[arch-dev-public] Proposal: enabling full ASLR on x86_64 via hardening-wrapper

Daniel Micay danielmicay at gmail.com
Fri Dec 19 19:49:04 UTC 2014


On 19/12/14 03:50 AM, Lukas Jirkovsky wrote:
>
> No matter how much I like the idea of making Arch more secure, there
> is one thing that makes compiling the whole system with ASLR one big
> no-go for me (please correct me if I'm wrong). As far as I know, the
> ASLR makes core dumps completely useless, and also makes it impossible
> to make any sense from addresses in backtrace (assume that you get a
> backtrace from an application without debugging symbols). I guess the
> same thing would happen with valgrind, too.
> 
> I would be OK with building things from core with ASLR, as they should
> be very stable, but not whole Arch.
> 
> Lukas

The addresses of dynamic libraries, the stack and the heap (both sbrk and
the mmap base) are already randomized today, so the backtrace is already
going to include randomized addresses for anything defined in a library.

PIE makes it possible for the executable base to be relocated, which
*also* randomizes the code and data defined in the executable and some
global data structures like the GOT / PLT. ASLR needs PIE to be a truly
useful exploit mitigation but it's still there without it.

An executable that is compiled as PIE is compatible with full ASLR, but it
doesn't force users to use it. ASLR can be disabled by setting
/proc/sys/kernel/randomize_va_space to 0. It's also possible to do it
for a single process (a far better idea), which this wrapper tool will do:

#include <err.h>              /* err(), errx() */
#include <sys/personality.h>  /* personality(), ADDR_NO_RANDOMIZE */
#include <unistd.h>           /* execvp() */

int main(int argc, char **argv) {
    if (argc < 2)
        errx(1, "not enough arguments");
    /* 0xffffffff queries the current persona without changing it */
    int orig_personality = personality(0xffffffff);
    if (orig_personality == -1)
        err(1, "personality");
    /* keep the existing flags, just turn off ASLR for this process and
     * anything it execs */
    if (personality(orig_personality|ADDR_NO_RANDOMIZE) == -1)
        err(1, "personality");
    execvp(argv[1], argv + 1);
    /* only reached if exec failed */
    err(1, "execvp");
}

This will actually be done by gdb already unless `set
disable-randomization off` is used.

There are already a few security-conscious packages enabling this on
their own, and this will likely become more common. Here's an
incomplete list for anyone curious:

* colord
* chromium
* cups
* playpen
* openssh
* qemu
* sudo
* systemd
* upower
* tor
* wireshark
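
The following is an added example, not part of the original mail or of any Arch package: it ties the two points above together in one small C program. It reports whether the running process has ASLR turned off through personality(2), whether the executable itself was linked as PIE (so its base can move) by inspecting its own ELF header via the linker-defined symbol __ehdr_start, prints a few addresses so two runs can be compared by eye, and wraps the mail's exec-with-ASLR-off idea in a fork/wait function that returns the child's exit status. The function names (aslr_disabled_for_self, executable_is_pie, run_without_aslr) and the exit-code 126 convention for "could not disable ASLR or exec" are assumptions of this example; __ehdr_start is a real symbol provided by GNU ld (binutils 2.23 and later) and lld.

```c
/* Added example (not from the original mail). Build PIE and non-PIE and compare:
 *   cc -fPIE -pie  aslr_check.c -o aslr_check_pie
 *   cc -no-pie     aslr_check.c -o aslr_check_fixed
 * Run each twice: with PIE, "main" moves between runs; without PIE it does not,
 * while libc, stack and heap move in both cases. Pass a command to run it as a
 * child with ASLR disabled, e.g.  ./aslr_check_pie ./aslr_check_pie
 */
#include <elf.h>
#include <link.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>
#include <sys/wait.h>
#include <unistd.h>

/* The linker defines __ehdr_start as the address of this executable's own ELF
 * header, so the check below needs no /proc access. */
extern const ElfW(Ehdr) __ehdr_start __attribute__((visibility("hidden")));

/* 1 if ASLR is off for this process (ADDR_NO_RANDOMIZE set), 0 if on, -1 on error. */
int aslr_disabled_for_self(void) {
    int p = personality(0xffffffff);   /* 0xffffffff = query, do not modify */
    if (p == -1)
        return -1;
    return (p & ADDR_NO_RANDOMIZE) ? 1 : 0;
}

/* 1 if this binary is PIE (ET_DYN: base can be relocated), 0 if it is a
 * fixed-address ET_EXEC binary, -1 if the header is not a recognisable ELF. */
int executable_is_pie(void) {
    if (memcmp(__ehdr_start.e_ident, ELFMAG, SELFMAG) != 0)
        return -1;
    if (__ehdr_start.e_type == ET_DYN)
        return 1;
    if (__ehdr_start.e_type == ET_EXEC)
        return 0;
    return -1;
}

/* Fork, disable ASLR in the child only, then exec argv (same mechanism as the
 * wrapper in the mail). Returns the child's exit status; 126 (convention chosen
 * for this example) if the child could not change its personality, e.g. EPERM
 * under a seccomp policy that filters personality(2), or could not exec;
 * -1 if fork/wait failed or the child was killed by a signal. */
int run_without_aslr(char *const argv[]) {
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        int orig = personality(0xffffffff);
        if (orig == -1 || personality(orig | ADDR_NO_RANDOMIZE) == -1)
            _exit(126);
        execvp(argv[0], argv);
        _exit(126);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    int stack_var = 0;
    void *heap = malloc(16);
    printf("PIE executable       : %d\n", executable_is_pie());
    printf("ASLR disabled (self) : %d\n", aslr_disabled_for_self());
    printf("main (executable)    : %p\n", (void *)main);
    printf("printf (libc)        : %p\n", (void *)printf);
    printf("stack variable       : %p\n", (void *)&stack_var);
    printf("heap block           : %p\n", heap);
    free(heap);
    if (argc > 1) {
        int rc = run_without_aslr(argv + 1);
        printf("child exit status    : %d\n", rc);
        return rc < 0 ? 1 : rc;
    }
    return 0;
}
```

Running the PIE build as its own child ("./aslr_check_pie ./aslr_check_pie") shows the child reporting "ASLR disabled (self) : 1" and printing the same addresses on every invocation, which is exactly the debugging setup the wrapper gives without touching randomize_va_space for the whole system; note that the child inherits the flag across further execs, so anything it spawns is also unrandomized.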
