Whitepaper - Introducing ASLR for FreeBSD

Introducing ASLR For FreeBSD
Shawn Webb
Oliver Pinter
10 July 2014

[ 1. Introduction ]
Security in FreeBSD is based primarily on policy-based technologies. Existing
tools such as jails, Capsicum, vnet/vimage, and the MAC framework can make
FreeBSD-based systems quite resilient against attacks. FreeBSD lacks, however,
basic low-level exploit mitigation such as Address Space Layout Randomization
(ASLR)[1]. ASLR randomizes the address space layout of an application, so an
attacker can no longer rely on code and data sitting at known addresses, which
makes exploitation more difficult. This paper and the associated implementation
aim to provide a secure, robust, extensible, and easily managed form of ASLR fit
for production use within FreeBSD.

New Reverse Engineering Tutorial from Kohelet

Kohelet has just posted his first tutorial, Teach Me How To Reverse (Part 0). It covers patching an unpacked binary to bypass a password requirement. This should be the first of a series of reverse engineering tutorials from Kohelet. If you're interested in reverse engineering, you should definitely give it a look. It even has pictures.

In other news, we've created a "SX Archives" section and will be moving old content there in an effort to reduce site clutter. We will also be adding old content that has previously been removed to this archive section as well. Overall, this should be a great way to access content that is no longer relevant or up to date enough to be on the main sections of the site.

lattera Replaces Kayin in High Council, Effective Immediately

It is with great honor that I would like to announce the New Order's decision to promote lattera to the status of High Council member of SOLDIERX. He will be taking Kayin's position of High Council member in charge of Research and Development. During the past year, lattera has worked night after night getting ASLR support on FreeBSD. He's also spent considerable effort planning and delivering speeches about his research. He's done all of this in the name of SOLDIERX, which has really helped to give us a more positive public image. As a result, we feel that lattera is the perfect replacement for Kayin in the High Council. We hope to see even more positive changes come to SOLDIERX as a result of this organizational change. As with all members promoted to the status of High Council, we hope that lattera will continue his efforts and show the same enthusiasm and workmanship that he showed during his regular crew status. Congratulations lattera!

Kayin will be retiring from the crew rather than stepping down to regular crew. We wish him the best on his endeavors and thank him for his years of service to our group.

New Buffer Overflow Tutorial from xAMNESIAx

xAMNESIAx has posted his first tutorial, Buffer Overflow Exploitation for Beginners. It's not nearly as extensive as jip's Stack Smashing on a Modern Linux System tutorial, but it's a nice tutorial for people who aren't interested in modern exploitation and would rather have a simpler look at older unprotected systems. It's worth a look if you're interested in buffer overflows but have found previous tutorials to be a bit too challenging or involved. We hope to have xAMNESIAx work with other members of our crew to revamp and expand the Neophyte's Guide. In other news, OFACE has been released to all VIP members.

Shinobi Now an Inductee, Looking For Recruits

I'm happy to announce that after months of operations work (and other tasks), Shinobi has been promoted to inductee. He's now moving to get our group reorganized and restructured for maximum efficiency. We're now out of recruits (again), so we're looking for talented individuals to apply. As mentioned in the FAQ, if you are serious about joining SOLDIERX, you should have at least 5-10 hours of time to give to the group each week. The first step in becoming a member is to become a recruit. In order to become a recruit you need to email the following information to RaT:
Contact Information (AIM, yahoo, etc):
Skills (reverse engineering, writing, programming, etc):
Hours Available:
Why You Want To Join SOLDIERX:
What You Will Do For Your First Project:

Position-Independent Executable Support Added to FreeBSD

Ever since my presentation at BSDCan, I've been working with a talented individual named Bryan Drewery to help get the ASLR work merged into FreeBSD. We've now merged in one major part of the ASLR work: Position-Independent Executable (PIE) support. Adding this feature makes it so that normal executables can be relocated in memory and still run. Normally, without PIE, an executable tells the operating system at what address it expects to be loaded. If the executable isn't loaded at that address, things can (and likely will) go wrong. However, when compiled as a PIE, the executable tells the operating system that it can be loaded anywhere, and it'll make do. Essentially, it turns your executable from a normal executable (ELF type ET_EXEC) to a shared object (ELF type ET_DYN).

FreeBSD has supported loading PIEs for a while now, but the applications in base weren't compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support. I had to make some exceptions (certain applications don't support being compiled as a PIE mainly due to statically linking in libraries), but most applications in base can now be compiled as a PIE. If you're tracking 11-CURRENT, then all you have to do is add WITH_PIE=1 to your /etc/{make,src}.conf. I've tested these binaries on i386, amd64, sparc64, and ARM.

My next goal is to make our ASLR patches fit with FreeBSD's kernel coding style guidelines. We'll likely do one more Call For Testing (CFT) and get sign-offs from a number of FreeBSD developers. We still have a ways to go, but we're getting closer each day. I'd like to thank Bryan Drewery for sponsoring this work on FreeBSD's side. He's really fun to work with and is taking the blunt edge of the sword for some of this work. It's truly an honor to work with him.
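As an added example (not code from the post, nor FreeBSD's own tooling), here is a small parser for the ELF header field the post is about: it reports whether a binary's e_type is ET_EXEC (fixed load address) or ET_DYN, which is the check to run on base binaries after a build with WITH_PIE=1. The sample ELF images are constructed inline and are not runnable binaries, and the split between a PIE and a plain shared object by the presence of PT_INTERP is an assumed heuristic that does not cover statically linked PIEs.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_INTERP = 3               # program header that names the dynamic linker

def classify_elf(data: bytes) -> str:
    """Classify an ELF image by e_type.

    Returns "ET_EXEC" (fixed load address, cannot be relocated by ASLR),
    "PIE" (ET_DYN plus a PT_INTERP entry, a relocatable executable), or
    "shared-object" (ET_DYN with no PT_INTERP).  Assumption: a dynamically
    linked PIE always carries PT_INTERP; static PIEs are not handled.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    if data[4] == 2:                             # EI_CLASS: 2 = ELFCLASS64
        fmt = endian + "HHIQQQIHHH"              # e_type .. e_phnum (64-bit)
    else:
        fmt = endian + "HHIIIIIHHH"              # e_type .. e_phnum (32-bit)
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
        struct.unpack_from(fmt, data, 16)
    if e_type == ET_EXEC:
        return "ET_EXEC"
    if e_type != ET_DYN:
        return "other"
    # ET_DYN: walk the program headers looking for PT_INTERP (p_type is first)
    for i in range(e_phnum):
        p_type = struct.unpack_from(endian + "I", data,
                                    e_phoff + i * e_phentsize)[0]
        if p_type == PT_INTERP:
            return "PIE"
    return "shared-object"

def make_sample_elf64(e_type: int, with_interp: bool) -> bytes:
    """Constructed sample: 64-bit little-endian ELF header plus program
    headers.  Only the fields classify_elf() reads are meaningful."""
    phdrs = [(PT_INTERP, 4, 0x238, 0x238, 0x238, 0x1c, 0x1c, 1)] if with_interp else []
    phdrs.append((1, 5, 0, 0x1000, 0x1000, 0x200, 0x200, 0x1000))   # PT_LOAD
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8             # 64-bit, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)

if __name__ == "__main__":
    for label, blob in (("ET_EXEC", make_sample_elf64(ET_EXEC, True)),
                        ("PIE", make_sample_elf64(ET_DYN, True)),
                        ("library", make_sample_elf64(ET_DYN, False))):
        print(label, "->", classify_elf(blob))
```

On a real system the same check is `classify_elf(open("/bin/ls", "rb").read())`, which should report "PIE" for a base built with WITH_PIE=1 and "ET_EXEC" for one built without it.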
