It’s nice to see independent verification of exploit mitigations, given that the verification procedure is correct.
On HardenedBSD, we have five deltas on 64-bit systems:
mmap
Stack
PIE base
VDSO
mmap(MAP_32BIT)
On 32-bit systems, we only use the first four deltas. I say that loosely as HardenedBSD is disinterested in 32-bit systems and does not actively develop or test on any 32-bit system. We don’t provide installation media nor packages for 32-bit systems. Personally, I’d like to see 32-bit systems die.
The author makes no mention of the fact that multiple deltas are used. In fact, the author implies that only a single delta is used:
“It adds a random offset to the virtual memory layout of each program”
HardenedBSD is the only BSD that is able to introduce 41 bits of entropy into the stack on amd64. When dealing with stack-based buffer overflows (as discussed in the paper), the stack delta is what’s most important. It’s also important that the deltas are maintained separate from each other and cannot be correlated with each other. That is, the value of the mmap delta is not somehow connected to the value of the stack delta.
Since HardenedBSD inherited jemalloc from its upstream, FreeBSD, you’ll notice that heap entropy is somewhat less. Using a different heap implementation, like OpenBSD’s, has the potential to increase heap entropy.
HardenedBSD is simply modifying the hint passed into the virtual memory (VM) subsystem. As such, the VM subsystem can further modify the hint to account for superpages or other constraints. We deliberately chose this method in order to not break superpage support. However, it does come at a cost of potentially reducing entropy.
There’s still room for improvement. If we hooked directly into the VM subsystem, we could likely find ways to increase entropy. Doing so would come at a cost of performance, though, due to increased locking in contentious sections of code. To increase heap entropy, as mentioned above, we could switch to a different heap implementation (preferably OpenBSD’s).
The paxtest application provides better insight into the deltas than this whitepaper.
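As an added check of the points made in the comment above (this is example code written for this page, not code from the thread and not HardenedBSD’s paxtest), here is a small C probe that measures per-region randomization the way the comment describes it: it re-executes itself as a PIE binary many times, reads back the stack, mmap, heap and text address from each run, counts the address bits that actually moved for each region, and tests whether two regions keep a constant distance from each other, which is what a correlated delta would look like. The region names, the self-re-exec layout and the run count are my own choices; it uses only POSIX calls (fork, execl, pipe, mmap), so it builds on FreeBSD-derived systems and on Linux alike.

```c
/*
 * aslr_deltas.c: stand-alone ASLR probe (added example; not paxtest and
 * not HardenedBSD code). Re-runs itself N times, collects the stack, mmap,
 * heap and PIE text addresses, counts the bits that varied per region and
 * checks whether the stack and mmap deltas move in lockstep.
 *
 * Build as PIE so the text address is randomized as well:
 *   cc -O0 -fPIE -pie -o aslr_deltas aslr_deltas.c && ./aslr_deltas 64
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

#define REGIONS 4
static const char *region_name[REGIONS] = { "stack", "mmap", "heap", "pie" };

/* Number of address bits that took more than one value across the samples.
 * Bits that never change contribute no entropy; bits that do change may still
 * be tied to each other (page/superpage alignment), so this is an upper bound. */
int varying_bits(const uintptr_t *samples, size_t n)
{
    uintptr_t changed = 0;
    for (size_t i = 1; i < n; i++)
        changed |= samples[i] ^ samples[0];
    return __builtin_popcountll((unsigned long long)changed);
}

/* 1 if a[i] - b[i] is identical in every run: knowing one address would then
 * give the other, i.e. the two deltas are not independent. */
int deltas_locked(const uintptr_t *a, const uintptr_t *b, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (a[i] - b[i] != a[0] - b[0])
            return 0;
    return 1;
}

/* Child mode: print one address per region on a single line. */
static int probe(void)
{
    volatile int local = 0;                                 /* stack */
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);     /* mmap  */
    void *h = malloc(64);                 /* heap: depends on the allocator */
    if (m == MAP_FAILED || h == NULL)
        return 1;
    printf("%lx %lx %lx %lx\n", (unsigned long)&local, (unsigned long)m,
           (unsigned long)h, (unsigned long)(uintptr_t)probe); /* pie text */
    free(h);
    munmap(m, 4096);
    return 0;
}

/* Parent mode: run "self --probe" n times; samples[r * n + run] holds region r. */
static int collect(const char *self, size_t n, uintptr_t *samples)
{
    for (size_t run = 0; run < n; run++) {
        int fd[2];
        if (pipe(fd) != 0)
            return -1;
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            dup2(fd[1], STDOUT_FILENO);
            close(fd[0]);
            close(fd[1]);
            execl(self, self, "--probe", (char *)NULL);
            _exit(127);
        }
        close(fd[1]);
        FILE *f = fdopen(fd[0], "r");
        unsigned long v[REGIONS];
        int ok = f != NULL &&
                 fscanf(f, "%lx %lx %lx %lx", &v[0], &v[1], &v[2], &v[3]) == REGIONS;
        if (f != NULL)
            fclose(f);
        waitpid(pid, NULL, 0);
        if (!ok)
            return -1;
        for (size_t r = 0; r < REGIONS; r++)
            samples[r * n + run] = v[r];
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        return probe();
    size_t n = argc > 1 ? (size_t)atoi(argv[1]) : 32;
    if (n < 2)
        n = 2;
    uintptr_t *samples = malloc(sizeof *samples * REGIONS * n);
    if (samples == NULL || collect(argv[0], n, samples) != 0) {
        fprintf(stderr, "probe failed\n");
        return 1;
    }
    for (size_t r = 0; r < REGIONS; r++)
        printf("%-5s: %2d address bits varied over %zu runs\n",
               region_name[r], varying_bits(samples + r * n, n), n);
    printf("stack/mmap distance constant across runs: %s\n",
           deltas_locked(samples, samples + n, n) ? "yes (correlated)" : "no");
    free(samples);
    return 0;
}
```

The “bits varied” figure is an upper bound, not the entropy itself: a 41-bit stack delta can show at most 41 moving bits, but alignment and the superpage rounding the comment mentions can make some of those bits depend on each other, so paxtest remains the better reference for the real numbers. A stack-to-mmap distance that stays constant over dozens of runs is exactly the correlation the comment says the deltas must not have.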
https://s3.amazonaws.com/cybersec-prod/secdev/wp-content/uploads/2017/06/25193948/ASLR-How-Robust-is-the-Randomness.pdf
Found this too, but I don’t think it adds much to the actual paper, especially without a video of the presentation.