> This proposal was originally at https://fedorahosted.org/fesco/ticket/1104

> http://fedoraproject.org/wiki/Hardened_Packages page mentions
> that "FESCo requires some packages to use PIE and relro hardening by
> default."

"Position independent executables" use a weak form of ASLR on
Fedora-19-Alpha-TC3-i686. The kernel always chooses the region below and
*near* the stack. The stack placement is randomized (always, regardless of
executable type), but the range for "a position-independent executable"
(ET_DYN with 0==PT_LOAD.p_vaddr) is only a small subset of the address space.
Experiment suggests that the window is 1MiB (20 bits), but this includes
the 12 low-order bits which cannot be changed. Thus the kernel uses only
256 possibilities. See test program below.

Note that "gcc -fPIE" is for compiling. Static linking requires "gcc -pie",
else the result has Elf32_Hdr.e_type == ET_EXEC, which is not eligible
for ASLR.

$ cat where.c
#include <stdio.h>      /* perror */
#include <stdlib.h>     /* exit */
#include <unistd.h>     /* read, write */
#include <sys/types.h>
#include <fcntl.h>

char buf[8192];

/* Copy this process's own memory map to stdout. */
int main(void)
{
    int const fd = open("/proc/self/maps", O_RDONLY);
    for (;;) {
        /* ssize_t, not size_t: read() returns -1 on error */
        ssize_t len = read(fd, buf, sizeof(buf));
        if (-1 == len) {
            perror("read");
            exit(1);
        }
        if (0 == len)
            break;
        write(1, buf, len);
    }
    return 0;
}
$ gcc -m32 -pie -fPIE -g -o where where.c   # -m32 is redundant on real i686
$ readelf --headers ./where | grep Type:
  Type:                              DYN (Shared object file)
$ readelf --headers ./where | grep LOAD
  LOAD           0x000000 0x00000000 0x00000000 0x0092c 0x0092c R E 0x1000
  LOAD           0x000ef0 0x00001ef0 0x00001ef0 0x00140 0x02170 RW  0x1000
$ ./where   # on i686 hardware
b750d000-b750e000 rw-p 00000000 00:00 0
b750e000-b76c6000 r-xp 00000000 08:3b 132197 /usr/lib/libc-2.17.so
b76c6000-b76c8000 r--p 001b7000 08:3b 132197 /usr/lib/libc-2.17.so
b76c8000-b76c9000 rw-p 001b9000 08:3b 132197 /usr/lib/libc-2.17.so
b76c9000-b76cc000 rw-p 00000000 00:00 0
b76e5000-b76e6000 rw-p 00000000 00:00 0
b76e6000-b76e7000 r-xp 00000000 00:00 0 [vdso]
b76e7000-b7706000 r-xp 00000000 08:3b 131776 /usr/lib/ld-2.17.so
b7706000-b7707000 r--p 0001e000 08:3b 131776 /usr/lib/ld-2.17.so
b7707000-b7708000 rw-p 0001f000 08:3b 131776 /usr/lib/ld-2.17.so
b7708000-b7709000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b7709000-b770a000 r--p 00000000 08:3b 654566 /home/jreiser/where
b770a000-b770b000 rw-p 00001000 08:3b 654566 /home/jreiser/where
b770b000-b770d000 rw-p 00000000 00:00 0
bfa65000-bfa86000 rw-p 00000000 00:00 0 [stack]
$ for i in 0 1 2 3 4 5 6 7 8 9 0; do ./where | grep where | sed 1q; done
b7749000-b774a000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b77f4000-b77f5000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b7795000-b7796000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b7719000-b771a000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b775f000-b7760000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b7785000-b7786000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b77a3000-b77a4000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b771a000-b771b000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b776f000-b7770000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b77d9000-b77da000 r-xp 00000000 08:3b 654566 /home/jreiser/where
b7768000-b7769000 r-xp 00000000 08:3b 654566 /home/jreiser/where
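
Added example, not part of the original message: the 8-bit estimate above can be checked mechanically by XOR-ing the sampled load addresses and counting which bits ever differ. The function names are illustrative, and the result is a lower bound, since a bit that stayed constant over 11 runs could still be randomized.

```c
#include <stdio.h>
#include <stdlib.h>

/* First "where" mapping from each of the 11 runs quoted in the message
 * (offset, device, inode and path fields trimmed). */
static const char *const samples[] = {
    "b7749000-b774a000 r-xp", "b77f4000-b77f5000 r-xp", "b7795000-b7796000 r-xp",
    "b7719000-b771a000 r-xp", "b775f000-b7760000 r-xp", "b7785000-b7786000 r-xp",
    "b77a3000-b77a4000 r-xp", "b771a000-b771b000 r-xp", "b776f000-b7770000 r-xp",
    "b77d9000-b77da000 r-xp", "b7768000-b7769000 r-xp",
};

/* Parse the start address of one maps line; returns 0 on success. */
static int parse_base(const char *line, unsigned long *base)
{
    char *end;
    *base = strtoul(line, &end, 16);
    return (end != line && *end == '-') ? 0 : -1;
}

/* OR of (sample XOR first sample): a set bit was seen to change between runs. */
static unsigned long varying_mask(const char *const *lines, size_t n)
{
    unsigned long first = 0, cur, mask = 0;
    int have_first = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_base(lines[i], &cur) != 0)
            continue;                     /* not a maps entry */
        if (!have_first) { first = cur; have_first = 1; }
        mask |= first ^ cur;
    }
    return mask;
}

static int count_bits(unsigned long v)
{
    int n = 0;
    for (; v; v &= v - 1) n++;            /* clear lowest set bit each pass */
    return n;
}

int main(void)
{
    unsigned long m = varying_mask(samples, sizeof samples / sizeof samples[0]);
    printf("mask 0x%08lx: %d address bits varied\n", m, count_bits(m));
    return 0;
}
```

To measure another system, replace the sample strings with the first matching maps line from repeated runs of the binary under test; more runs tighten the lower bound.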