Most modern operating systems have ASLR to help mitigate yet-unknown vulnerabilities.
It would be very nice if FreeBSD shipped with ASLR features in the kernel (default off), that could be easily switched on with a sysctl variable.
I understand that in some production environments ASLR may make a system slower through memory fragmentation, but at least give people the option to turn ASLR on for those who actually want it. :)
Fix: This patch has been circulating the internet since FreeBSD 7.0-RELEASE at least. It looks like parts of it are from OpenBSD? (I could be wrong.) I've used it in production for many many years and it works like a champ.
The patch will just need the sysctl defaults inverted and the variable names possibly renamed for clarity.
Patch attached with submission follows:
New version of the patchset:
Wow... very nice. :)
----- Forwarded message from Oliver Pinter <firstname.lastname@example.org> -----
Date: Sat, 24 Aug 2013 23:40:15 +0200
From: Oliver Pinter <email@example.com>
To: Steven Lee <firstname.lastname@example.org>
Subject: Re: kern/181497: ASLR Feature Request - patch included
Performance test on HEAD from June + ASLR patches:
----- End forwarded message -----
Over the past few months, I've had the pleasure of enhancing Oliver's original patch. I've added support for randomizing the address of the RTLD and changing the behavior of ASLR to be set on a per-jail basis. This means that if a user requires an application that doesn't support ASLR (crashes, exhibits bugs, etc.), then the affected application can simply be placed in a jail with ASLR turned off. The rest of the system and the rest of the jails would still have ASLR turned on.
Oliver had ported over PaX's ASLR to NetBSD a few years back, and these patches bring FreeBSD feature-for-feature complete with NetBSD's ASLR implementation. What's lacking, along with NetBSD's implementation, is exec base randomization. This needs to be done on a per-binary basis, for binaries compiled with -fPIE. Additionally, we might want to specifically mark executables with an ELF note, specifying that it's safe to relocate the exec base.
One known bug is that applications compiled with clang with -fPIC -fPIE -static combined could segfault. I can provide a sample binary (with sample code) if needed for a simple five-line test application.
I will continue to research exec base randomization, but this task might be a bit over my head skill-wise.
Attached is the patch against 11-current as of 02 Feb 2014. If I make more progress on exec base randomization, you can follow my GitHub repo at https://github.com/lattera/freebsd, branch soldierx/lattera/aslr.
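Exec base randomization, as the post above notes, only applies to binaries built with -fPIE. The following is an added example (not part of this thread or of any of the attached patches) of the ELF header check a loader or an audit tool has to make before deciding whether a base can be randomized: ET_EXEC is fixed, and among ET_DYN images a PT_INTERP entry separates a PIE executable from a shared library. The sample images are constructed in the code; the ELF note the post suggests is not modelled.

```c
#include <elf.h>     /* Elf64_Ehdr, Elf64_Phdr, ET_DYN, PT_INTERP, ELFMAG */
#include <stdint.h>
#include <string.h>

/* How an image relates to exec-base randomization. */
enum elf_kind { ELF_INVALID, ELF_FIXED_EXEC, ELF_PIE_EXEC, ELF_SHARED_OBJ };

/* ET_EXEC is linked at a fixed address and cannot be relocated. ET_DYN is
 * relocatable; a PT_INTERP entry marks it as a PIE executable (candidate
 * for base randomization) rather than a shared library. */
enum elf_kind classify_elf(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return ELF_INVALID;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return ELF_INVALID;
    if (eh.e_type == ET_EXEC) return ELF_FIXED_EXEC;
    if (eh.e_type != ET_DYN) return ELF_INVALID;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof ph;
        if (off + sizeof ph > len) return ELF_INVALID;  /* table runs past image */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_INTERP) return ELF_PIE_EXEC;
    }
    return ELF_SHARED_OBJ;
}

/* Classify a constructed sample (not a real binary): a minimal ELF64
 * header followed by one program header of the given type. */
enum elf_kind classify_sample(uint16_t etype, uint32_t ptype)
{
    unsigned char img[sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)];
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph = { .p_type = ptype };
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = etype;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, &ph, sizeof ph);
    return classify_elf(img, sizeof img);
}
```

A real audit would read the file into memory and pass it to classify_elf; the same ET_DYN-plus-PT_INTERP rule is what distinguishes a PIE from a library when reviewing which binaries on a system can actually benefit from exec base randomization.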
I've tried to patch 10.0 with the last attached patch, but it complains
because it didn't find file opt_pax.h (and I didn't see this file in the
I'm sorry, my patch actually wasn't right. It included other fixes I had in my branch for other features and didn't include some of the other ASLR bits. Attached is the right patch.
Attached is a patch that applies on top of the existing patch to fix a few minor bugs.
Attached is a combined patch.
Attached is a new patch that integrates ASLR into loading Position-Independent Executables (PIEs).
The attached patch provides better stability to the new PIE feature.
Created attachment 153731: New ASLR Patch
This is the same patch that was uploaded to Phabricator D473 on 01 March 2015.
Any chance this can be backported to 9.x?
This bug report can be closed.
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017
- Set Status to "Open"
Feature request for AS*R is tracked in PR 228964.
Patches for review / testing are best handled in Phabricator (see D473 and D5603).