[OpenWrt-Devel] [PATCH 0/6] buildsystem: Activate PIE ASLR for some packages

Hauke Mehrtens hauke at hauke-m.de
Wed Oct 30 11:30:12 EDT 2019


On 10/28/19 10:14 AM, Daniel Engberg wrote:
> On 2019-10-27 18:44, Hauke Mehrtens wrote:
>> This is a follow up patch on this discussion on the mailing list:
>> https://patchwork.ozlabs.org/patch/1041647/
>>
>> This allows activating PIE only for some packages where we think it is
>> necessary and not only globally for all of them.
>>
>> Hauke Mehrtens (6):
>>   buildsystem: Make PIE ASLR option tristate
>>   dnsmasq: Activate PIE by default
>>   dropbear: Activate PIE by default
>>   hostapd: Activate PIE by default
>>   uhttpd: Activate PIE by default
>>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
>>
>>  config/Config-build.in                       | 22 ++++++++++++++++----
>>  include/hardening.mk                         |  9 +++++++-
>>  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
>>  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
>>  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
>>  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
>>  package/network/config/ltq-vdsl-app/Makefile |  1 -
>>  package/network/services/dnsmasq/Makefile    |  1 +
>>  package/network/services/dropbear/Makefile   |  1 +
>>  package/network/services/hostapd/Makefile    |  1 +
>>  package/network/services/uhttpd/Makefile     |  1 +
>>  13 files changed, 30 insertions(+), 13 deletions(-)
> 
> I think ASLR's value needs to be evaluated especially due to the
> performance penalty (hostapd mainly in that regard) and not to forget
> size increase depending on for how long OpenWrt intends to keep 8Mbyte
> devices around as 4Mbyte devices are more or less unsupported by now.
> It's probably a better idea to only enable it on aarch64 and x86-64
> where size isn't as much of a concern and where it probably(?) receives
> most exposure to avoid unnecessary breakage.
> 
> http://intx0x80.blogspot.com/2018/04/bypass-aslrnx-part-1.html
> https://svnweb.freebsd.org/base?view=revision&revision=343964
> Might also be worth taking into consideration.
> 
> Best regards,
> Daniel

Yes, ASLR is not preventing any exploits; it just makes it harder for an
attacker, like most other mechanisms too. Especially on 32 bit platforms
like MIPS 32 bit and ARM 32 bit we only use 8 bits of the address for
ASLR; on 64 bit platforms this feature is a lot more useful as we have a
lot more bits.

I am wondering why the kernel takes CONFIG_ARCH_MMAP_RND_BITS_MIN as the
default for CONFIG_ARCH_MMAP_RND_BITS and not the max value; on MIPS 32
bit min is 8 bits and max is 16 bits.
https://elixir.bootlin.com/linux/v4.19.79/source/arch/Kconfig#L598

Do you know any benchmark results measuring the performance penalty of
ASLR and PIE?

Hauke
