# HARDENED & ASLR & SEGVGUARD & Grsecurity for FreeBSD 10 & 11



## bryn1u (May 14, 2014)

First of all: the latest versions are available below!

This is what I've been waiting for a long time!



> Hey All,
> 
> [NOTE: crossposting between freebsd-current@, freebsd-security@, and
> freebsd-stable@. Please forgive me if crossposting is frowned upon.]
> ...



Try it, people! Now I'm getting to love FreeBSD much better!
https://www.soldierx.com/news/Administe ... wall-Rules


----------



## bryn1u (May 20, 2014)

*Re: ASLR, PIE, and segvguard patch! FreeBSD 10, 11*

I have been trying the patch for a few minutes and must say it rocks! ASLR has been implemented with ugidfw (mac_bsdextended.ko), which is the best solution.


```
root@ns4004894:~ # sysctl -a | grep pax
security.pax.aslr.status: 1
security.pax.aslr.debug: 0
security.pax.aslr.mmap_len: 21
security.pax.aslr.stack_len: 16
security.pax.aslr.exec_len: 21
security.pax.aslr.compat.status: 1
security.pax.aslr.compat.mmap_len: 8
security.pax.aslr.compat.stack_len: 6
security.pax.aslr.compat.exec_len: 6
security.pax.segvguard.status: 1
security.pax.segvguard.debug: 0
security.pax.segvguard.expiry_timeout: 120
security.pax.segvguard.suspend_timeout: 600
security.pax.segvguard.max_crashes: 5
root@ns4004894:~ #
```
Example using mac_bsdextended

```
root@ns4004894:~ # ugidfw add subject not uid root object uid root mode rxws paxflags a
0 subject not uid root object uid root mode rswx paxflags a
root@ns4004894:~ # ugidfw list
1 slots, 1 rules
0 subject not uid root object uid root mode rswx paxflags a
```


----------



## bryn1u (May 26, 2014)

*Re: ASLR, PIE, and segvguard patch! FreeBSD 10, 11*

A new round of patches is here:

FreeBSD 11 - CURRENT -> http://www.crysys.hu/~op/freebsd/patches/20140524011327-freebsd-current-aslr-segvguard-SNAPSHOT.diff
FreeBSD 10 - STABLE -> http://www.crysys.hu/~op/freebsd/pa...reebsd-stable-10-aslr-segvguard-SNAPSHOT.diff



```
root@ns3306115:~ # umount /jails
[PAX ASLR] orig_addr=0x7fffffffafe0, new_addr=0x7ffffffd3fd0
root@ns3306115:~ # mount
[PAX ASLR] orig_addr=0x7fffffffafe0, new_addr=0x7fffffff4c78
root@ns3306115:~ # zpool create -f -O compress=lz4 jails ada0s1g
[PAX ASLR] orig_addr=0x7fffffffafe0, new_addr=0x7ffffff9fd00
```


----------



## bryn1u (Jun 30, 2014)

*Re: ASLR, PIE, and segvguard patch! FreeBSD 10, 11*

I have received by mail a new version of the security patch for FreeBSD (ASLR & SEGVGUARD):

*Download:*

28.06.2014 - For FreeBSD 10 - STABLE
21.06.2014 - For FreeBSD 11 - CURRENT

*FreeBSD 10 - STABLE: http://oksymoron.edu.pl/~bryn1u/FreeBSD ... able.patch*
*FreeBSD 11 - CURRENT: http://oksymoron.edu.pl/~bryn1u/FreeBSD ... rent.patch*



> Hey all,
> 
> Here's what's changed since our last our of patches on 24 May 2014:
> Shawn Webb:
> ...


----------



## bryn1u (Jul 2, 2014)

Exploit Mitigation Techniques: an Update After 10 Years

http://tech.yandex.com/events/ruBSD/2013/talks/103/


----------



## byuu (Jul 6, 2014)

Relevant is this awesome presentation on ASLR's implementation in FreeBSD by Shawn Webb: https://www.youtube.com/watch?v=jo8ObzR1tKQ
(edit: fixed speaker name, sorry for the mistake.)



			
				bryn1u said:
			
		

> Exploit Mitigation Techniques: an Update After 10 Years
> 
> http://tech.yandex.com/events/ruBSD/2013/talks/103/



(Wow, quite the condescension in that talk toward FreeBSD.)

Yeah, OpenBSD definitely had ASLR support before FreeBSD.

That totally makes up for OpenBSD's continued lack of GPT (let alone SecureBoot) support, for an installer that can't do whole-disk encryption, mirroring or striping, for having no SSD TRIM support, weaker SMP support, lack of memcontrol to configure memory sections, lack of binary nvidia drivers for best-in-class OpenGL support (leaving you with _hopelessly_ slow nv or resolution-crippled vesa), lack of many important ports such as brasero, xfburn4, clearlooks-phenix-theme, iboz-mozc (... and higan :cough, several conflict selections when installing binary packages, lack of support for USB audio devices such as the Creative X-Fi, lack of /usr/ports immediately after a full base install, lack of ZFS for volume management and software RAID, lack of DTrace for easier debugging, lack of a democratically-appointed rotating leadership team (instead following the Linux model of one leader with a tendency to scare off businesses and professionals with often very valid yet still quite crass comments), lack of Clang to replace GCC for a more permissively licensed system, on and on.

But hey, it had a security feature that sometimes mitigates certain classes of exploits sooner. So it's totally worth calling out and denigrating the competition instead of working together to make a single BSD OS that is great at everything, right? =)


----------



## wblock@ (Jul 6, 2014)

byuu said:

> Relevant is this awesome presentation on ASLR's implementation in FreeBSD by Andrew Ross: https://www.youtube.com/watch?v=jo8ObzR1tKQ



The talk is actually by Shawn Webb.  Andrew Ross is the guy responsible for creating so many of these high-quality videos of conference presentations.


----------



## CoTones (Jul 6, 2014)

byuu said:

> That totally makes up for OpenBSD's continued lack of GPT (let alone SecureBoot) support, for an installer that can't do whole-disk encryption, mirroring or striping, for having no SSD TRIM support, weaker SMP support, lack of memcontrol to configure memory sections, lack of binary nvidia drivers for best-in-class OpenGL support (leaving you with _hopelessly_ slow nv or resolution-crippled vesa), lack of many important ports such as brasero, xfburn4, clearlooks-phenix-theme, iboz-mozc (... and higan :cough, several conflict selections when installing binary packages, lack of support for USB audio devices such as the Creative X-Fi, lack of /usr/ports immediately after a full base install, lack of ZFS for volume management and software RAID, lack of DTrace for easier debugging, lack of a democratically-appointed rotating leadership team (instead following the Linux model of one leader with a tendency to scare off businesses and professionals with often very valid yet still quite crass comments), lack of Clang to replace GCC for a more permissively licensed system, on and on.
> 
> But hey, it had a security feature that sometimes mitigates certain classes of exploits sooner. So it's totally worth calling out and denigrating the competition instead of working together to make a single BSD OS that is great at everything, right? =)



Surprise, surprise: OpenBSD "lacks" so many useful things; still, its developers do all their work in the same OS.
According to you, FreeBSD is so feature-rich compared with OpenBSD; still, most (if not all) developers refuse to work in FreeBSD. They use Apple's Mac OS X and run FreeBSD virtually.

See the preferences and patterns? Who cares about super duper technology if it's a pain in the ass to use?


----------



## wblock@ (Jul 6, 2014)

Let's not take any of this personally, okay?  It's reasonable that FreeBSD and OpenBSD have different features, because they concentrate on and value different things.  Each can point at the other and say "look at the silly priorities those guys have".


----------



## byuu (Jul 6, 2014)

Yeah sorry, I wasn't meaning to derail. Was just kind of annoyed at that linked video commentary at the end.

I split off my comparison to the off-topic area, so if you want to delete these posts, please feel free.

And CoTones, is Oko your alt-account, or perhaps a good friend of yours? Just curious.


----------



## CoTones (Jul 7, 2014)

byuu said:

> And CoTones, is Oko your alt-account, or perhaps a good friend of yours? Just curious.



No, but we both use BSDs and brains (no offense!) :e


----------



## byuu (Jul 7, 2014)

Ah. You both seem to have an almost identical one, is all. Same grammatical style, same OpenBSD position, and the same concern about what kind of laptops others are using. Nothing wrong with that, but the resemblance is uncanny!


----------



## bryn1u (Dec 23, 2014)

Security FreeBSD vs OpenBSD !
http://networkfilter.blogspot.com/2014/12/security-openbsd-vs-freebsd.html

About the features of hardened FreeBSD:

*Short Summary*
The HardenedBSD project aims to continuously add advanced exploit mitigation technologies and security hardening features to FreeBSD. We have implemented Address Space Layout Randomization (ASLR), mprotect(exec) hardening, PTrace restrictions, among other features. We will work to upstream to FreeBSD most features we implement in HardenedBSD.

The HardenedBSD project officially launched in August 2014. In just these past few months, development has really taken off. We are in need of a new server to automate the build process and unify development.

*What We've Accomplished*
We've already implemented these features in HardenedBSD:
- Address Space Layout Randomization (ASLR)
- Basic mprotect hardening
- PTrace restrictions
- OpenBSD's getentropy system call
- Migration of arc4random to chacha20
- SegvGuard
- Framework in the base system to create Position-Independent Executables (PIEs)
- Custom package repository

*What We're Currently Working On*
We're actively working on quite a few projects:
- Upstreaming ASLR to FreeBSD
- Advanced mprotect hardening
- Kernel W^X, KERNEXEC, and UDEREF
- Removal of obsolete image activators (such as a.out)
- Improvements to ASLR: VDSO randomization and efficient shared stack randomization
- Self-validating build automation with Jenkins, ZFS, and bhyve
- The full grsecurity patchset
- secfw, an intelligent replacement for ugidfw
- Ports framework support for PIE


----------



## gkbsd (Dec 23, 2014)

Impressive work, can't wait to see it stable and rock solid, and upstreamed to FreeBSD.

Regards,
Guillaume


----------



## bryn1u (Feb 24, 2015)

A new step in the future of FreeBSD-11-HARDENEDBSD.
Mode: kiddie:

```
[root@Indyferentny ~/paxtest-0.9.11]# ./paxtest
usage: paxtest [kiddie|blackhat]
[root@Indyferentny ~/paxtest-0.9.11]# ./paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
FreeBSD Indyferentny.pl 11.0-CURRENT FreeBSD 11.0-CURRENT #9 193deb4(hardened/current/master)-dirty: Tue Feb 24 02:49:24 CET 2015     bryn1u@Indyferentny.pl:/usr/obj/usr/src/sys/HARDENEDBSD  amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 30 bits (guessed)
Heap randomisation test (ET_EXEC)        : 20 bits (guessed)
Heap randomisation test (PIE)            : 21 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 21 bits (guessed)
Shared library randomisation test        : 30 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 20 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 20 bits (guessed)
Randomization under memory exhaustion @~0: 31 bits (guessed)
Randomization under memory exhaustion @0 : 30 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (memcpy, PIE)         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable
```
Mode: blackhat:

```
[root@Indyferentny ~/paxtest-0.9.11]# ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
FreeBSD Indyferentny.pl 11.0-CURRENT FreeBSD 11.0-CURRENT #9 193deb4(hardened/current/master)-dirty: Tue Feb 24 02:49:24 CET 2015     bryn1u@Indyferentny.pl:/usr/obj/usr/src/sys/HARDENEDBSD  amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 30 bits (guessed)
Heap randomisation test (ET_EXEC)        : 20 bits (guessed)
Heap randomisation test (PIE)            : 20 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 21 bits (guessed)
Shared library randomisation test        : 30 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 20 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 20 bits (guessed)
Randomization under memory exhaustion @~0: 30 bits (guessed)
Randomization under memory exhaustion @0 : 30 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (memcpy, PIE)         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

[root@Indyferentny ~/paxtest-0.9.11]#
```



> Add PAX_ASLR and PAX_SYSCTLS options to your kernel config. Recompile and install world and kernel. Reboot and execute a shell, running procstat -v <pid> inside of it to see that the process' memory is randomized.
> Or execute paxtest from this link: https://github.com/HardenedBSD/tool...test-freebsd/paxtest-0.9.11-fbsd64-Hunger.tgz


My sysctl hardening:

```
[root@Indyferentny ~/paxtest-0.9.11]# sysctl hardening
hardening.pax.aslr.status: 2
hardening.pax.aslr.mmap_len: 30
hardening.pax.aslr.stack_len: 20
hardening.pax.aslr.exec_len: 21
hardening.pax.aslr.compat.status: 2
hardening.pax.aslr.compat.mmap_len: 8
hardening.pax.aslr.compat.stack_len: 8
hardening.pax.aslr.compat.exec_len: 8
hardening.pax.segvguard.status: 1
hardening.pax.segvguard.debug: 0
hardening.pax.segvguard.expiry_timeout: 120
hardening.pax.segvguard.suspend_timeout: 600
hardening.pax.segvguard.max_crashes: 5
hardening.version: 16
hardening.log.log: 1
hardening.log.ulog: 0
hardening.allow_map32bit: 0
hardening.mprotect_exec_harden: 1
hardening.procfs_harden: 1
hardening.ptrace_hardening.status: 1
hardening.ptrace_hardening.gid: 50000
[root@Indyferentny ~/paxtest-0.9.11]#
```
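As an added example (not from this thread or the HardenedBSD project), a small Python script that parses paxtest and `sysctl hardening` output in the formats shown above and flags what a defender would want to see at a glance: tests reported as `Vulnerable`, randomisation tests below a minimum entropy, and hardening knobs set to 0. The sample lines are a constructed subset of the output above, and the 16-bit minimum and the list of required sysctls are assumed policy values, not anything the patch defines.

```python
import re

# Constructed sample: a subset of the paxtest and "sysctl hardening" lines shown above.
PAXTEST_SAMPLE = """\
Executable stack                         : Killed
Anonymous mapping randomisation test     : 30 bits (guessed)
Heap randomisation test (ET_EXEC)        : 20 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 21 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Writable text segments                   : Vulnerable
"""
SYSCTL_SAMPLE = """\
hardening.pax.aslr.status: 2
hardening.pax.segvguard.status: 1
hardening.mprotect_exec_harden: 1
hardening.ptrace_hardening.status: 0
"""
BITS_RE = re.compile(r"^(\d+) bits")

# Assumed policy: which knobs must be non-zero on a hardened host.
REQUIRED_SYSCTLS = ("hardening.pax.aslr.status", "hardening.pax.segvguard.status",
                    "hardening.mprotect_exec_harden", "hardening.ptrace_hardening.status")

def parse_kv(text):
    """Turn 'name: value' lines (paxtest results or sysctl output) into a dict."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            out[name.strip()] = value.strip()
    return out

def audit_paxtest(results, min_bits=16):
    """Return (severity, test, detail) findings for one paxtest run."""
    findings = []
    for test, result in results.items():
        m = BITS_RE.match(result)
        if result == "Vulnerable":
            findings.append(("FAIL", test, result))
        elif m and int(m.group(1)) < min_bits:
            findings.append(("WARN", test, f"only {m.group(1)} bits of entropy"))
        elif result == "No randomisation":
            # A non-PIE (ET_EXEC) main executable cannot be relocated, so this is expected.
            findings.append(("INFO" if "(ET_EXEC)" in test else "FAIL", test, result))
    return findings

def audit_sysctl(values, required=REQUIRED_SYSCTLS):
    """List required hardening knobs that are missing or set to 0."""
    return [k for k in required if values.get(k, "0") == "0"]

if __name__ == "__main__":
    for finding in audit_paxtest(parse_kv(PAXTEST_SAMPLE)):
        print(*finding)
    print("disabled:", audit_sysctl(parse_kv(SYSCTL_SAMPLE)))
```

On a real host, feed it the saved paxtest.log and the output of `sysctl hardening` instead of the embedded samples.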


----------

