FreeBSD does not have ASLR

  • FreeBSD does not have ASLR

    I was doing an analysis for my company who is looking to select a new operating system for their recently created server farm. I was analyzing FreeBSD when I found something alarming about it.

    I ran a program that I made called simplegets, and then I looked at its layout in virtual memory while running and this is what I got:

    Code:
    doggoson@fbsd:/home/doggoson % ps aux | grep simplegets
    doggoson 13381  0.0  0.1    9920   1416  0  I+    2:07PM  0:00.00 ./simplegets
    doggoson 13398  0.0  0.1   16288   1776  1  S+    2:08PM  0:00.00 grep simplegets
    doggoson@fbsd:/home/doggoson % cat /proc/13381/map
    0x400000 0x401000 1 0 0xfffffe003c103828 r-x 1 0 0x1000 COW NC vnode /usr/home/doggoson/simplegets NCH -1
    0x600000 0x800000 2 0 0xfffffe0016de89f8 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800600000 0x800618000 24 0 0xfffffe00076ed658 r-x 90 0 0x1004 COW NC vnode /libexec/ld-elf.so.1 NCH -1
    0x800618000 0x800639000 21 0 0xfffffe001e195828 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800817000 0x800819000 2 0 0xfffffe0023bf22b8 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800819000 0x800947000 258 0 0xfffffe00076ed000 r-x 166 76 0x1004 COW NC vnode /lib/libc.so.7 NCH -1
    0x800947000 0x800b46000 0 0 0xfffffe005afdc9f8 --- 1 0 0x2000 NCOW NNC default - NCH -1
    0x800b46000 0x800b51000 11 0 0xfffffe00374cd9f8 rw- 1 0 0x3000 COW NNC vnode /lib/libc.so.7 CH 1001
    0x800b51000 0x800b6c000 8 0 0xfffffe0067d37740 rw- 2 0 0x3000 NCOW NNC default - CH 1001
    0x800c00000 0x801000000 8 0 0xfffffe0067d37740 rw- 2 0 0x3000 NCOW NNC default - CH 1001
    0x7ffffffdf000 0x7ffffffff000 3 0 0xfffffe00790363a0 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x7ffffffff000 0x800000000000 0 0 0xfffffe0007515cb0 r-x 94 0 0x4 COW NC default - NCH -1
    doggoson@fbsd:/home/doggoson %
    The surprise came when I ran simplegets a second time:

    Code:
    doggoson@fbsd:/home/doggoson % ps aux | grep simplegets
    doggoson 13446  0.0  0.1    9920   1416  0  S+    2:12PM  0:00.00 ./simplegets
    doggoson 13449  0.0  0.1   16288   1776  1  S+    2:12PM  0:00.00 grep simplegets
    doggoson@fbsd:/home/doggoson % cat /proc/13446/map
    0x400000 0x401000 1 0 0xfffffe003c103828 r-x 1 0 0x1000 COW NC vnode /usr/home/doggoson/simplegets NCH -1
    0x600000 0x800000 2 0 0xfffffe004a9b3910 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800600000 0x800618000 24 0 0xfffffe00076ed658 r-x 90 0 0x1004 COW NC vnode /libexec/ld-elf.so.1 NCH -1
    0x800618000 0x800639000 21 0 0xfffffe00660a13a0 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800817000 0x800819000 2 0 0xfffffe00790390e8 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800819000 0x800947000 258 0 0xfffffe00076ed000 r-x 166 76 0x1004 COW NC vnode /lib/libc.so.7 NCH -1
    0x800947000 0x800b46000 0 0 0xfffffe00486fd910 --- 1 0 0x2000 NCOW NNC default - NCH -1
    0x800b46000 0x800b51000 11 0 0xfffffe00600819f8 rw- 1 0 0x3000 COW NNC vnode /lib/libc.so.7 CH 1001
    0x800b51000 0x800b6c000 8 0 0xfffffe00302672b8 rw- 2 0 0x3000 NCOW NNC default - CH 1001
    0x800c00000 0x801000000 8 0 0xfffffe00302672b8 rw- 2 0 0x3000 NCOW NNC default - CH 1001
    0x7ffffffdf000 0x7ffffffff000 3 0 0xfffffe007219f740 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x7ffffffff000 0x800000000000 0 0 0xfffffe0007515cb0 r-x 94 0 0x4 COW NC default - NCH -1
    doggoson@fbsd:/home/doggoson %
    As you can see, all the memory addresses have not changed which shows that FreeBSD lacks Address Space Layout Randomization or ASLR, an important security feature that all other operating systems including Windows have.

    Linux has ASLR as shown when simplegets is executed once:

    Code:
    doggoson@bluebook ~ $ ps aux | grep simplegets
    doggoson   4134  0.0  0.0   4080   348 pts/0    S+   13:59   0:00 ./simplegets
    doggoson   4145  0.0  0.0   8052   916 pts/1    S+   13:59   0:00 grep --colour=auto simplegets
    doggoson@bluebook ~ $ cat /proc/4134/maps 
    00400000-00401000 r-xp 00000000 08:06 261421                             /home/doggoson/Workspace/CC+/simplegets
    00600000-00601000 rw-p 00000000 08:06 261421                             /home/doggoson/Workspace/CC+/simplegets
    7f704e324000-7f704e4c6000 r-xp 00000000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f704e4c6000-7f704e6c6000 ---p 001a2000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f704e6c6000-7f704e6ca000 r--p 001a2000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f704e6ca000-7f704e6cc000 rw-p 001a6000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f704e6cc000-7f704e6d0000 rw-p 00000000 00:00 0 
    7f704e6d0000-7f704e6f1000 r-xp 00000000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7f704e8d0000-7f704e8d3000 rw-p 00000000 00:00 0 
    7f704e8ee000-7f704e8f1000 rw-p 00000000 00:00 0 
    7f704e8f1000-7f704e8f2000 r--p 00021000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7f704e8f2000-7f704e8f4000 rw-p 00022000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7fffdca09000-7fffdca2a000 rw-p 00000000 00:00 0                          [stack]
    7fffdca49000-7fffdca4b000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    doggoson@bluebook ~ $
    and again

    Code:
    doggoson@bluebook ~ $ ps aux | grep simplegets
    doggoson   4173  0.0  0.0   4080   348 pts/0    S+   14:02   0:00 ./simplegets
    doggoson   4176  0.0  0.0   8052   916 pts/1    S+   14:02   0:00 grep --colour=auto simplegets
    doggoson@bluebook ~ $ cat /proc/4173/maps 
    00400000-00401000 r-xp 00000000 08:06 261421                             /home/doggoson/Workspace/CC+/simplegets
    00600000-00601000 rw-p 00000000 08:06 261421                             /home/doggoson/Workspace/CC+/simplegets
    7f1e449ac000-7f1e44b4e000 r-xp 00000000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f1e44b4e000-7f1e44d4e000 ---p 001a2000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f1e44d4e000-7f1e44d52000 r--p 001a2000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f1e44d52000-7f1e44d54000 rw-p 001a6000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f1e44d54000-7f1e44d58000 rw-p 00000000 00:00 0 
    7f1e44d58000-7f1e44d79000 r-xp 00000000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7f1e44f58000-7f1e44f5b000 rw-p 00000000 00:00 0 
    7f1e44f76000-7f1e44f79000 rw-p 00000000 00:00 0 
    7f1e44f79000-7f1e44f7a000 r--p 00021000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7f1e44f7a000-7f1e44f7c000 rw-p 00022000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7fff4049f000-7fff404c0000 rw-p 00000000 00:00 0                          [stack]
    7fff405fe000-7fff40600000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    doggoson@bluebook ~ $
    As you can see, not only is the address space layout of simplegets neater and simpler but more importantly, the memory addresses have changed showing that Linux is well protected using ASLR.

    It just goes to show, FreeBSD is not safer than Linux but rather the other way round.

    It also shows that it is possible that the FreeBSD project is cooperating with the NSA and CIA so that they can easily access FreeBSD hosts more easily.
    Last edited by doggobot; 10-17-2013, 11:51 PM.
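The check the post performs by eye (run the program twice and compare the two map dumps) can be automated. The following is an added example and is not code from the thread or from either project: it parses both the FreeBSD /proc/<pid>/map format and the Linux /proc/<pid>/maps format shown above, records the lowest start address of every mapped object, and reports which objects changed base between two runs. The sample inputs are excerpts of the dumps posted in the thread; the `live_check` helper, its use of `sleep` as the probe process, and the 0.2 s settle delay are my own assumptions.

```python
"""Detect whether ASLR randomized a process's layout by diffing two procfs map dumps."""
import platform
import subprocess
import time
from typing import Dict, List, Set

# Excerpts of the FreeBSD /proc/<pid>/map dumps posted in the thread (two runs).
FREEBSD_RUN1 = """\
0x400000 0x401000 1 0 0xfffffe003c103828 r-x 1 0 0x1000 COW NC vnode /usr/home/doggoson/simplegets NCH -1
0x600000 0x800000 2 0 0xfffffe0016de89f8 rw- 1 0 0x3000 NCOW NNC default - CH 1001
0x800600000 0x800618000 24 0 0xfffffe00076ed658 r-x 90 0 0x1004 COW NC vnode /libexec/ld-elf.so.1 NCH -1
0x800819000 0x800947000 258 0 0xfffffe00076ed000 r-x 166 76 0x1004 COW NC vnode /lib/libc.so.7 NCH -1
0x7ffffffdf000 0x7ffffffff000 3 0 0xfffffe00790363a0 rw- 1 0 0x3000 NCOW NNC default - CH 1001
"""
FREEBSD_RUN2 = """\
0x400000 0x401000 1 0 0xfffffe003c103828 r-x 1 0 0x1000 COW NC vnode /usr/home/doggoson/simplegets NCH -1
0x600000 0x800000 2 0 0xfffffe004a9b3910 rw- 1 0 0x3000 NCOW NNC default - CH 1001
0x800600000 0x800618000 24 0 0xfffffe00076ed658 r-x 90 0 0x1004 COW NC vnode /libexec/ld-elf.so.1 NCH -1
0x800819000 0x800947000 258 0 0xfffffe00076ed000 r-x 166 76 0x1004 COW NC vnode /lib/libc.so.7 NCH -1
0x7ffffffdf000 0x7ffffffff000 3 0 0xfffffe007219f740 rw- 1 0 0x3000 NCOW NNC default - CH 1001
"""
# Excerpts of the Linux /proc/<pid>/maps dumps posted in the thread (two runs).
LINUX_RUN1 = """\
00400000-00401000 r-xp 00000000 08:06 261421 /home/doggoson/Workspace/CC+/simplegets
7f704e324000-7f704e4c6000 r-xp 00000000 08:08 4461920 /lib/x86_64-linux-gnu/libc-2.17.so
7f704e6d0000-7f704e6f1000 r-xp 00000000 08:08 4461916 /lib/x86_64-linux-gnu/ld-2.17.so
7fffdca09000-7fffdca2a000 rw-p 00000000 00:00 0 [stack]
"""
LINUX_RUN2 = """\
00400000-00401000 r-xp 00000000 08:06 261421 /home/doggoson/Workspace/CC+/simplegets
7f1e449ac000-7f1e44b4e000 r-xp 00000000 08:08 4461920 /lib/x86_64-linux-gnu/libc-2.17.so
7f1e44d58000-7f1e44d79000 r-xp 00000000 08:08 4461916 /lib/x86_64-linux-gnu/ld-2.17.so
7fff4049f000-7fff404c0000 rw-p 00000000 00:00 0 [stack]
"""


def load_bases(map_text: str, flavor: str) -> Dict[str, int]:
    """Return {object label: lowest start address} for one map dump.

    flavor is "linux" (/proc/<pid>/maps: start-end perms offset dev inode path)
    or "freebsd" (/proc/<pid>/map: start end ... type path ...). Anonymous
    regions get positional labels so two dumps of the same program line up.
    """
    bases: Dict[str, int] = {}
    anon = 0
    for line in map_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if flavor == "linux":
            start = int(fields[0].split("-")[0], 16)
            label = fields[5] if len(fields) > 5 else None
        elif flavor == "freebsd":
            start = int(fields[0], 16)          # field 11 is the type, 12 the vnode path
            label = fields[12] if fields[11] == "vnode" else None
        else:
            raise ValueError(f"unknown map flavor: {flavor}")
        if label is None:
            label = f"anon#{anon}"
            anon += 1
        bases[label] = min(start, bases.get(label, start))
    return bases


def moved_objects(run1: str, run2: str, flavor: str) -> Set[str]:
    """Labels present in both dumps whose base address differs between runs."""
    a, b = load_bases(run1, flavor), load_bases(run2, flavor)
    return {label for label in a.keys() & b.keys() if a[label] != b[label]}


def aslr_active(run1: str, run2: str, flavor: str) -> bool:
    """Identical layouts across runs mean no randomization; any moved base means ASLR."""
    return bool(moved_objects(run1, run2, flavor))


def live_check(argv: List[str], flavor: str) -> bool:
    """Start argv twice, snapshot its mappings from procfs each time (assumes procfs
    is mounted, as in the thread), and report whether any base moved. Assumed helper."""
    path = "/proc/{}/maps" if flavor == "linux" else "/proc/{}/map"
    dumps: List[str] = []
    for _ in range(2):
        proc = subprocess.Popen(argv)
        try:
            time.sleep(0.2)                      # let the dynamic loader finish mapping
            with open(path.format(proc.pid)) as fh:
                dumps.append(fh.read())
        finally:
            proc.terminate()
            proc.wait()
    return aslr_active(dumps[0], dumps[1], flavor)


if __name__ == "__main__":
    print("FreeBSD dumps, moved bases:", moved_objects(FREEBSD_RUN1, FREEBSD_RUN2, "freebsd"))
    print("Linux dumps, moved bases:", moved_objects(LINUX_RUN1, LINUX_RUN2, "linux"))
    host = platform.system().lower()
    if host in ("linux", "freebsd"):
        print("ASLR active on this host:", live_check(["sleep", "5"], host))
```

On the thread's own data the FreeBSD dumps yield an empty moved set and the Linux dumps move libc, ld and the stack. Note what does not move on Linux either: the main executable stays at 0x400000 in both runs because it was not built as a position-independent executable; ASLR only randomizes the program image itself for PIE builds, so a complete audit checks the compiler flags as well as the loader behaviour.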

  • #2
    Originally posted by doggobot View Post
    I was doing an analysis for my company who is looking to select a new operating system for their recently created server farm. I was analyzing FreeBSD when I found something alarming about it.

    I ran a program that I made called simplegets, and then I looked at its layout in virtual memory while running and this is what I got:

    [...]

    As you can see, not only is the address space layout of simplegets neater and simpler but more importantly, the memory addresses have changed showing that Linux is well protected using ASLR.

    It just goes to show, FreeBSD is not safer than Linux but rather the other way round.

    It also shows that it is possible that the FreeBSD project is cooperating with the NSA and CIA so that they can easily access FreeBSD hosts more easily.
    I believe FreeBSD 10 will be including ASLR with it enabled by default. Alternatively, you could very easily add it in yourself-- there is a patch for FreeBSD 9 that is already widely available.

    Regarding FreeBSD vs Linux safety-- that is entirely a subjective matter. However, even I am baffled at the idea that you consider the omission of ASLR to render any other benefit moot in its absence.

    As for the last sentence, that is so laughable as to be scarcely worth even trying to refute. But I will say this: If FreeBSD was cooperating with the NSA and the CIA, you'd know about it. FreeBSD is open-source. That's why I can tell you that your 3-letter-agencies were involved with SELinux amongst other Linux projects. Furthermore, the absence of ASLR does not affect the ease of 'accessing FreeBSD hosts'.


    • #3
      FreeBSD does not have ASLR
      Are you fucking kidding me
      It’s 2014 and this shit doesn’t even have basic protection.

      “More secure than Linux” Bullshit


      • #4
        Originally posted by JX8p View Post
        I believe FreeBSD 10 will be including ASLR with it enabled by default. Alternatively, you could very easily add it in yourself-- there is a patch for FreeBSD 9 that is already widely available.

        Regarding FreeBSD vs Linux safety-- that is entirely a subjective matter. However, even I am baffled at the idea that you consider the omission of ASLR to render any other benefit moot in its absence.

        As for the last sentence, that is so laughable as to be scarcely worth even trying to refute. But I will say this: If FreeBSD was cooperating with the NSA and the CIA, you'd know about it. FreeBSD is open-source. That's why I can tell you that your 3-letter-agencies were involved with SELinux amongst other Linux projects. Furthermore, the absence of ASLR does not affect the ease of 'accessing FreeBSD hosts'.
        Yes this guy was laughing also when he wrote this: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

        My NDA with the FBI has recently expired, and I wanted to make you
        aware of the fact that the FBI implemented a number of backdoors and
        side channel key leaking mechanisms into the OCF, for the express
        purpose of monitoring the site to site VPN encryption system
        implemented by EOUSA, the parent organization to the FBI. Jason
        Wright and several other developers were responsible for those
        backdoors, and you would be well advised to review any and all code
        commits by Wright as well as the other developers he worked with
        originating from NETSEC.


        • #5
          Originally posted by endman View Post
          Are you fucking kidding me
          It’s 2014 and this shit doesn’t even have basic protection.

          “More secure than Linux” Bullshit
          Nice job there answering yourself, loser...
          This idiot did this post on October 18; apparently nobody gave a f*ck, so now he is forced to post it here; he wants attention: http://aboutthebsds.wordpress.com/20...d-is-insecure/
          Go get a life, loser.


          • #6
            Originally posted by ACiD View Post
            Yes this guy was laughing also when he wrote this: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
            You're telling me what I was doing? Because in fact I hadn't seen that post. Very presumptuous of you. However if those allegations are true you have a lot more than OpenBSD that is potentially compromised. Mind you, I find the allegations dubious in the extreme -- they reek of FUD and are totally unsubstantiated by any fact. Furthermore OpenBSD and the code derived from it (as used in many other projects which include Linux-related projects) is frequently audited, and something like this is unlikely to go unnoticed. By the way, people generally don't get 10yr NDAs that expire and allow you to talk at will afterwards.

            Anyway, if by some chance this whole silliness is totally true, then one need only file an FoI request to see about this man's NDA.

            Are you fucking kidding me
            It’s 2014 and this shit doesn’t even have basic protection.

            “More secure than Linux” Bullshit
            Sorry mate, that's really just not how it works. You can't take one little thing and try and extrapolate from it the total state of a project. In any case, ASLR is mainly something for the very paranoid; remote holes are what are generally important for security.


            • #7
              Originally posted by JX8p View Post
              You're telling me what I was doing? Because in fact I hadn't seen that post. Very presumptuous of you. However if those allegations are true you have a lot more than OpenBSD that is potentially compromised. Mind you, I find the allegations dubious in the extreme -- they reek of FUD and are totally unsubstantiated by any fact. Furthermore OpenBSD and the code derived from it (as used in many other projects which include Linux-related projects) is frequently audited, and something like this is unlikely to go unnoticed. By the way, people generally don't get 10yr NDAs that expire and allow you to talk at will afterwards.

              Anyway, if by some chance this whole silliness is totally true, then one need only file an FoI request to see about this man's NDA.

              Sorry mate, that's really just not how it works. You can't take one little thing and try and extrapolate from it the total state of a project. In any case, ASLR is mainly something for the very paranoid; remote holes are what are generally important for security.
              Uhm the BSD backdoors were widely public after they were discovered.


              • #8
                Originally posted by JX8p View Post
                Sorry mate, that's really just not how it works. You can't take one little thing and try and extrapolate from it the total state of a project. In any case, ASLR is mainly something for the very paranoid; remote holes are what are generally important for security.
                It's not one little thing. It's one of the most important things. Even windows has it. Furthermore, Linux provides much more security mechanisms and is much more frequently audited.


                • #9
                  Originally posted by Sergio View Post
                  Nice job there answering yourself, loser...
                  This idiot did this post on October 18; apparently no body gave a f*ck so now he is forced to post it here; he wants attention: http://aboutthebsds.wordpress.com/20...d-is-insecure/
                  Go get a life, loser.
                  All kudos goes to you Sergio! Nice job. You have advertised his blog at Phoronix and now the world will hear how bsd sucks! You are marked as bsd traitor now and trolls from bsd camps will try to hunt you down. You've been warned.


                  • #10
                    Originally posted by Pawlerson View Post
                    It's not one little thing. It's one of the most important things. Even windows has it. Furthermore, Linux provides much more security mechanisms and is much more frequently audited.
                    Riiiiiight, Pawlerson (aka kraftman, aka BSDSucksDicks, aka endman, etc, etc)...


                    • #11
                      @Sergio
                      Excuse me but I have no idea who endman is.

                      The reason why I wrote this post was because I presented the same problem to forums.freebsd.org to tell them that it is a serious problem in today’s situation with software security. I also asked them for any simple workarounds, but all they did was ban me and remove my post, as if they were doing some cover-up. I was so frustrated and shocked by such a community and their software that I posted here instead, hoping for a solution and to show people this situation.

                      The reason why I was doing this was because we had a new CTO (now fired) who demanded that our company migrate our Linux servers (which we were well familiar with) to FreeBSD servers (with which I and the other sysadmins don’t have much technical expertise). That CTO didn’t give any reason for such a risky and unnecessary switch. An argument broke out between him and other corporate officers, and to resolve the issue I was asked to use, get familiar with and analyze FreeBSD and do simple tests to see how secure it is.

                      After a few days of using it and reading the handbook, the other sysadmins and I found FreeBSD seriously inadequate for running our company’s servers. As per our company’s policy on who should report to whom, we submitted our findings to the CTO, and his response was abusive, demanding that we migrate our servers immediately and learn how to use FreeBSD or be fired. My fellow sysadmins and I knew that we would be violating the company policy governing migration of servers between software platforms if we obeyed him. Worse, the company’s proficiency in IT would be severely diminished if our servers were using FreeBSD instead of Linux. We decided to report this to the other corporate officers and they (unlike the CTO) seriously considered our report. They then had the CTO fired for his misconduct.

                      The reason why this article was also at http://aboutthebsds.wordpress.com/ was because a UNIX engineer on contract at our company approached me to ask if he could publish part of my report on FreeBSD’s lack of ASLR on his blog, which I agreed to, as I felt that this situation should be made known to the public.


                      @JX8p
                      Thanks for the workaround, but our company is trying to avoid solutions involving the recompilation of an OS kernel, as that would take a long time and is susceptible to complications. Furthermore, I searched around and found no evidence of FreeBSD RELEASE-10 having ASLR enabled by default. I know OpenBSD has ASLR, but it is not very random and I’ve seen it hacked much more quickly and easily than either Linux or Windows. NetBSD has userland ASLR in which you have to do a “paxctl +A <binary file>” on every binary file to make them have ASLR, which is time consuming and introduces the risk of some binary files not having ASLR.


                      Kind regards
                      Felix Doggoson


                        • #13
                          Originally posted by doggobot View Post
                          @Sergio
                          Excuse me but I have no idea who endman is.

                          The reason why I wrote this post was because I presented the same problem to forums.freebsd.org to tell them that it is a serious problem in today’s situation with software security. I also asked them for any simple workarounds, but all they did was ban me and remove my post, as if they were doing some cover-up. I was so frustrated and shocked by such a community and their software that I posted here instead, hoping for a solution and to show people this situation.

                          The reason why I was doing this was because we had a new CTO (now fired) who demanded that our company migrate our Linux servers (which we were well familiar with) to FreeBSD servers (with which I and the other sysadmins don’t have much technical expertise). That CTO didn’t give any reason for such a risky and unnecessary switch. An argument broke out between him and other corporate officers, and to resolve the issue I was asked to use, get familiar with and analyze FreeBSD and do simple tests to see how secure it is.

                          After a few days of using it and reading the handbook, the other sysadmins and I found FreeBSD seriously inadequate for running our company’s servers. As per our company’s policy on who should report to whom, we submitted our findings to the CTO, and his response was abusive, demanding that we migrate our servers immediately and learn how to use FreeBSD or be fired. My fellow sysadmins and I knew that we would be violating the company policy governing migration of servers between software platforms if we obeyed him. Worse, the company’s proficiency in IT would be severely diminished if our servers were using FreeBSD instead of Linux. We decided to report this to the other corporate officers and they (unlike the CTO) seriously considered our report. They then had the CTO fired for his misconduct.

                          The reason why this article was also at http://aboutthebsds.wordpress.com/ was because a UNIX engineer on contract at our company approached me to ask if he could publish part of my report on FreeBSD’s lack of ASLR on his blog, which I agreed to, as I felt that this situation should be made known to the public.


                          @JX8p
                          Thanks for the workaround, but our company is trying to avoid solutions involving the recompilation of an OS kernel, as that would take a long time and is susceptible to complications. Furthermore, I searched around and found no evidence of FreeBSD RELEASE-10 having ASLR enabled by default. I know OpenBSD has ASLR, but it is not very random and I’ve seen it hacked much more quickly and easily than either Linux or Windows. NetBSD has userland ASLR in which you have to do a “paxctl +A <binary file>” on every binary file to make them have ASLR, which is time consuming and introduces the risk of some binary files not having ASLR.


                          Kind regards
                          Felix Doggoson
                          Do you have any proof to back up your situation? I mean, that whole story sounds fishy and unlikely to occur in any workplace. I'd also like you to show the evidence of where OpenBSD ASLR can be hacked 'more easily'.


                          • #14
                            Originally posted by doggobot View Post
                            I know OpenBSD has ASLR, but it is not very random and I’ve seen it hacked much more quickly and easily than either Linux or Windows. NetBSD has userland ASLR in which you have to do a “paxctl +A <binary file>” on every binary file to make them have ASLR, which is time consuming and introduces the risk of some binary files not having ASLR.
                            This is simply hilarious... It can only come from one person: The BSD troll (Pawlerson, kraftman, endman, BSDSucksDicks, etc, etc). Loser.


                            • #15
                              Originally posted by Sergio View Post
                              Riiiiiight, Pawlerson (aka kraftman, aka BSDSucksDicks, aka endman, etc, etc)...
                              It seems you still didn't take your medicine. Sergio (aka: VimUser, kebbabert, Thomas Abthorpe, Eitan Adler, Shunsuke Akiyama, Monthadar Al Jaberi etc, etc)...
