FreeBSD does not have ASLR

  • FreeBSD does not have ASLR

    I was doing an analysis for my company who is looking to select a new operating system for their recently created server farm. I was analyzing FreeBSD when I found something alarming about it.

    I ran a program that I made called simplegets, and then I looked at its layout in virtual memory while running and this is what I got:

    Code:
    doggoson@fbsd:/home/doggoson % ps aux | grep simplegets
    doggoson 13381  0.0  0.1    9920   1416  0  I+    2:07PM  0:00.00 ./simplegets
    doggoson 13398  0.0  0.1   16288   1776  1  S+    2:08PM  0:00.00 grep simplegets
    doggoson@fbsd:/home/doggoson % cat /proc/13381/map
    0x400000 0x401000 1 0 0xfffffe003c103828 r-x 1 0 0x1000 COW NC vnode /usr/home/doggoson/simplegets NCH -1
    0x600000 0x800000 2 0 0xfffffe0016de89f8 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800600000 0x800618000 24 0 0xfffffe00076ed658 r-x 90 0 0x1004 COW NC vnode /libexec/ld-elf.so.1 NCH -1
    0x800618000 0x800639000 21 0 0xfffffe001e195828 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800817000 0x800819000 2 0 0xfffffe0023bf22b8 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800819000 0x800947000 258 0 0xfffffe00076ed000 r-x 166 76 0x1004 COW NC vnode /lib/libc.so.7 NCH -1
    0x800947000 0x800b46000 0 0 0xfffffe005afdc9f8 --- 1 0 0x2000 NCOW NNC default - NCH -1
    0x800b46000 0x800b51000 11 0 0xfffffe00374cd9f8 rw- 1 0 0x3000 COW NNC vnode /lib/libc.so.7 CH 1001
    0x800b51000 0x800b6c000 8 0 0xfffffe0067d37740 rw- 2 0 0x3000 NCOW NNC default - CH 1001
    0x800c00000 0x801000000 8 0 0xfffffe0067d37740 rw- 2 0 0x3000 NCOW NNC default - CH 1001
    0x7ffffffdf000 0x7ffffffff000 3 0 0xfffffe00790363a0 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x7ffffffff000 0x800000000000 0 0 0xfffffe0007515cb0 r-x 94 0 0x4 COW NC default - NCH -1
    doggoson@fbsd:/home/doggoson %
    The surprise came when I ran simplegets a second time:

    Code:
    doggoson@fbsd:/home/doggoson % ps aux | grep simplegets
    doggoson 13446  0.0  0.1    9920   1416  0  S+    2:12PM  0:00.00 ./simplegets
    doggoson 13449  0.0  0.1   16288   1776  1  S+    2:12PM  0:00.00 grep simplegets
    doggoson@fbsd:/home/doggoson % cat /proc/13446/map
    0x400000 0x401000 1 0 0xfffffe003c103828 r-x 1 0 0x1000 COW NC vnode /usr/home/doggoson/simplegets NCH -1
    0x600000 0x800000 2 0 0xfffffe004a9b3910 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800600000 0x800618000 24 0 0xfffffe00076ed658 r-x 90 0 0x1004 COW NC vnode /libexec/ld-elf.so.1 NCH -1
    0x800618000 0x800639000 21 0 0xfffffe00660a13a0 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800817000 0x800819000 2 0 0xfffffe00790390e8 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x800819000 0x800947000 258 0 0xfffffe00076ed000 r-x 166 76 0x1004 COW NC vnode /lib/libc.so.7 NCH -1
    0x800947000 0x800b46000 0 0 0xfffffe00486fd910 --- 1 0 0x2000 NCOW NNC default - NCH -1
    0x800b46000 0x800b51000 11 0 0xfffffe00600819f8 rw- 1 0 0x3000 COW NNC vnode /lib/libc.so.7 CH 1001
    0x800b51000 0x800b6c000 8 0 0xfffffe00302672b8 rw- 2 0 0x3000 NCOW NNC default - CH 1001
    0x800c00000 0x801000000 8 0 0xfffffe00302672b8 rw- 2 0 0x3000 NCOW NNC default - CH 1001
    0x7ffffffdf000 0x7ffffffff000 3 0 0xfffffe007219f740 rw- 1 0 0x3000 NCOW NNC default - CH 1001
    0x7ffffffff000 0x800000000000 0 0 0xfffffe0007515cb0 r-x 94 0 0x4 COW NC default - NCH -1
    doggoson@fbsd:/home/doggoson %
    As you can see, all the memory addresses have not changed which shows that FreeBSD lacks Address Space Layout Randomization or ASLR, an important security feature that all other operating systems including Windows have.

    Linux has ASLR as shown when simplegets is executed once:

    Code:
    doggoson@bluebook ~ $ ps aux | grep simplegets
    doggoson   4134  0.0  0.0   4080   348 pts/0    S+   13:59   0:00 ./simplegets
    doggoson   4145  0.0  0.0   8052   916 pts/1    S+   13:59   0:00 grep --colour=auto simplegets
    doggoson@bluebook ~ $ cat /proc/4134/maps 
    00400000-00401000 r-xp 00000000 08:06 261421                             /home/doggoson/Workspace/CC+/simplegets
    00600000-00601000 rw-p 00000000 08:06 261421                             /home/doggoson/Workspace/CC+/simplegets
    7f704e324000-7f704e4c6000 r-xp 00000000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f704e4c6000-7f704e6c6000 ---p 001a2000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f704e6c6000-7f704e6ca000 r--p 001a2000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f704e6ca000-7f704e6cc000 rw-p 001a6000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f704e6cc000-7f704e6d0000 rw-p 00000000 00:00 0 
    7f704e6d0000-7f704e6f1000 r-xp 00000000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7f704e8d0000-7f704e8d3000 rw-p 00000000 00:00 0 
    7f704e8ee000-7f704e8f1000 rw-p 00000000 00:00 0 
    7f704e8f1000-7f704e8f2000 r--p 00021000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7f704e8f2000-7f704e8f4000 rw-p 00022000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7fffdca09000-7fffdca2a000 rw-p 00000000 00:00 0                          [stack]
    7fffdca49000-7fffdca4b000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    doggoson@bluebook ~ $
    and again

    Code:
    doggoson@bluebook ~ $ ps aux | grep simplegets
    doggoson   4173  0.0  0.0   4080   348 pts/0    S+   14:02   0:00 ./simplegets
    doggoson   4176  0.0  0.0   8052   916 pts/1    S+   14:02   0:00 grep --colour=auto simplegets
    doggoson@bluebook ~ $ cat /proc/4173/maps 
    00400000-00401000 r-xp 00000000 08:06 261421                             /home/doggoson/Workspace/CC+/simplegets
    00600000-00601000 rw-p 00000000 08:06 261421                             /home/doggoson/Workspace/CC+/simplegets
    7f1e449ac000-7f1e44b4e000 r-xp 00000000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f1e44b4e000-7f1e44d4e000 ---p 001a2000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f1e44d4e000-7f1e44d52000 r--p 001a2000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f1e44d52000-7f1e44d54000 rw-p 001a6000 08:08 4461920                    /lib/x86_64-linux-gnu/libc-2.17.so
    7f1e44d54000-7f1e44d58000 rw-p 00000000 00:00 0 
    7f1e44d58000-7f1e44d79000 r-xp 00000000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7f1e44f58000-7f1e44f5b000 rw-p 00000000 00:00 0 
    7f1e44f76000-7f1e44f79000 rw-p 00000000 00:00 0 
    7f1e44f79000-7f1e44f7a000 r--p 00021000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7f1e44f7a000-7f1e44f7c000 rw-p 00022000 08:08 4461916                    /lib/x86_64-linux-gnu/ld-2.17.so
    7fff4049f000-7fff404c0000 rw-p 00000000 00:00 0                          [stack]
    7fff405fe000-7fff40600000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    doggoson@bluebook ~ $
    As you can see, not only is the address space layout of simplegets neater and simpler but more importantly, the memory addresses have changed showing that Linux is well protected using ASLR.

    It just goes to show, FreeBSD is not safer than Linux but rather the other way round.

    It also shows that it is possible that the FreeBSD project is cooperating with the NSA and CIA so that they can easily access FreeBSD hosts more easily.
    Last edited by doggobot; 17 October 2013, 11:51 PM.
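
The by-hand comparison in the post above, as an added example that is not part of the original post: a small Python parser that reads two snapshots in either the FreeBSD procfs `map` format or the Linux `maps` format and lists which mappings kept the same base address across runs. The sample strings are constructed by abridging the listings above to three lines per run, and the `anon#N` label for unnamed mappings is a convention of this example.

```python
import re

# Constructed sample input: three lines per run, abridged from the listings in the post.
FREEBSD_RUN1 = """\
0x400000 0x401000 1 0 0xfffffe003c103828 r-x 1 0 0x1000 COW NC vnode /usr/home/doggoson/simplegets NCH -1
0x800819000 0x800947000 258 0 0xfffffe00076ed000 r-x 166 76 0x1004 COW NC vnode /lib/libc.so.7 NCH -1
0x7ffffffdf000 0x7ffffffff000 3 0 0xfffffe00790363a0 rw- 1 0 0x3000 NCOW NNC default - CH 1001"""
FREEBSD_RUN2 = """\
0x400000 0x401000 1 0 0xfffffe003c103828 r-x 1 0 0x1000 COW NC vnode /usr/home/doggoson/simplegets NCH -1
0x800819000 0x800947000 258 0 0xfffffe00076ed000 r-x 166 76 0x1004 COW NC vnode /lib/libc.so.7 NCH -1
0x7ffffffdf000 0x7ffffffff000 3 0 0xfffffe007219f740 rw- 1 0 0x3000 NCOW NNC default - CH 1001"""
LINUX_RUN1 = """\
00400000-00401000 r-xp 00000000 08:06 261421  /home/doggoson/Workspace/CC+/simplegets
7f704e324000-7f704e4c6000 r-xp 00000000 08:08 4461920  /lib/x86_64-linux-gnu/libc-2.17.so
7fffdca09000-7fffdca2a000 rw-p 00000000 00:00 0  [stack]"""
LINUX_RUN2 = """\
00400000-00401000 r-xp 00000000 08:06 261421  /home/doggoson/Workspace/CC+/simplegets
7f1e449ac000-7f1e44b4e000 r-xp 00000000 08:08 4461920  /lib/x86_64-linux-gnu/libc-2.17.so
7fff4049f000-7fff404c0000 rw-p 00000000 00:00 0  [stack]"""

LINUX_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def bases(text):
    """Map each mapping's label to its lowest start address (either OS format)."""
    out, anon = {}, 0
    for line in text.strip().splitlines():
        m = LINUX_LINE.match(line.strip())
        if m:                      # Linux: start-end perms offset dev inode [path]
            start, label = int(m.group(1), 16), m.group(2).strip()
        else:                      # FreeBSD procfs: start end ... type path ...
            f = line.split()
            if len(f) < 13:
                continue           # shell prompt or other non-map line
            start, label = int(f[0], 16), f[12]
        if label in ("", "-"):     # unnamed mapping: label by ordinal (heuristic)
            label, anon = f"anon#{anon}", anon + 1
        out[label] = min(start, out.get(label, start))
    return out

def compare_runs(run1, run2):
    """Return (fixed, moved): labels whose base is identical / different across runs."""
    a, b = bases(run1), bases(run2)
    common = sorted(a.keys() & b.keys())
    return ([k for k in common if a[k] == b[k]],
            [k for k in common if a[k] != b[k]])

if __name__ == "__main__":
    print("FreeBSD:", compare_runs(FREEBSD_RUN1, FREEBSD_RUN2))
    print("Linux:  ", compare_runs(LINUX_RUN1, LINUX_RUN2))
```

On the constructed samples, the FreeBSD pair reports every mapping as fixed, while the Linux pair reports libc and the stack as moved and the executable itself as fixed at 0x400000, which is how an executable that was not built position-independent shows up in this comparison.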

  • #2
    Originally posted by doggobot
    I was doing an analysis for my company who is looking to select a new operating system for their recently created server farm. I was analyzing FreeBSD when I found something alarming about it.

    I ran a program that I made called simplegets, and then I looked at its layout in virtual memory while running and this is what I got:

    [...]

    As you can see, not only is the address space layout of simplegets neater and simpler but more importantly, the memory addresses have changed showing that Linux is well protected using ASLR.

    It just goes to show, FreeBSD is not safer than Linux but rather the other way round.

    It also shows that it is possible that the FreeBSD project is cooperating with the NSA and CIA so that they can easily access FreeBSD hosts more easily.
    I believe FreeBSD 10 will be including ASLR with it enabled by default. Alternatively, you could very easily add it in yourself-- there is a patch for FreeBSD 9 that is already widely available.

    Regarding FreeBSD vs Linux safety-- that is entirely a subjective matter. However, even I am baffled at the idea that you consider the omission of ASLR to render any other benefit moot in its absence.

    As for the last sentence, that is so laughable as to be scarcely worth even trying to refute. But I will say this: If FreeBSD was cooperating with the NSA and the CIA, you'd know about it. FreeBSD is open-source. That's why I can tell you that your 3-letter-agencies were involved with SELinux amongst other Linux projects. Furthermore, the absence of ASLR does not affect the ease of 'accessing FreeBSD hosts'.

    • #3
      FreeBSD does not have ASLR
      Are you fucking kidding me
      It’s 2014 and this shit doesn’t even have basic protect.

      “More secure than Linux” Bullshit

      • #4
        Originally posted by JX8p
        I believe FreeBSD 10 will be including ASLR with it enabled by default. Alternatively, you could very easily add it in yourself-- there is a patch for FreeBSD 9 that is already widely available.

        Regarding FreeBSD vs Linux safety-- that is entirely a subjective matter. However, even I am baffled at the idea that you consider the omission of ASLR to render any other benefit moot in its absence.

        As for the last sentence, that is so laughable as to be scarcely worth even trying to refute. But I will say this: If FreeBSD was cooperating with the NSA and the CIA, you'd know about it. FreeBSD is open-source. That's why I can tell you that your 3-letter-agencies were involved with SELinux amongst other Linux projects. Furthermore, the absence of ASLR does not affect the ease of 'accessing FreeBSD hosts'.
        Yes this guy was laughing also when he wrote this: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

        My NDA with the FBI has recently expired, and I wanted to make you
        aware of the fact that the FBI implemented a number of backdoors and
        side channel key leaking mechanisms into the OCF, for the express
        purpose of monitoring the site to site VPN encryption system
        implemented by EOUSA, the parent organization to the FBI. Jason
        Wright and several other developers were responsible for those
        backdoors, and you would be well advised to review any and all code
        commits by Wright as well as the other developers he worked with
        originating from NETSEC.

        • #5
          Originally posted by endman
          Are you fucking kidding me
          It’s 2014 and this shit doesn’t even have basic protect.

          “More secure than Linux” Bullshit
          Nice job there answering yourself, loser...
          This idiot did this post on October 18; apparently nobody gave a f*ck so now he is forced to post it here; he wants attention: http://aboutthebsds.wordpress.com/20...d-is-insecure/
          Go get a life, loser.

          • #6
            Originally posted by ACiD
            Yes this guy was laughing also when he wrote this: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
            You're telling me what I was doing? Because in fact I hadn't seen that post. Very presumptuous of you. However if those allegations are true you have a lot more than OpenBSD that is potentially compromised. Mind you, I find the allegations dubious in the extreme -- they reek of FUD and are totally unsubstantiated by any fact. Furthermore OpenBSD and the code derived from it (as used in many other projects which include Linux-related projects) is frequently audited, and something like this is unlikely to go unnoticed. By the way, people generally don't get 10yr NDAs that expire and allow you to talk at will afterwards.

            Anyway, if by some chance this whole silliness is totally true, then one need only file an FoI request to see about this man's NDA.

            Are you fucking kidding me
            It’s 2014 and this shit doesn’t even have basic protect.

            “More secure than Linux” Bullshit
            Sorry mate, that's really just not how it works. You can't take one little thing and try and extrapolate from it the total state of a project. In any case, ASLR is mainly something for the very paranoid; remote holes are what are generally important for security.

            • #7
              Originally posted by JX8p
              You're telling me what I was doing? Because in fact I hadn't seen that post. Very presumptuous of you. However if those allegations are true you have a lot more than OpenBSD that is potentially compromised. Mind you, I find the allegations dubious in the extreme -- they reek of FUD and are totally unsubstantiated by any fact. Furthermore OpenBSD and the code derived from it (as used in many other projects which include Linux-related projects) is frequently audited, and something like this is unlikely to go unnoticed. By the way, people generally don't get 10yr NDAs that expire and allow you to talk at will afterwards.

              Anyway, if by some chance this whole silliness is totally true, then one need only file an FoI request to see about this man's NDA.



              Sorry mate, that's really just not how it works. You can't take one little thing and try and extrapolate from it the total state of a project. In any case, ASLR is mainly something for the very paranoid; remote holes are what are generally important for security.
              Uhm the BSD backdoors were widely public after they were discovered.

              • #8
                Originally posted by JX8p
                Sorry mate, that's really just not how it works. You can't take one little thing and try and extrapolate from it the total state of a project. In any case, ASLR is mainly something for the very paranoid; remote holes are what are generally important for security.
                It's not one little thing. It's one of the most important things. Even Windows has it. Furthermore, Linux provides many more security mechanisms and is much more frequently audited.

                • #9
                  Originally posted by Sergio
                  Nice job there answering yourself, loser...
                  This idiot did this post on October 18; apparently nobody gave a f*ck so now he is forced to post it here; he wants attention: http://aboutthebsds.wordpress.com/20...d-is-insecure/
                  Go get a life, loser.
                  All kudos goes to you Sergio! Nice job. You have advertised his blog at Phoronix and now the world will hear how bsd sucks! You are marked as bsd traitor now and trolls from bsd camps will try to hunt you down. You've been warned.

                  • #10
                    Originally posted by Pawlerson
                    It's not one little thing. It's one of the most important things. Even Windows has it. Furthermore, Linux provides many more security mechanisms and is much more frequently audited.
                    Riiiiiight, Pawlerson (aka kraftman, aka BSDSucksDicks, aka endman, etc, etc)...
