-adrian
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "[hidden email]"

Re: ASLR work into -HEAD ?

Warner Losh

> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]> wrote:
>
> Hi,
>
> Apparently this is done but has stalled:
>
> https://reviews.freebsd.org/D473
>
> Does anyone have any strong objections to it landing in the tree as-is?

There’s rather a lot of them specifically spelled out in the code review.

Many of the earlier ones were kinda blown off, so I’ve not been inclined
to take the time to re-review it. Glancing at it, I see several minor issues
that should be cleaned up.

Warner



Re: ASLR work into -HEAD ?

Adrian Chadd-2
On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:

>
>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]> wrote:
>>
>> Hi,
>>
>> Apparently this is done but has stalled:
>>
>> https://reviews.freebsd.org/D473
>>
>> Does anyone have any strong objections to it landing in the tree as-is?
>
> There’s rather a lot of them specifically spelled out in the code review.
>
> Many of the earlier ones were kinda blown off, so I’ve not been inclined
> to take the time to re-review it. Glancing at it, I see several minor issues
> that should be cleaned up.

Cool. Thanks for taking the time to look at it again.

Shawn is in #freebsd on freenode irc, so if you/others want a more
interactive review then he's there during the day.



-a

Re: ASLR work into -HEAD ?

Oliver Pinter-4
On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:

> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
>>
>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]> wrote:
>>>
>>> Hi,
>>>
>>> Apparently this is done but has stalled:
>>>
>>> https://reviews.freebsd.org/D473
>>>
>>> Does anyone have any strong objections to it landing in the tree as-is?
>>
>> There’s rather a lot of them specifically spelled out in the code review.
>>
>> Many of the earlier ones were kinda blown off, so I’ve not been inclined
>> to take the time to re-review it. Glancing at it, I see several minor issues
>> that should be cleaned up.
>
> Cool. Thanks for taking the time to look at it again.
>
> Shawn is in #freebsd on freenode irc, so if you/others want a more
> interactive review then he's there during the day.

Please CC [hidden email] in future when you are
talking about this issue.

Adrian: are you able to review the MIPS or ARM part especially, or test them?

>
>
>
> -a

Re: ASLR work into -HEAD ?

Adrian Chadd-2
On 19 March 2015 at 13:31, Oliver Pinter <[hidden email]> wrote:

> On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:
>> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
>>>
>>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Apparently this is done but has stalled:
>>>>
>>>> https://reviews.freebsd.org/D473
>>>>
>>>> Does anyone have any strong objections to it landing in the tree as-is?
>>>
>>> There’s rather a lot of them specifically spelled out in the code review.
>>>
>>> Many of the earlier ones were kinda blown off, so I’ve not been inclined
>>> to take the time to re-review it. Glancing at it, I see several minor issues
>>> that should be cleaned up.
>>
>> Cool. Thanks for taking the time to look at it again.
>>
>> Shawn is in #freebsd on freenode irc, so if you/others want a more
>> interactive review then he's there during the day.
>
> Please CC [hidden email] in future when you are
> talking about this issue.
>
> Adrian: are you able to review the MIPS or ARM part especially, or test them?

I'm out of spare cycles to poke at the MIPS stuff, sorry.

All I can suggest in the short term is that you fire it up in a mips32
/ mips64 emulator environment. FreeBSD works fine in qemu-devel in all
four modes (32, 64 bit; big/little endian.) You should be able to get
high test coverage that way.



-adrian

Re: ASLR work into -HEAD ?

Warner Losh
In reply to this post by Oliver Pinter-4

> On Mar 19, 2015, at 2:31 PM, Oliver Pinter <[hidden email]> wrote:
>
> On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:
>> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
>>>
>>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Apparently this is done but has stalled:
>>>>
>>>> https://reviews.freebsd.org/D473
>>>>
>>>> Does anyone have any strong objections to it landing in the tree as-is?
>>>
>>> There’s rather a lot of them specifically spelled out in the code review.
>>>
>>> Many of the earlier ones were kinda blown off, so I’ve not been inclined
>>> to take the time to re-review it. Glancing at it, I see several minor issues
>>> that should be cleaned up.
>>
>> Cool. Thanks for taking the time to look at it again.
>>
>> Shawn is in #freebsd on freenode irc, so if you/others want a more
>> interactive review then he's there during the day.
>
> Please CC [hidden email] in future when you are
> talking about this issue.
>
> Adrian: are you able to review the MIPS or ARM part especially, or test them?
Adrian: Do not commit the changes.

I’ve gone back and re-read Robert Watson’s rather long review and it appears
that virtually none of that has been addressed. Until it is, do not commit it. This
code interacts with dangerous parts of the system, and the default cannot be
to just let it in because no one has objected recently. Objections have been made,
they have been quantified, they haven’t been answered or acted upon. Until that
changes, you can assume the objections remain in place and asking again without
fixing them isn’t going to change the answer.

Warner


Re: ASLR work into -HEAD ?

Shawn Webb-3
On Fri, 2015-03-20 at 09:28 -0600, Warner Losh wrote:

> > On Mar 19, 2015, at 2:31 PM, Oliver Pinter <[hidden email]> wrote:
> >
> > On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:
> >> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
> >>>
> >>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> Apparently this is done but has stalled:
> >>>>
> >>>> https://reviews.freebsd.org/D473
> >>>>
> >>>> Does anyone have any strong objections to it landing in the tree as-is?
> >>>
> >>> There’s rather a lot of them specifically spelled out in the code review.
> >>>
> >>> Many of the earlier ones were kinda blown off, so I’ve not been inclined
> >>> to take the time to re-review it. Glancing at it, I see several minor issues
> >>> that should be cleaned up.
> >>
> >> Cool. Thanks for taking the time to look at it again.
> >>
> >> Shawn is in #freebsd on freenode irc, so if you/others want a more
> >> interactive review then he's there during the day.
> >
> > Please CC [hidden email] in future when you are
> > talking about this issue.
> >
> > Adrian: are you able to review the MIPS or ARM part especially, or test them?
>
> Adrian: Do not commit the changes.
>
> I’ve gone back and re-read Robert Watson’s rather long review and it appears
> that virtually none of that has been addressed. Until it is, do not commit it. This
> code interacts with dangerous parts of the system, and the default cannot be
> to just let it in because no one has objected recently. Objections have been made,
> they have been quantified, they haven’t been answered or acted upon. Until that
> changes, you can assume the objections remain in place and asking again without
> fixing them isn’t going to change the answer.
>
> Warner
Warner,

We've fixed the vast majority of the concerns raised in that review. To
say "virtually none of that has been addressed" and "they haven't been
answered or acted upon" is a blatant lie. The fact that there are so
many revisions of the patch is proof. We even made our ASLR
implementation for FreeBSD less secure by providing a mechanism in
ptrace() to disable it as requested by a member of the FreeBSD
Foundation. (This "feature" doesn't exist in HardenedBSD's
implementation.) If comments like these continue, I will remove the diff
from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
pull from us, but we won't make any effort to proactively upstream our
work.

With that said, I have missed a few of the concerns raised. There's so
many comments/concerns in that review that it's easy to miss a few. I
will address them tonight and upload a new patch tomorrow.

Thanks,

Shawn Webb
HardenedBSD


Re: ASLR work into -HEAD ?

Shawn Webb-3
On Fri, 2015-03-20 at 14:17 -0400, Shawn Webb wrote:

> On Fri, 2015-03-20 at 09:28 -0600, Warner Losh wrote:
> > > On Mar 19, 2015, at 2:31 PM, Oliver Pinter <[hidden email]> wrote:
> > >
> > > On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:
> > >> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
> > >>>
> > >>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]> wrote:
> > >>>>
> > >>>> Hi,
> > >>>>
> > >>>> Apparently this is done but has stalled:
> > >>>>
> > >>>> https://reviews.freebsd.org/D473
> > >>>>
> > >>>> Does anyone have any strong objections to it landing in the tree as-is?
> > >>>
> > >>> There’s rather a lot of them specifically spelled out in the code review.
> > >>>
> > >>> Many of the earlier ones were kinda blown off, so I’ve not been inclined
> > >>> to take the time to re-review it. Glancing at it, I see several minor issues
> > >>> that should be cleaned up.
> > >>
> > >> Cool. Thanks for taking the time to look at it again.
> > >>
> > >> Shawn is in #freebsd on freenode irc, so if you/others want a more
> > >> interactive review then he's there during the day.
> > >
> > > Please CC [hidden email] in future when you are
> > > talking about this issue.
> > >
> > > Adrian: are you able to review the MIPS or ARM part especially, or test them?
> >
> > Adrian: Do not commit the changes.
> >
> > I’ve gone back and re-read Robert Watson’s rather long review and it appears
> > that virtually none of that has been addressed. Until it is, do not commit it. This
> > code interacts with dangerous parts of the system, and the default cannot be
> > to just let it in because no one has objected recently. Objections have been made,
> > they have been quantified, they haven’t been answered or acted upon. Until that
> > changes, you can assume the objections remain in place and asking again without
> > fixing them isn’t going to change the answer.
> >
> > Warner
>
> Warner,
>
> We've fixed the vast majority of the concerns raised in that review. To
> say "virtually none of that has been addressed" and "they haven't been
> answered or acted upon" is a blatant lie. The fact that there are so
> many revisions of the patch is proof. We even made our ASLR
> implementation for FreeBSD less secure by providing a mechanism in
> ptrace() to disable it as requested by a member of the FreeBSD
> Foundation. (This "feature" doesn't exist in HardenedBSD's
> implementation.) If comments like these continue, I will remove the diff
> from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
> pull from us, but we won't make any effort to proactively upstream our
> work.
>
> With that said, I have missed a few of the concerns raised. There's so
> many comments/concerns in that review that it's easy to miss a few. I
> will address them tonight and upload a new patch tomorrow.
I've updated the patch. Is there anything I've missed?

Thanks,

Shawn Webb
HardenedBSD


Re: ASLR work into -HEAD ?

Warner Losh

> On Mar 20, 2015, at 1:05 PM, Shawn Webb <[hidden email]> wrote:
>
> On Fri, 2015-03-20 at 14:17 -0400, Shawn Webb wrote:
>> On Fri, 2015-03-20 at 09:28 -0600, Warner Losh wrote:
>>>> On Mar 19, 2015, at 2:31 PM, Oliver Pinter <[hidden email]> wrote:
>>>>
>>>> On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:
>>>>> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
>>>>>>
>>>>>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Apparently this is done but has stalled:
>>>>>>>
>>>>>>> https://reviews.freebsd.org/D473
>>>>>>>
>>>>>>> Does anyone have any strong objections to it landing in the tree as-is?
>>>>>>
>>>>>> There’s rather a lot of them specifically spelled out in the code review.
>>>>>>
>>>>>> Many of the earlier ones were kinda blown off, so I’ve not been inclined
>>>>>> to take the time to re-review it. Glancing at it, I see several minor issues
>>>>>> that should be cleaned up.
>>>>>
>>>>> Cool. Thanks for taking the time to look at it again.
>>>>>
>>>>> Shawn is in #freebsd on freenode irc, so if you/others want a more
>>>>> interactive review then he's there during the day.
>>>>
>>>> Please CC [hidden email] in future when you are
>>>> talking about this issue.
>>>>
>>>> Adrian: are you able to review the MIPS or ARM part especially, or test them?
>>>
>>> Adrian: Do not commit the changes.
>>>
>>> I’ve gone back and re-read Robert Watson’s rather long review and it appears
>>> that virtually none of that has been addressed. Until it is, do not commit it. This
>>> code interacts with dangerous parts of the system, and the default cannot be
>>> to just let it in because no one has objected recently. Objections have been made,
>>> they have been quantified, they haven’t been answered or acted upon. Until that
>>> changes, you can assume the objections remain in place and asking again without
>>> fixing them isn’t going to change the answer.
>>>
>>> Warner
>>
>> Warner,
>>
>> We've fixed the vast majority of the concerns raised in that review. To
>> say "virtually none of that has been addressed" and "they haven't been
>> answered or acted upon" is a blatant lie. The fact that there are so
>> many revisions of the patch is proof. We even made our ASLR
>> implementation for FreeBSD less secure by providing a mechanism in
>> ptrace() to disable it as requested by a member of the FreeBSD
>> Foundation. (This "feature" doesn't exist in HardenedBSD's
>> implementation.) If comments like these continue, I will remove the diff
>> from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
>> pull from us, but we won't make any effort to proactively upstream our
>> work.
>>
>> With that said, I have missed a few of the concerns raised. There's so
>> many comments/concerns in that review that it's easy to miss a few. I
>> will address them tonight and upload a new patch tomorrow.
>
> I've updated the patch. Is there anything I've missed?
I’ve taken a look at the updated patch and see that it addressed the
issues I raised. It almost looks like the update to the review a month
ago was the wrong version, since so many more of the original
comments appear to be addressed than when I looked. Thanks!

Warner


Re: ASLR work into -HEAD ?

Shawn Webb-3
On Friday, March 20, 2015 03:14:30 PM Warner Losh wrote:
> > On Mar 20, 2015, at 1:05 PM, Shawn Webb <[hidden email]>
> > wrote:
> >
> > On Fri, 2015-03-20 at 14:17 -0400, Shawn Webb wrote:
> >> On Fri, 2015-03-20 at 09:28 -0600, Warner Losh wrote:
> >>>> On Mar 19, 2015, at 2:31 PM, Oliver Pinter <[hidden email]> wrote:
> >>>>
> >>>> On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:
> >>>>> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
> >>>>>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Apparently this is done but has stalled:
> >>>>>>>
> >>>>>>> https://reviews.freebsd.org/D473
> >>>>>>>
> >>>>>>> Does anyone have any strong objections to it landing in the tree
> >>>>>>> as-is?
> >>>>>>
> >>>>>> There’s rather a lot of them specifically spelled out in the code
> >>>>>> review.
> >>>>>>
> >>>>>> Many of the earlier ones were kinda blown off, so I’ve not been
> >>>>>> inclined
> >>>>>> to take the time to re-review it. Glancing at it, I see several minor
> >>>>>> issues that should be cleaned up.
> >>>>>
> >>>>> Cool. Thanks for taking the time to look at it again.
> >>>>>
> >>>>> Shawn is in #freebsd on freenode irc, so if you/others want a more
> >>>>> interactive review then he's there during the day.
> >>>>
> >>>> Please CC [hidden email] in future when you are
> >>>> talking about this issue.
> >>>>
> >>>> Adrian: are you able to review the MIPS or ARM part especially, or test
> >>>> them?
> >>>
> >>> Adrian: Do not commit the changes.
> >>>
> >>> I’ve gone back and re-read Robert Watson’s rather long review and it
> >>> appears that virtually none of that has been addressed. Until it is, do
> >>> not commit it. This code interacts with dangerous parts of the system,
> >>> and the default cannot be to just let it in because no one has objected
> >>> recently. Objections have been made, they have been quantified, they
> >>> haven’t been answered or acted upon. Until that changes, you can assume
> >>> the objections remain in place and asking again without fixing them
> >>> isn’t going to change the answer.
> >>>
> >>> Warner
> >>
> >> Warner,
> >>
> >> We've fixed the vast majority of the concerns raised in that review. To
> >> say "virtually none of that has been addressed" and "they haven't been
> >> answered or acted upon" is a blatant lie. The fact that there are so
> >> many revisions of the patch is proof. We even made our ASLR
> >> implementation for FreeBSD less secure by providing a mechanism in
> >> ptrace() to disable it as requested by a member of the FreeBSD
> >> Foundation. (This "feature" doesn't exist in HardenedBSD's
> >> implementation.) If comments like these continue, I will remove the diff
> >> from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
> >> pull from us, but we won't make any effort to proactively upstream our
> >> work.
> >>
> >> With that said, I have missed a few of the concerns raised. There's so
> >> many comments/concerns in that review that it's easy to miss a few. I
> >> will address them tonight and upload a new patch tomorrow.
> >
> > I've updated the patch. Is there anything I've missed?
>
> I’ve taken a look at the updated patch and see that it addressed the
> issues I raised. It almost looks like the update to the review a month
> ago was the wrong version, since so many more of the original
> comments appear to be addressed than when I looked. Thanks!
>
> Warner
I've updated the patch again. Please let me know if there's anything I've
missed. Otherwise, I'd love to see this committed in HEAD. :-)

--
Shawn Webb
HardenedBSD

GPG Key ID:                0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE


Re: ASLR work into -HEAD ?

Shawn Webb-3
On Sat, 2015-03-21 at 10:43 -0400, Shawn Webb wrote:

> On Friday, March 20, 2015 03:14:30 PM Warner Losh wrote:
> > > On Mar 20, 2015, at 1:05 PM, Shawn Webb <[hidden email]>
> > > wrote:
> > >
> > > On Fri, 2015-03-20 at 14:17 -0400, Shawn Webb wrote:
> > >> On Fri, 2015-03-20 at 09:28 -0600, Warner Losh wrote:
> > >>>> On Mar 19, 2015, at 2:31 PM, Oliver Pinter <[hidden email]> wrote:
> > >>>>
> > >>>> On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:
> > >>>>> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
> > >>>>>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]>
> > >>>>>>> wrote:
> > >>>>>>>
> > >>>>>>> Hi,
> > >>>>>>>
> > >>>>>>> Apparently this is done but has stalled:
> > >>>>>>>
> > >>>>>>> https://reviews.freebsd.org/D473
> > >>>>>>>
> > >>>>>>> Does anyone have any strong objections to it landing in the tree
> > >>>>>>> as-is?
> > >>>>>>
> > >>>>>> There’s rather a lot of them specifically spelled out in the code
> > >>>>>> review.
> > >>>>>>
> > >>>>>> Many of the earlier ones were kinda blown off, so I’ve not been
> > >>>>>> inclined
> > >>>>>> to take the time to re-review it. Glancing at it, I see several minor
> > >>>>>> issues that should be cleaned up.
> > >>>>>
> > >>>>> Cool. Thanks for taking the time to look at it again.
> > >>>>>
> > >>>>> Shawn is in #freebsd on freenode irc, so if you/others want a more
> > >>>>> interactive review then he's there during the day.
> > >>>>
> > >>>> Please CC [hidden email] in future when you are
> > >>>> talking about this issue.
> > >>>>
> > >>>> Adrian: are you able to review the MIPS or ARM part especially, or test
> > >>>> them?
> > >>>
> > >>> Adrian: Do not commit the changes.
> > >>>
> > >>> I’ve gone back and re-read Robert Watson’s rather long review and it
> > >>> appears that virtually none of that has been addressed. Until it is, do
> > >>> not commit it. This code interacts with dangerous parts of the system,
> > >>> and the default cannot be to just let it in because no one has objected
> > >>> recently. Objections have been made, they have been quantified, they
> > >>> haven’t been answered or acted upon. Until that changes, you can assume
> > >>> the objections remain in place and asking again without fixing them
> > >>> isn’t going to change the answer.
> > >>>
> > >>> Warner
> > >>
> > >> Warner,
> > >>
> > >> We've fixed the vast majority of the concerns raised in that review. To
> > >> say "virtually none of that has been addressed" and "they haven't been
> > >> answered or acted upon" is a blatant lie. The fact that there are so
> > >> many revisions of the patch is proof. We even made our ASLR
> > >> implementation for FreeBSD less secure by providing a mechanism in
> > >> ptrace() to disable it as requested by a member of the FreeBSD
> > >> Foundation. (This "feature" doesn't exist in HardenedBSD's
> > >> implementation.) If comments like these continue, I will remove the diff
> > >> from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
> > >> pull from us, but we won't make any effort to proactively upstream our
> > >> work.
> > >>
> > >> With that said, I have missed a few of the concerns raised. There's so
> > >> many comments/concerns in that review that it's easy to miss a few. I
> > >> will address them tonight and upload a new patch tomorrow.
> > >
> > > I've updated the patch. Is there anything I've missed?
> >
> > I’ve taken a look at the updated patch and see that it addressed the
> > issues I raised. It almost looks like the update to the review a month
> > ago was the wrong version, since so many more of the original
> > comments appear to be addressed than when I looked. Thanks!
> >
> > Warner
>
> I've updated the patch again. Please let me know if there's anything I've
> missed. Otherwise, I'd love to see this committed in HEAD. :-)
>
Does anyone have any updates since I last updated the patch over a month
ago? What's needed to get this patch in?

Thanks,

Shawn


Re: ASLR work into -HEAD ?

Adrian Chadd-2
Robert's been busy on a conference presentation. That's happening this
week, so I'll poke him about it later in the week and see if he has
some more cycles to review things.

Thanks!


-a


On 20 May 2015 at 08:20, Shawn Webb <[hidden email]> wrote:

> On Sat, 2015-03-21 at 10:43 -0400, Shawn Webb wrote:
>> On Friday, March 20, 2015 03:14:30 PM Warner Losh wrote:
>> > > On Mar 20, 2015, at 1:05 PM, Shawn Webb <[hidden email]>
>> > > wrote:
>> > >
>> > > On Fri, 2015-03-20 at 14:17 -0400, Shawn Webb wrote:
>> > >> On Fri, 2015-03-20 at 09:28 -0600, Warner Losh wrote:
>> > >>>> On Mar 19, 2015, at 2:31 PM, Oliver Pinter <[hidden email]> wrote:
>> > >>>>
>> > >>>> On Thu, Mar 19, 2015 at 9:04 PM, Adrian Chadd <[hidden email]> wrote:
>> > >>>>> On 19 March 2015 at 12:56, Warner Losh <[hidden email]> wrote:
>> > >>>>>>> On Mar 19, 2015, at 12:53 PM, Adrian Chadd <[hidden email]>
>> > >>>>>>> wrote:
>> > >>>>>>>
>> > >>>>>>> Hi,
>> > >>>>>>>
>> > >>>>>>> Apparently this is done but has stalled:
>> > >>>>>>>
>> > >>>>>>> https://reviews.freebsd.org/D473
>> > >>>>>>>
>> > >>>>>>> Does anyone have any strong objections to it landing in the tree
>> > >>>>>>> as-is?
>> > >>>>>>
>> > >>>>>> There’s rather a lot of them specifically spelled out in the code
>> > >>>>>> review.
>> > >>>>>>
>> > >>>>>> Many of the earlier ones were kinda blown off, so I’ve not been
>> > >>>>>> inclined
>> > >>>>>> to take the time to re-review it. Glancing at it, I see several minor
>> > >>>>>> issues that should be cleaned up.
>> > >>>>>
>> > >>>>> Cool. Thanks for taking the time to look at it again.
>> > >>>>>
>> > >>>>> Shawn is in #freebsd on freenode irc, so if you/others want a more
>> > >>>>> interactive review then he's there during the day.
>> > >>>>
>> > >>>> Please CC [hidden email] in future when you are
>> > >>>> talking about this issue.
>> > >>>>
>> > >>>> Adrian: are you able to review the MIPS or ARM part especially, or test
>> > >>>> them?
>> > >>>
>> > >>> Adrian: Do not commit the changes.
>> > >>>
>> > >>> I’ve gone back and re-read Robert Watson’s rather long review and it
>> > >>> appears that virtually none of that has been addressed. Until it is, do
>> > >>> not commit it. This code interacts with dangerous parts of the system,
>> > >>> and the default cannot be to just let it in because no one has objected
>> > >>> recently. Objections have been made, they have been quantified, they
>> > >>> haven’t been answered or acted upon. Until that changes, you can assume
>> > >>> the objections remain in place and asking again without fixing them
>> > >>> isn’t going to change the answer.
>> > >>>
>> > >>> Warner
>> > >>
>> > >> Warner,
>> > >>
>> > >> We've fixed the vast majority of the concerns raised in that review. To
>> > >> say "virtually none of that has been addressed" and "they haven't been
>> > >> answered or acted upon" is a blatant lie. The fact that there are so
>> > >> many revisions of the patch is proof. We even made our ASLR
>> > >> implementation for FreeBSD less secure by providing a mechanism in
>> > >> ptrace() to disable it as requested by a member of the FreeBSD
>> > >> Foundation. (This "feature" doesn't exist in HardenedBSD's
>> > >> implementation.) If comments like these continue, I will remove the diff
>> > >> from Phabricator and close the BugZilla ticket. FreeBSD can feel free to
>> > >> pull from us, but we won't make any effort to proactively upstream our
>> > >> work.
>> > >>
>> > >> With that said, I have missed a few of the concerns raised. There's so
>> > >> many comments/concerns in that review that it's easy to miss a few. I
>> > >> will address them tonight and upload a new patch tomorrow.
>> > >
>> > > I've updated the patch. Is there anything I've missed?
>> >
>> > I’ve taken a look at the updated patch and see that it addressed the
>> > issues I raised. It almost looks like the update to the review a month
>> > ago was the wrong version, since so many more of the original
>> > comments appear to be addressed than when I looked. Thanks!
>> >
>> > Warner
>>
>> I've updated the patch again. Please let me know if there's anything I've
>> missed. Otherwise, I'd love to see this committed in HEAD. :-)
>>
>
> Does anyone have any updates since I last updated the patch over a month
> ago? What's needed to get this patch in?
>
> Thanks,
>
> Shawn

Re: ASLR work into -HEAD ?

Shawn Webb-3
On Wed, 2015-05-20 at 08:32 -0700, Adrian Chadd wrote:
> Robert's been busy on a conference presentation. That's happening this
> week, so I'll poke him about it later in the week and see if he has
> some more cycles to review things.
>
> Thanks!
>
>
> -a

Sounds good. Thanks for the quick update.

Thanks,

Shawn


Re: ASLR work into -HEAD ?

Pedro Giffuni-4
In reply to this post by Adrian Chadd-2
Hello Shawn;

Whatever happened with the performance? Does it still have a
noticeable effect even when disabled?

I have no technical opinion on the patch, but ...

TBH, the problem I see is that ASLR is so widespread that every
potential attacker already knows how to defeat it. Yes, it is meant
only as a mitigation technique but if it only buys you 5 min.
(at most) I don't see much advantage in obfuscating the VM.

Just IMHO ... I am not a player in that area and I don't maintain
the underlying code so I don't approve or reject anything.

Pedro.

Re: ASLR work into -HEAD ?

Oliver Pinter-4
On 5/20/15, Pedro Giffuni <[hidden email]> wrote:
> Hello Shawn;
>
> Whatever happened with the performance? Does it still have a
> noticeable effect even when disabled?

We should ask for an exp-run to be run again with ASLR, without it, and with it disabled.

>
> I have no technical opinion on the patch, but ...
>
> TBH, the problem I see is that ASLR is so widespread that every
> potential attacker already knows how to defeat it. Yes, it is meant
> only as a mitigation technique but if it only buys you 5 min.
> (at most) I don't see much advantage in obfuscating the VM.

Hi Pedro!

Consider the situation when someone releases an exploit against a
system without ASLR. The attacker hard-codes the address of the
specific code and tries it against the whole internet.
In this case all of the tries will succeed. Then consider the other
situation, when the system has ASLR. In this case the exploit fails in
the majority of cases, and the attacker must try multiple times to attack
the system. This is a very large cost on their side...

Sometimes these 5 minutes decide whether the attacker can break in or
not. Most average attackers do not have the knowledge of how to
bypass ASLR. Yes, there exist automated ROP generators and other
tools, and articles about the effectiveness of blind ROP, but in real
life ASLR is a must have.

ASLR would be much more effective when segvguard or a similar brute-force
prevention solution exists in the system.


>
> Just IMHO ... I am not a player in that area and I don't maintain
> the underlying code so I don't approve or reject anything.
>
> Pedro.

Re: ASLR work into -HEAD ?

Pedro Giffuni-4


On 05/20/15 11:31, Oliver Pinter wrote:
> On 5/20/15, Pedro Giffuni <[hidden email]> wrote:
>> Hello Shawn;
>>
>> Whatever happened to the performance, does it still have a
>> noticeable effect even when disabled?
> We should ask to run an exp-run again with/without/disabled ASLR.
>
So there's not much done in that sense :(.

>> I have no technical opinion on the patch, but ...
>>
>> TBH, the problem I see is that ASLR is so widespread that every
>> potential attacker already knows how to defeat it. Yes, it is meant
>> only as a mitigation technique but if it only buys you 5 min.
>> (at most) I don't see much advantage in obfuscating the VM.
> Hi Pedro!
>
> Take the situation when someone releases an exploit against a
> system without ASLR. The attacker hard-codes the address of the
> specific code and tries it against the whole internet.
> In this case every try will succeed. Then take the other
> situation, when the system has ASLR. In this case the exploit fails in
> the majority of cases, and the attacker must try multiple times to attack
> the system. This is a very large cost on their side...

My claim is that the majority of "professional" breachers and
governments already have ASLR workarounds pre-coded and ready
to launch. Finding an exploit is more difficult than beating
ASLR, so they are not going to hint to everyone that they have
an exploit until they can take all the Linux/Windows/MacOSX
at the same time.

The cost for the NSA and/or anonymous to step on
ASLR is zero.

> Sometimes these 5 minutes decide whether the attacker can break in or
> not. Most average attackers do not have the knowledge of how to
> bypass ASLR. Yes, there exist automated ROP generators and other
> tools, and articles about blind ROP effectiveness, but in real
> life ASLR is a must-have.

I think (and see it's just my opinion), that it was a must have
5 years ago, but now any such measure is futile. Capsicum
everywhere would be better spent effort.

> ASLR would be much more efficient when segvguard or a similar brute
> force prevention solution exists in the system.
>

Define efficient... performance with PIE and other measures
certainly takes a hit, and very likely there is an energy cost as well, so
energetically you could consider it a waste of resources.

And, just to clarify, I am not in any way against your work:
I would personally like to have the option to use ASLR but
off by default. If I do turn it on sometime, I won't want any
one else to turn it off (even for debugging).

Pedro.

Re: ASLR work into -HEAD ?

Shawn Webb-3
In reply to this post by Oliver Pinter-4
On Wed, 2015-05-20 at 18:31 +0200, Oliver Pinter wrote:

> On 5/20/15, Pedro Giffuni <[hidden email]> wrote:
> > Hello Shawn;
> >
> > Whatever happened to the performance, does it still have a
> > noticeable effect even when disabled?
>
> We should ask to run an exp-run again with/without/disabled ASLR.
>
> >
> > I have no technical opinion on the patch, but ...
> >
> > TBH, the problem I see is that ASLR is so widespread that every
> > potential attacker already knows how to defeat it. Yes, it is meant
> > only as a mitigation technique but if it only buys you 5 min.
> > (at most) I don't see much advantage in obfuscating the VM.
>
> Hi Pedro!
>
> Take the situation when someone releases an exploit against a
> system without ASLR. The attacker hard-codes the address of the
> specific code and tries it against the whole internet.
> In this case every try will succeed. Then take the other
> situation, when the system has ASLR. In this case the exploit fails in
> the majority of cases, and the attacker must try multiple times to attack
> the system. This is a very large cost on their side...
>
> Sometimes these 5 minutes decide whether the attacker can break in or
> not. Most average attackers do not have the knowledge of how to
> bypass ASLR. Yes, there exist automated ROP generators and other
> tools, and articles about blind ROP effectiveness, but in real
> life ASLR is a must-have.
>
> ASLR would be much more efficient when segvguard or a similar brute
> force prevention solution exists in the system.
Pedro,

I'd like to echo what Oliver just said above and provide some additional
insight.

There's no "end-all-be-all" solution to security. Proper security
solutions implement layer upon layer to make life frustrating for an
attacker. It's about buying time and forcing your adversary to spend
time and resources to successfully exploit a vulnerability. No
knowledgeable security researcher claims ASLR is unexploitable. It's
simply another layer. Since it's very effective at making an attacker
spend resources for successful exploitation, it's generally one of the
first exploit mitigation techniques implemented. It provides a great
foundation on which to implement further exploit mitigation techniques.

Some say ASLR is useless as there are techniques to defeat it ([B]ROP).
Those techniques aren't 100% effective and often crash applications they
attempt to exploit prior to successful exploitation. As Oliver pointed
out, use of SEGVGUARD (which HardenedBSD has, but is not included in our
ASLR patch) in conjunction with ASLR is an effective countermeasure.
Again, we're not marketing ASLR as the end-all-be-all solution for
exploit mitigation. It's simply an effective layer of that delicious
security onion we've all come to love. Let's frustrate our adversaries
and force them to peel back more layers!

I agree that FreeBSD ought to do EXP-RUNs with ASLR enabled, disabled,
and completely removed for comparison. FreeBSD last year ran a ports
EXP-RUN with ASLR enabled versus vanilla FreeBSD with the results
showing no measurable overhead.

Thanks,

Shawn Webb

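The following is an added example, not part of this thread, of the D473 patch or of HardenedBSD's code: a small C model of the brute-force scenario Oliver describes and Shawn echoes above (a hard-coded address against an unrandomized target versus a target re-randomized on every exec, and what a crash-rate throttle adds on top). The entropy width, attempt rate and throttle thresholds are assumed figures chosen for illustration, and the "segvguard-style" throttle is a deliberate simplification, not the real SEGVGUARD policy.

```c
/*
 * Added example (not from the FreeBSD/HardenedBSD patch): model of the
 * ASLR brute-force scenario.  All figures (entropy bits, attempt rate,
 * throttle thresholds) are assumptions chosen for illustration.
 */
#include <stdint.h>
#include <stdio.h>

/*
 * Probability that one guess of a hard-coded address hits a target whose
 * placement is randomized with entropy_bits bits of entropy (bits < 64).
 */
static double
hit_probability(unsigned entropy_bits)
{
	return (1.0 / (double)(1ULL << entropy_bits));
}

/*
 * The victim re-randomizes on every exec, so attempts are independent
 * trials and the expected number of attempts is 1/p = 2^entropy_bits.
 * With 0 bits (no ASLR) this is 1: the exploit works the first time.
 */
static double
expected_attempts(unsigned entropy_bits)
{
	return ((double)(1ULL << entropy_bits));
}

/* Probability of at least one hit within `attempts` tries: 1 - (1-p)^k. */
static double
success_within(unsigned entropy_bits, unsigned attempts)
{
	double miss = 1.0 - hit_probability(entropy_bits), q = 1.0;
	unsigned i;

	for (i = 0; i < attempts; i++)
		q *= miss;
	return (1.0 - q);
}

/*
 * Simplified segvguard-style throttle (an assumed policy, not the real
 * HardenedBSD implementation).  The attacker gets `rate` attempts per
 * second; every miss crashes the target; after every `max_crashes`
 * crashes the binary is suspended for `suspend_s` seconds.
 * max_crashes == 0 means no throttling at all.
 */
static double
time_to_compromise_s(unsigned entropy_bits, double rate,
    unsigned max_crashes, double suspend_s)
{
	uint64_t attempts = 1ULL << entropy_bits;
	double t = (double)attempts / rate;

	if (max_crashes > 0)
		t += (double)(attempts / max_crashes) * suspend_s;
	return (t);
}

/* splitmix64: small deterministic PRNG so the simulation is repeatable. */
static uint64_t
rng_next(uint64_t *state)
{
	uint64_t z = (*state += 0x9e3779b97f4a7c15ULL);

	z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
	z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
	return (z ^ (z >> 31));
}

/*
 * Simulate the attack: the exploit hard-codes one slide value (0 here; any
 * fixed guess has the same odds) while the victim draws a fresh random
 * slide of entropy_bits bits on every exec.  Returns attempts until a hit;
 * with 0 bits the mask is 0 and the first attempt always hits.
 */
static uint64_t
simulate_attempts(unsigned entropy_bits, uint64_t seed)
{
	uint64_t mask = (1ULL << entropy_bits) - 1;
	uint64_t state = seed, attempts = 0;

	for (;;) {
		attempts++;
		if ((rng_next(&state) & mask) == 0)
			return (attempts);
	}
}

int
main(void)
{
	/* Assumed: 16 bits of entropy, 100 attempts/s, 60 s after 5 crashes. */
	unsigned bits = 16;

	printf("no ASLR: first try succeeds with p=%.2f\n", success_within(0, 1));
	printf("%u-bit ASLR: ~%.0f attempts, %.0f s unthrottled\n", bits,
	    expected_attempts(bits), time_to_compromise_s(bits, 100.0, 0, 0.0));
	printf("%u-bit ASLR + crash throttle: %.0f s\n", bits,
	    time_to_compromise_s(bits, 100.0, 5, 60.0));
	printf("one simulated run: %llu attempts\n",
	    (unsigned long long)simulate_attempts(bits, 1));
	return (0);
}
```

Under these assumed figures the unthrottled expected time is about eleven minutes, which is the "5 minutes" order of magnitude Pedro objects to; adding the crash throttle pushes the same expected attempt count out to roughly nine days, which is the point about pairing ASLR with a brute-force prevention mechanism. The model ignores information leaks and partial-overwrite tricks that reduce the effective entropy, so it is an upper bound on attacker cost, not a guarantee.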

Re: ASLR work into -HEAD ?

Bryan Drewery-6
In reply to this post by Pedro Giffuni-4
On 5/20/2015 12:24 PM, Pedro Giffuni wrote:
> My claim is that the majority of "professional" breachers and
> governments already have ASLR workarounds pre-coded and ready
> to launch. Finding an exploit is more difficult than beating
> ASLR so they are not going to hint everyone that they have
> an exploit until they can take all the linux/windows/MacOSX
> at the same time.
>
> The cost for the NSA and/or anonymous to step on
> ASLR is zero.

This sort of argument easily turns into "why bother with security?".
Please be careful with it. Every layer and mitigation helps. The real
world is not just NSA or China. It's also full of script kiddies. Should
we just stop using SSL because NSA might have cracked it? Should we just
hand over root ssh keys to China because they probably have it all
hacked anyway? Should we just give up since billions of dollars pour
into security breaking research? Should I just post my CC here since
it's surely leaked from the hundreds of places I use it at anyway? No.

I've had very basic security checks, that could be easily circumvented,
stop actual script kiddies before. Had they persisted longer I would
have been in major trouble. If I explained what it is you would surely
laugh it off and tell me to not bother. Well it worked. ASLR has its
place too.

--
Regards,
Bryan Drewery



Re: ASLR work into -HEAD ?

Poul-Henning Kamp
--------
In message <[hidden email]>, Bryan Drewery writes:

>This sort of argument easily turns into "why bother with security?".

That would be an extremely uninformed reaction.

The correct reaction is:  This is not something we can fix with
technology, it needs to be fixed at the political level.

For the USAnians that should be particularly evident, because
every bit of technology you roll out will be defeated with your
own tax-money.

Engage in politics, that's the only place these problems can be solved.

PS: And don't give me the "There's nobody to vote for", that just means
that you have to become a candidate yourself.


--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
[hidden email]         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Re: ASLR work into -HEAD ?

Pedro Giffuni-4
In reply to this post by Bryan Drewery-6


On 05/22/15 18:40, Bryan Drewery wrote:

> On 5/20/2015 12:24 PM, Pedro Giffuni wrote:
>> My claim is that the majority of "professional" breachers and
>> governments already have ASLR workarounds pre-coded and ready
>> to launch. Finding an exploit is more difficult than beating
>> ASLR so they are not going to hint everyone that they have
>> an exploit until they can take all the linux/windows/MacOSX
>> at the same time.
>>
>> The cost for the NSA and/or anonymous to step on
>> ASLR is zero.
> This sort of argument easily turns into "why bother with security?".

I don't think you can blame me for that since I proposed, and
am actually mentoring, a project to add yet another security
layer (which is hopefully zero-cost).

> Please be careful with it. Every layer and mitigation helps. The real
> world is not just NSA or China. It's also full of script kiddies. Should
> we just stop using SSL because NSA might have cracked it? Should we just
> hand over root ssh keys to China because they probably have it all
> hacked anyway? Should we just give up since billions of dollars pour
> into security breaking research? Should I just post my CC here since
> it's surely leaked from the hundreds of places I use it at anyway? No.

I think there is a real danger that just because we add something
like ASLR, someone will think they are actually protected.
AFAICT there is not even one attack today that can be prevented
by ASLR.

Even then, it might be worth it, but I just don't find any
performance hit acceptable, even when it is turned off.

> I've had very basic security checks, that could be easily circumvented,
> stop actual script kiddies before. Had they persisted longer I would
> have been in major trouble. If I explained what it is you would surely
> laugh it off and tell me to not bother. Well it worked. ASLR has its
> place too.
>

The fact that Sony Pictures was breached doesn't mean I am
turning off my firewall, but I won't be deploying anything based
on Enigma just because "it's better than nothing".

Pedro.
