Path: blob/main/website/content/en/status/report-2021-01-2021-03/mitigations.adoc
18096 views
=== Vulnerability Mitigations Contact: Ed Maste <[email protected]> + Contact: Konstantin Belousov <[email protected]> + Contact: Marcin Wojtas <[email protected]> + Contact: Dawid Górecki <[email protected]> We added support for enforcing a https://cgit.freebsd.org/src/commit/?id=2e1c94aa1fd582fb8ae0522f0827be719ff5fb67[write XOR execute] mapping policy. It is enabled by setting the `kern.elf64.allow_wx` and/or `kern.elf32.allow_wx` sysctls to 0 (for 64-bit and 32-bit binaries, respectively). Binaries can indicate that they requre writeable and executable mappings by setting the `NT_FREEBSD_FCTL_WXNEEDED` ELF feature bit, set via elfctl. In addition, elfctl received a few usability improvements to support use by ports, targeting different FreeBSD base system versions. We added a https://cgit.freebsd.org/src/commit/?id=f6d95a01103a49a94c876d5a51bb4be25c06d964[`-i` flag] to ignore unknown flags (so that the same elfctl invocation could be used on older FreeBSD versions) as well as the ability to https://cgit.freebsd.org/src/commit/?id=86f33b5fcf6087bf4439881011b920ff99e6e300[specify features by value]. Flags that request opt-out of a mitigation now have a `no` prefix to make the sense clearer. For example, the flag to indicate that the binary is not compatible with ASLR is now named `noaslr`. Unprefixed flag names are still supported, for backwards compatibility, but will emit a warning and will be removed in a later version. The next step is to introduce ports infrastructure to support tagging binaries in ports that require special flags. Details can be found in https://bugs.freebsd.org/252629[PR252629]. Another update is that the base system binaries are now built as position-independent executable (PIE) https://cgit.freebsd.org/src/commit/?id=9a227a2fd642ec057a0ec70d67d5699d65553294[by default], for 64-bit architectures. PIE executables are used in conjunction with address randomization (ASLR) as a mitigation for certain types of security vulnerabilities. The ASLR feature still remains opt-in, however the described change allows enabling it using only sysctl knobs, without a need to rebuild the image. Enabling PIE results in no material performance impact for most workloads. It is also worth mentioning that a certain number of ports inherit the base systems /usr/share/mk infrastructure, and some initially failed to build after toggling the PIE setting. All issues detected by executing the exp-run were addressed. The details can be found in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253275[PR253275]. The next step is to try enabling ASLR by default for 64-bit architectures. The https://reviews.freebsd.org/D27666[patch] is under discussion. Sponsor: The FreeBSD Foundation Sponsor: Stormshield