Message ID | 20191027174438.25795-1-hauke@hauke-m.de
---|---
Series | buildsystem: Activate PIE ASLR for some packages
On 2019-10-27 18:44, Hauke Mehrtens wrote:
> This is a follow up patch on this discussion on the mailing list:
> https://patchwork.ozlabs.org/patch/1041647/
>
> This allows activating PIE only for some packages where we think it is
> necessary and not only globally for all of them.
>
> Hauke Mehrtens (6):
>   buildsystem: Make PIE ASLR option tristate
>   dnsmasq: Activate PIE by default
>   dropbear: Activate PIE by default
>   hostapd: Activate PIE by default
>   uhttpd: Activate PIE by default
>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>
>  config/Config-build.in                       | 22 ++++++++++++++++----
>  include/hardening.mk                         |  9 +++++++-
>  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
>  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
>  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
>  package/network/config/ltq-vdsl-app/Makefile |  1 -
>  package/network/services/dnsmasq/Makefile    |  1 +
>  package/network/services/dropbear/Makefile   |  1 +
>  package/network/services/hostapd/Makefile    |  1 +
>  package/network/services/uhttpd/Makefile     |  1 +
>  13 files changed, 30 insertions(+), 13 deletions(-)

I think ASLR's value needs to be evaluated, especially due to the
performance penalty (hostapd mainly in that regard) and not to forget
the size increase, depending on how long OpenWrt intends to keep 8 MByte
devices around, as 4 MByte devices are more or less unsupported by now.
It's probably a better idea to only enable it on aarch64 and x86-64
where size isn't as much of a concern and where it probably(?) receives
most exposure, to avoid unnecessary breakage.

http://intx0x80.blogspot.com/2018/04/bypass-aslrnx-part-1.html
https://svnweb.freebsd.org/base?view=revision&revision=343964

Might also be worth taking into consideration.

Best regards,
Daniel
On 10/28/19 10:14 AM, Daniel Engberg wrote:
> On 2019-10-27 18:44, Hauke Mehrtens wrote:
>> This is a follow up patch on this discussion on the mailing list:
>> https://patchwork.ozlabs.org/patch/1041647/
>>
>> This allows activating PIE only for some packages where we think it is
>> necessary and not only globally for all of them.
>>
>> Hauke Mehrtens (6):
>>   buildsystem: Make PIE ASLR option tristate
>>   dnsmasq: Activate PIE by default
>>   dropbear: Activate PIE by default
>>   hostapd: Activate PIE by default
>>   uhttpd: Activate PIE by default
>>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>>
>>  config/Config-build.in                       | 22 ++++++++++++++++----
>>  include/hardening.mk                         |  9 +++++++-
>>  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
>>  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
>>  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
>>  package/network/config/ltq-vdsl-app/Makefile |  1 -
>>  package/network/services/dnsmasq/Makefile    |  1 +
>>  package/network/services/dropbear/Makefile   |  1 +
>>  package/network/services/hostapd/Makefile    |  1 +
>>  package/network/services/uhttpd/Makefile     |  1 +
>>  13 files changed, 30 insertions(+), 13 deletions(-)
>
> I think ASLR's value needs to be evaluated, especially due to the
> performance penalty (hostapd mainly in that regard) and not to forget
> the size increase, depending on how long OpenWrt intends to keep 8 MByte
> devices around, as 4 MByte devices are more or less unsupported by now.
> It's probably a better idea to only enable it on aarch64 and x86-64
> where size isn't as much of a concern and where it probably(?) receives
> most exposure, to avoid unnecessary breakage.
>
> http://intx0x80.blogspot.com/2018/04/bypass-aslrnx-part-1.html
> https://svnweb.freebsd.org/base?view=revision&revision=343964
>
> Might also be worth taking into consideration.
>
> Best regards,
> Daniel

Yes, ASLR is not preventing any exploits, it just makes it harder for an
attacker, like most other mechanisms too. Especially on 32 bit platforms
like MIPS 32 bit and ARM 32 bit we only use 8 bits of the address for
ASLR; on 64 bit platforms this feature is a lot more useful as we have a
lot more bits.

I am wondering why the kernel takes CONFIG_ARCH_MMAP_RND_BITS_MIN as the
default for CONFIG_ARCH_MMAP_RND_BITS and not the max value; on MIPS
32 bit min is 8 bits and max is 16 bits.
https://elixir.bootlin.com/linux/v4.19.79/source/arch/Kconfig#L598

Do you know any benchmark results measuring the performance penalty of
ASLR and PIE?

Hauke
On 10/27/19 6:44 PM, Hauke Mehrtens wrote:
> This is a follow up patch on this discussion on the mailing list:
> https://patchwork.ozlabs.org/patch/1041647/
>
> This allows activating PIE only for some packages where we think it is
> necessary and not only globally for all of them.
>
> Hauke Mehrtens (6):
>   buildsystem: Make PIE ASLR option tristate
>   dnsmasq: Activate PIE by default
>   dropbear: Activate PIE by default
>   hostapd: Activate PIE by default
>   uhttpd: Activate PIE by default
>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>
>  config/Config-build.in                       | 22 ++++++++++++++++----
>  include/hardening.mk                         |  9 +++++++-
>  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
>  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
>  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
>  package/network/config/ltq-vdsl-app/Makefile |  1 -
>  package/network/services/dnsmasq/Makefile    |  1 +
>  package/network/services/dropbear/Makefile   |  1 +
>  package/network/services/hostapd/Makefile    |  1 +
>  package/network/services/uhttpd/Makefile     |  1 +
>  13 files changed, 30 insertions(+), 13 deletions(-)
>

Hi,

I would like to apply these patches to master?

Are there any objections to this? I already activated LTO to reduce the
size for all these components and the lantiq patch is already applied.

Hauke
On Tue, Jan 7, 2020 at 2:21 PM Hauke Mehrtens <hauke@hauke-m.de> wrote:
>
> On 10/27/19 6:44 PM, Hauke Mehrtens wrote:
> > This is a follow up patch on this discussion on the mailing list:
> > https://patchwork.ozlabs.org/patch/1041647/
> >
> > This allows activating PIE only for some packages where we think it is
> > necessary and not only globally for all of them.
> >
> > Hauke Mehrtens (6):
> >   buildsystem: Make PIE ASLR option tristate
> >   dnsmasq: Activate PIE by default
> >   dropbear: Activate PIE by default
> >   hostapd: Activate PIE by default
> >   uhttpd: Activate PIE by default
> >   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
> >
> >  config/Config-build.in                       | 22 ++++++++++++++++----
> >  include/hardening.mk                         |  9 +++++++-
> >  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
> >  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
> >  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
> >  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
> >  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
> >  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
> >  package/network/config/ltq-vdsl-app/Makefile |  1 -
> >  package/network/services/dnsmasq/Makefile    |  1 +
> >  package/network/services/dropbear/Makefile   |  1 +
> >  package/network/services/hostapd/Makefile    |  1 +
> >  package/network/services/uhttpd/Makefile     |  1 +
> >  13 files changed, 30 insertions(+), 13 deletions(-)
> >
>
> Hi,
>
> I would like to apply these patches to master?
>
> Are there any objections to this? I already activated LTO to reduce the
> size for all these components and the lantiq patch is already applied.

ACK from me.

>
> Hauke
>
Hauke Mehrtens <hauke@hauke-m.de> [2020-01-07 23:21:19]:

Hi,

thanks for your work.

> > Hauke Mehrtens (6):
> >   buildsystem: Make PIE ASLR option tristate
> >   dnsmasq: Activate PIE by default
> >   dropbear: Activate PIE by default
> >   hostapd: Activate PIE by default
> >   uhttpd: Activate PIE by default
> >   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers

just wondering, if there is any particular reason for leaving odhcp6c and
odhcpd out, as these are network-exposed services running in the default
install.

Thinking about it now, we should probably consider ubus, procd, rpcd and
cgi-io (perhaps missed something) which might possibly process malicious
inputs as well.

BTW I'm wondering how does this work with the shared libraries, like musl
libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
in order to get `TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?

> I would like to apply these patches to master?

I don't know if you've something newer in your tree, just looked at your aslr
branch in your staging tree:

+ default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)

Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
reason for !SDK? That way binary/library.

> Are there any objections to this? I already activated LTO to reduce the
> size for all these components and the lantiq patch is already applied.

I don't have any objections, I welcome this additional hardening. Which branch
can I use for runtime testing? I plan to test it and give you my Acked-by.

--
ynezz
On 1/8/20 7:24 AM, Petr Štetiar wrote:
> Hauke Mehrtens <hauke@hauke-m.de> [2020-01-07 23:21:19]:
>
> Hi,
>
> thanks for your work.
>
>>> Hauke Mehrtens (6):
>>>   buildsystem: Make PIE ASLR option tristate
>>>   dnsmasq: Activate PIE by default
>>>   dropbear: Activate PIE by default
>>>   hostapd: Activate PIE by default
>>>   uhttpd: Activate PIE by default
>>>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>
> just wondering, if there is any particular reason for leaving odhcp6c and
> odhcpd out, as these are network-exposed services running in the default
> install.

I just didn't think about them. We could just add an extra patch to
activate it for them too.

> Thinking about it now, we should probably consider ubus, procd, rpcd and
> cgi-io (perhaps missed something) which might possibly process malicious
> inputs as well.

Then we have more or less everything. ;-)

> BTW I'm wondering how does this work with the shared libraries, like musl
> libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
> in order to get `TARGET_LDFLAGS += $(FPIC)
> -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?

Shared libraries are always linked position independent, and the kernel
already loads them at random address offsets.

>> I would like to apply these patches to master?
>
> I don't know if you've something newer in your tree, just looked at your aslr
> branch in your staging tree:

You can find the newest version here:
https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/aslr

> + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
>
> Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
> reason for !SDK? That way binary/library.

When something is built in the SDK I always want to use
PKG_ASLR_PIE_REGULAR by default. In our build infrastructure we build
packages common to multiple targets in the SDK, and there I always want
to use PKG_ASLR_PIE_REGULAR as the default option to activate ASLR when
the same package is used on a tiny and a normal target. I hope it will
work like this. I want to prevent that some tiny target is used to build
the additional packages and then this gets accidentally deactivated.

>> Are there any objections to this? I already activated LTO to reduce the
>> size for all these components and the lantiq patch is already applied.
>
> I don't have any objections, I welcome this additional hardening. Which branch
> can I use for runtime testing? I plan to test it and give you my Acked-by.

The disadvantage is that the size increases, otherwise I would activate
it for all binaries.

This is one example for dropbear:
------------------------------------------------------------------------
root@OpenWrt:/# cat /proc/1200/maps
5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
5565d000-5565e000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
5565e000-5565f000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
77e89000-77eab000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77eab000-77eac000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
77eac000-77ead000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
77f53000-77f55000 rwxp 00096000 fe:00 286 /lib/libc.so
77f55000-77f57000 rwxp 00000000 00:00 0
7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff70000-7ff72000 r--p 00000000 00:00 0 [vvar]
7ff72000-7ff73000 r-xp 00000000 00:00 0 [vdso]
root@OpenWrt:/# /etc/init.d/dropbear restart
root@OpenWrt:/# ps |grep dropbear
 2299 root      1108 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
 2315 root      1212 S    grep dropbear
root@OpenWrt:/# cat /proc/2299/maps
55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
55596000-55597000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
55597000-55598000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
77f12000-77f34000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77f34000-77f35000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
77f35000-77f36000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
77fdc000-77fde000 rwxp 00096000 fe:00 286 /lib/libc.so
77fde000-77fe0000 rwxp 00000000 00:00 0
7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
7ff73000-7ff75000 r--p 00000000 00:00 0 [vvar]
7ff75000-7ff76000 r-xp 00000000 00:00 0 [vdso]
root@OpenWrt:/#
------------------------------------------------------------------------

All sections are loaded to different addresses the second time, except
7fefc000 ;-)

Hauke
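The by-hand comparison of the two /proc/<pid>/maps dumps above, turned into a check; this is an added example, not code from the thread or from OpenWrt. The two snapshots are abridged copies of the dropbear output quoted in the message, and the key used for nameless anonymous mappings is a heuristic of this example.

```python
"""Check PIE/ASLR relocation from two /proc/<pid>/maps snapshots.
Added example, not code from the OpenWrt thread: it parses the dropbear maps
dumps quoted above (abridged) and reports how far each load base moved."""
import re

PAGE_SHIFT = 12  # 4 KiB pages, as on the MIPS board in the thread
# start-end perms offset dev inode [pathname]; shell prompts simply don't match.
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")

# First mapping of each object, copied from the thread's dumps taken before and
# after "/etc/init.d/dropbear restart".
BEFORE = """\
5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
77e89000-77eab000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
"""
AFTER = """\
55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
77f12000-77f34000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
7fefc000-7fefd000 r-xp 00000000 00:00 0
"""

def parse_maps(text):
    """Return (start, end, perms, path) tuples for every maps line in text."""
    rows = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            start, end, perms, path = m.groups()
            rows.append((int(start, 16), int(end, 16), perms, path.strip()))
    return rows

def load_bases(rows):
    """Lowest start address per object; nameless anonymous mappings have no
    stable identity, so they are keyed (heuristically) by permissions and size."""
    bases = {}
    for start, end, perms, path in rows:
        key = path or f"anon:{perms}:{end - start:#x}"
        bases[key] = min(start, bases.get(key, start))
    return bases

def base_shifts(before_text, after_text):
    """Object key -> shift of its load base in pages (after minus before)."""
    b = load_bases(parse_maps(before_text))
    a = load_bases(parse_maps(after_text))
    return {k: (a[k] - b[k]) >> PAGE_SHIFT for k in b if k in a}

def unrelocated(before_text, after_text):
    """Objects whose load base did not move at all, i.e. escaped ASLR."""
    return sorted(k for k, s in base_shifts(before_text, after_text).items() if s == 0)
```

On the thread's data the executable moves by -199 pages and the stack by 39, while libc and libgcc both move by the same 137 pages because they are placed relative to one randomised mmap base; only the anonymous r-xp page at 7fefc000 stays put.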
> On Jan 8, 2020, at 3:10 PM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
>
> On 1/8/20 7:24 AM, Petr Štetiar wrote:
>> Hauke Mehrtens <hauke@hauke-m.de> [2020-01-07 23:21:19]:
>>
>> Hi,
>>
>> thanks for your work.
>>
>>>> Hauke Mehrtens (6):
>>>>   buildsystem: Make PIE ASLR option tristate
>>>>   dnsmasq: Activate PIE by default
>>>>   dropbear: Activate PIE by default
>>>>   hostapd: Activate PIE by default
>>>>   uhttpd: Activate PIE by default
>>>>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>>
>> just wondering, if there is any particular reason for leaving odhcp6c and
>> odhcpd out, as these are network-exposed services running in the default
>> install.
>
> I just didn't think about them. We could just add an extra patch to
> activate it for them too.
>
>> Thinking about it now, we should probably consider ubus, procd, rpcd and
>> cgi-io (perhaps missed something) which might possibly process malicious
>> inputs as well.
>
> Then we have more or less everything. ;-)
>
>> BTW I'm wondering how does this work with the shared libraries, like musl
>> libc, openssl, libubox? Don't they need PKG_ASLR_PIE_REGULAR enabled as well
>> in order to get `TARGET_LDFLAGS += $(FPIC)
>> -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs` ?
>
> Shared libraries are always linked position independent, and the kernel
> already loads them at random address offsets.
>
>>> I would like to apply these patches to master?
>>
>> I don't know if you've something newer in your tree, just looked at your aslr
>> branch in your staging tree:
>
> You can find the newest version here:
> https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/aslr
>
>> + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
>>
>> Nice, that you've enabled this for !SMALL_FLASH devices. BTW what is the
>> reason for !SDK? That way binary/library.
>
> When something is built in the SDK I always want to use
> PKG_ASLR_PIE_REGULAR by default. In our build infrastructure we build
> packages common to multiple targets in the SDK, and there I always want
> to use PKG_ASLR_PIE_REGULAR as the default option to activate ASLR when
> the same package is used on a tiny and a normal target. I hope it will
> work like this. I want to prevent that some tiny target is used to build
> the additional packages and then this gets accidentally deactivated.
>
>>> Are there any objections to this? I already activated LTO to reduce the
>>> size for all these components and the lantiq patch is already applied.
>>
>> I don't have any objections, I welcome this additional hardening. Which branch
>> can I use for runtime testing? I plan to test it and give you my Acked-by.
>
> The disadvantage is that the size increases, otherwise I would activate
> it for all binaries.
>
> This is one example for dropbear:
> ------------------------------------------------------------------------
> root@OpenWrt:/# cat /proc/1200/maps
> 5561e000-5564d000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
> 5565d000-5565e000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
> 5565e000-5565f000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
> 77e89000-77eab000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
> 77eab000-77eac000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
> 77eac000-77ead000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
> 77ead000-77f44000 r-xp 00000000 fe:00 286 /lib/libc.so
> 77f53000-77f55000 rwxp 00096000 fe:00 286 /lib/libc.so
> 77f55000-77f57000 rwxp 00000000 00:00 0
> 7fc95000-7fcb6000 rw-p 00000000 00:00 0 [stack]
> 7fefc000-7fefd000 r-xp 00000000 00:00 0
> 7ff70000-7ff72000 r--p 00000000 00:00 0 [vvar]
> 7ff72000-7ff73000 r-xp 00000000 00:00 0 [vdso]
> root@OpenWrt:/# /etc/init.d/dropbear restart
> root@OpenWrt:/# ps |grep dropbear
>  2299 root      1108 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
>  2315 root      1212 S    grep dropbear
> root@OpenWrt:/# cat /proc/2299/maps
> 55557000-55586000 r-xp 00000000 fe:00 1024 /usr/sbin/dropbear
> 55596000-55597000 r-xp 0002f000 fe:00 1024 /usr/sbin/dropbear
> 55597000-55598000 rwxp 00030000 fe:00 1024 /usr/sbin/dropbear
> 77f12000-77f34000 r-xp 00000000 fe:00 288 /lib/libgcc_s.so.1
> 77f34000-77f35000 r-xp 00012000 fe:00 288 /lib/libgcc_s.so.1
> 77f35000-77f36000 rwxp 00013000 fe:00 288 /lib/libgcc_s.so.1
> 77f36000-77fcd000 r-xp 00000000 fe:00 286 /lib/libc.so
> 77fdc000-77fde000 rwxp 00096000 fe:00 286 /lib/libc.so
> 77fde000-77fe0000 rwxp 00000000 00:00 0
> 7fcbc000-7fcdd000 rw-p 00000000 00:00 0 [stack]
> 7fefc000-7fefd000 r-xp 00000000 00:00 0
> 7ff73000-7ff75000 r--p 00000000 00:00 0 [vvar]
> 7ff75000-7ff76000 r-xp 00000000 00:00 0 [vdso]
> root@OpenWrt:/#
> ------------------------------------------------------------------------
>
> All sections are loaded to different addresses the second time, except
> 7fefc000 ;-)

Yousong has a patch that gets rid of that. What happened to it?

>
> Hauke
>