mirror of
https://github.com/opnsense/src.git
synced 2026-06-13 10:40:19 -04:00
efe03b23a6
On OPNsense's 16.7 roadmap is HardenedBSD's ASLR code. This commit separates out the ASLR code from the rest of our exploit mitigation and system hardening code. Testing and verification still need to be performed. Initial testing (compile + boot + `procstat -v PIDofPIEapplication) has been performed. More thorough testing should occur. Shared object load order randomization in the RTLD is not included in this patch. That will be discussed with the fine folks at OPNsense at a later time. On i386, the stack isn't randomized enough to provide enough space for the VDSO to be randomized. Bump the stack randomization up to 14 for 32bit systems and lower the VDSO randomization to 8. This provides enough of a difference between the two to allow for both stack and VDSO randomization. Note that ASLR on 32bit systems is still rather weak. Not much entropy can be introduced into the stack and VDSO. Brute forcing the stack and VDSO is well within the realm of possibility. Users are strongly advised to migrate to 64bit systems. Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org> |
||
|---|---|---|
| .. | ||
| allwinner | ||
| arm | ||
| at91 | ||
| broadcom/bcm2835 | ||
| cavium/cns11xx | ||
| conf | ||
| freescale | ||
| include | ||
| lpc | ||
| mv | ||
| rockchip | ||
| samsung | ||
| ti | ||
| versatile | ||
| xilinx | ||
| xscale | ||