• DevSummit
• 201708
• Security_mitigation

Mitigation Techniques

Reviewed mitigation technologies we should consider and attempted to decide if we should put effort into implementation.

W^X

• Basic implementation is perhaps 25 lines of unified diff
• Deployment question; how do we accommodate applications
• From CHERI, specify maximum permission
• Further discussion in Friday session
• Implementation strategy: add code to log W^X violations
  • ktrace / dtrace / audit / log entry
• What static analysis could be done to identify W^X violations?
• need ports infrastructure

noexec stack

• Get shared page support turned on everywhere to remove signal trampoline from stack.
• Should audit libraries in ports.
  • libffi impacts many programs and requires executable stacks currently

CFI

• Clang - does not play well with shared libraries
  • Now "functions" but is not effective across library boundaries
• Tiny bit of compiler-rt runtime
• Requires LTO
• PAX GPL+Patent Pending RAP

ASLR

• Two patches exist
  • HardenedBSD
    • vdso disabled after 3x
  • kib
    • also has disable-after-n-collisions
• javascript, python, ... issues
• Do we want it at all?
  • Yes, even if it can be bypassed it does increase work factor
• Malloc may reduce available key space
  • Does jemalloc 5 layout change have any impact?
• Next steps
  • Commit kib's patch (with or without process hierarchy control)
  • Extend control framework

KASLR

• Insufficient entropy
• We likely leak through entirely too many interfaces
  • Apple has been eliminating kernel address exposure
• Therefore KASLR is probably not worth implementing

SafeStack

• EPFL Has a fork of FreeBSD, patches to libc etc. to make this work
• (David) not sure this buys you very much

• HW vendors looking at implementing in HW what SafeStack does

• It's a really interesting research project, but likely we should bypass
• What is the implementation / maintenance cost?
  • setjmp, longjmp, ucontext
  • pthread interaction
  • applications that implement their own threading
• Perhaps we could provide it only for statically linked things?
  • Would require patched crt*.o, libc, etc

SW PAN emulation (UDREF)

• Fine if it shows up, but do not expect to direct effort on it

PAN, SMAP

• PAN is committed
• SMAP old GSOC to revive and do

PXN, SMEP

• PXN is committed
• SMEP unstarted

Live patching

• Interesting, but each patch requires significant, one-off effort.
• Project unlikely to have resources.

Refcount type / saturating or panic reference count

• Defend against refcount wrapping to 1 and then deleting on decrement.
• Already here (gleb)?

Mitigation control, deployment

• force on / force off / unspecified
• process, system, ELF object
• sticky or not across exec
• toolchain support - ld should be able to set these
• Integrating support into ports build - would allow interesting tests to be performed across 27k ports
• Report bad ports - pkg audit should report ports that don't specify nx stack or other mitigations

TODOs

• Add logging of W^X violations
• Commit ASLR patch
• Reconcile hardening list in installer with defaults
• Have installer run FreeBSD-update