Over the July 4th weekend, we implemented randomization of the VDSO (Virtual Dynamic Shared Object). The VDSO is a spot in memory that is shared between the kernel and userland memory. It contains the signal trampoline and time-related code (like gettimeofday(2)). Even though the amount of code is small in the VDSO, it could still theoretically be used to generate ROP gadgets. Removing that piece of determinism makes generating ROP gadgets based on code in the VDSO more difficult. Randomizing the VDSO was the last piece of the address space to randomize.
Now that VDSO randomization is implemented, our ASLR implementation is now complete. You'll notice a new
hardening.pax.aslr.vdso_len. That controls the amount of entropy applied to the VDSO base. Our version of ASLR is the strongest form ever implemented in any BSD operating system.
Our ASLR implementation features:
You will still see further improvements. We are looking into making our shared object load order randomization more efficient with help from Michael Zandi. We need to update our
aslr(4) manpage. We need to clarify some of the inline comments. These improvements are mostly cosmetic and result in no functionality changes.
When we first implemented ASLR for FreeBSD, we implemented the stack randomization portion as a random gap. This means that the base address for the stack remained constant, but where applications started utilizing the stack would change randomly. We have now implemented true stack randomization. The base address for the stack is now randomized. We still utilize a random stack gap on top of true stack randomization to provide further entropy and security. This means that we can effectively achieve 42 bits of entropy for the stack. Compare that to OpenBSD, which utilizes only a gap with 14 bits of entropy. This change breaks both ABI and API and we have bumped the HardenedBSD version up to 26 with this change. We will be doing a new package build to ensure packages are up-to-date with this change.
Due to some changes to google voice, RoboAmp 1.00 (public Defcon 22 release) stopped working. RoboAmp has been updated to adapt to these changes, as well as a few other minor changes. You can get the new version here. If you would like to see more changes to RoboAmp or any of our other SX Labs releases, please drop by for our IRC meeting tomorrow at 4 PM EST.
Just a heads up to all, we are working to make the site faster. We've already made some database changes that should have increased the site speed quite a bit. We hope these optimizations will increase the current usage of the forums. We also have plans to move to newer hardware, but we're still working those details out due to our limited budget. Please contact me if you notice any particularly slow areas of the site that you'd like to be faster.
For those who are VIP, I have released 0.1.7 and it has now been made available in the SX Labs section of the site for testing.
Also, on May 1st at 6 PM EST I will be doing a meeting to discuss the OFACE Roadmap in IRC. I highly encourage VIP members to attend as well as we want to hear what you think of the Roadmap we are planning.
Unfortunately shortly after his induction into the SX Crew, Shinobi has gone missing. As a result, n0 has been stepping up to fill his shoes. The high council has finally finished discussing meeting issues, crew issues, and project issues. As a result, we will be having a major IRC meeting tomorrow (04-16-2015) from noon to two (12:00-14:00) EST. We hope that all the crew will be able to attend, as well as many of our more committed community members. If you're a VIP member, please check out the forums for news on some major releases