HBSD: Change ASLR defaults for 32bit systems.
On i386, the stack isn't randomized enough to provide enough space for
the VDSO to be randomized. Bump the stack randomization up to 14 for
32bit systems and lower the VDSO randomization to 8. This provides
enough of a difference between the two to allow for both stack and
VDSO randomization.

Note that ASLR on 32bit systems is still rather weak. Not much entropy
can be introduced into the stack and VDSO. Brute forcing the stack and
VDSO is well within the realm of possibility. Users are strongly
advised to migrate to 64bit systems.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
lattera authored and fichtner committed May 19, 2016
1 parent e13c0d4 commit ec93b44
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions sys/hardenedbsd/hbsd_pax_aslr.c
Expand Up @@ -69,11 +69,11 @@ __FBSDID("$FreeBSD$");
* +-------+--------+--------+--------+
* | MMAP | 14 bit | 30 bit | 14 bit |
* +-------+--------+--------+--------+
* | STACK | 10 bit | 42 bit | 10 bit |
* | STACK | 14 bit | 42 bit | 14 bit |
* +-------+--------+--------+--------+
* | EXEC | 14 bit | 30 bit | 14 bit |
* +-------+--------+--------+--------+
* | VDSO | 10 bit | 28 bit | 10 bit |
* | VDSO | 8 bit | 28 bit | 8 bit |
* +-------+--------+--------+--------+
* | M32B | N.A. | 18 bit | N.A. |
* +-------+--------+--------+--------+
Expand Down Expand Up @@ -140,15 +140,15 @@ __FBSDID("$FreeBSD$");
#endif /* PAX_ASLR_DELTA_MMAP_DEF_LEN */

#ifndef PAX_ASLR_DELTA_STACK_DEF_LEN
#define PAX_ASLR_DELTA_STACK_DEF_LEN 10
#define PAX_ASLR_DELTA_STACK_DEF_LEN 14
#endif /* PAX_ASLR_DELTA_STACK_DEF_LEN */

#ifndef PAX_ASLR_DELTA_EXEC_DEF_LEN
#define PAX_ASLR_DELTA_EXEC_DEF_LEN 14
#endif /* PAX_ASLR_DELTA_EXEC_DEF_LEN */

#ifndef PAX_ASLR_DELTA_VDSO_DEF_LEN
#define PAX_ASLR_DELTA_VDSO_DEF_LEN 10
#define PAX_ASLR_DELTA_VDSO_DEF_LEN 8
#endif /* PAX_ASLR_DELTA_VDSO_DEF_LEN */

#endif /* __LP64__ */
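Review bot: nothing in this block enforces the relationship between PAX_ASLR_DELTA_STACK_DEF_LEN and PAX_ASLR_DELTA_VDSO_DEF_LEN. Both defaults sit behind #ifndef, so a build that predefines only one of them (for example a configuration that still pins the stack length at the old 10) compiles cleanly with a pair that was never evaluated against the constraint the commit message describes. Consider a compile-time assertion beside these defines that the VDSO length is smaller than the stack length by the required margin, and state that margin in a comment, because "14 and 8" alone does not tell the next reader what the minimum gap is.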
Expand Down Expand Up @@ -178,15 +178,15 @@ __FBSDID("$FreeBSD$");
#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_DEF_LEN */

#ifndef PAX_ASLR_COMPAT_DELTA_STACK_DEF_LEN
#define PAX_ASLR_COMPAT_DELTA_STACK_DEF_LEN 10
#define PAX_ASLR_COMPAT_DELTA_STACK_DEF_LEN 14
#endif /* PAX_ASLR_COMPAT_DELTA_STACK_DEF_LEN */

#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_DEF_LEN
#define PAX_ASLR_COMPAT_DELTA_EXEC_DEF_LEN 14
#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_DEF_LEN */

#ifndef PAX_ASLR_COMPAT_DELTA_VDSO_DEF_LEN
#define PAX_ASLR_COMPAT_DELTA_VDSO_DEF_LEN 10
#define PAX_ASLR_COMPAT_DELTA_VDSO_DEF_LEN 8
#endif /* PAX_ASLR_COMPAT_DELTA_VDSO_DEF_LEN */

#endif
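Review bot: the PAX_ASLR_COMPAT_DELTA_STACK_DEF_LEN and PAX_ASLR_COMPAT_DELTA_VDSO_DEF_LEN defaults repeat the literals 14 and 8 from the native 32-bit block, so the two sets can drift apart the next time one of them is tuned. Add a comment here noting that the compat values are meant to track the native 32-bit ones, and apply the same stack-greater-than-VDSO compile-time check to the COMPAT pair, since these are also overridable through #ifndef. Minor style point: the closing #endif of this block has no trailing comment, unlike "#endif /* __LP64__ */" in the previous hunk.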