I've been quite silent on here lately. That's because I've been hard at work. I've been working closely with a few developers and users to get this ASLR work rock solid. I've implemented execbase randomization for position-independent executables (PIEs). I've added support for building PIEs in FreeBSD's base. Oliver Pinter, who was the person whose patches I based my work off of, has been extremely active as well. We've teamed up together to fix some bugs in the PIE implementation. He did some amazing work in adding support for ASLR for all architectures FreeBSD supports. We're both tackling the challenges that come with having to support 32bit applications (less bits to randomize: more prone to errors).
As far as testing is concerned, Oliver only has access to Intel-based machines (so amd64 and x86). I have a raspberry pi (rpi). As of today, I've started testing ASLR on ARM with my raspberry pi. On Sunday, I will have one or more sparc64 boxes in my possession. I hope to kick out regular builds (nightly? weekly?) for the rpi, sparc64, and x86, and amd64 soon. I will only have binary (pkgng) packages for amd64. Please be gentle on my bandwidth. I only have so much.
Here's a list of immediate TODO items, in no particular order:
- Fix linuxulator
- Fix PIE on ARM. Currently, compiling an application with PIE will cause that application to segfault once it needs to actually accomplish something worthwhile.
- Merge in paxctl from another developer
- Finish adding PIE support to applications in base
Once these things are done, I'll submit another all-inclusive patch upstream. I'll then email the FreeBSD security team to start pushing getting this merged upstream. I'm really excited about all of this. It's coming together really nicely.
Here's a sneak peak of ASLR + PIE working on ARM: