FreeBSD/SSP

Index:

• What is it, technically speaking ?
• How to use it?
• New GCC options
• Short story
• Thanks to...
• I WANT MORE SECURITY ON FREEBSD!
• Bugs
• FAQ about FreeBSD/SSP (YOU SHOULD REALLY READ THIS AS WELL)

Theses patches intend to use the ProPolice stack-smashing protection (SSP) on FreeBSD 6-STABLE, 7-STABLE and 8-CURRENT. ProPolice basically prevents exploits that use stack-based buffer overflows by setting a random integer (called the "canary") in the stack right before the return address. It is set in the function's prologue and verified during the epilogue ; if it has changed, then a buffer overflow has occured and the program commits suicide by killing himself with SIGABRT. Both userland and kernel may be protected.

Furthermore local automatic variables are reordered so that overflowing an array would not overwrite other automatic scalar variables belonging to the same function scope. Only functions containing arrays are protected. There is an option to activate the protection for every functions (see below), tough there is no obvious reason to do so.

The performance loss incurred this security feature is really small: it has been measured to be in an order of 2 or 3 percent.
ProPolice's author performed a serious performance overhead analysis which is available at http://www.trl.ibm.com/projects/security/ssp/node5.html.
I have personally ran a classical but quite representative benchmark, making buildworld thrice:

	WITHOUT_SSP	WITH_SSP (world+kernel)	Overhead (%)
real	319m45.465s	323m31.551s	1.1%
user	180m5.823s	182m48.844s	1.5%
sys	23m18.855s	23m50.322s	2.2%

OpenBSD has integrated ProPolice into his source-tree in December 2002 and this is used to compile the whole system by default so far. DragonFlyBSD also has imported ProPolice into its tree since December 2003.

Patchset

Patchsets #10 exist both for CURRENT, RELENG_7 and RELENG_6:

How To...

1. Apply the patch against your FreeBSD source tree:
   • On RELENG_6:

     % cd /usr/src
     % fetch http://tataz.chchile.org/~tataz/FreeBSD/SSP/fbsd6-ssp-propolice.patch
     % fetch http://tataz.chchile.org/~tataz/FreeBSD/SSP/fbsd6-ssp-glue.patch
     % patch -p0 < fbsd6-ssp-propolice.patch
     % patch -p0 < fbsd6-ssp-glue.patch
     

   • On RELENG_7/CURRENT:

     % cd /usr/src
     % fetch http://tataz.chchile.org/~tataz/FreeBSD/SSP/fbsd7-ssp-glue.patch
     % patch -p0 < fbsd7-ssp-glue.patch
     

2. Build your world as usually, using either:
   • ENABLE_SSP=YES in make.conf(5) on RELENG_6:

     % echo "ENABLE_SSP=yes" >> /etc/make.conf
     % make buildworld
     

   • on RELENG_7/CURRENT:

     % make buildworld
     

3. Your kernel can also make the best of the stack-smashing protection.
   • On RELENG_6, you must enable the SSP_SUPPORT option in your kernel configuration file, because linkage won't succeed otherwise (OK, I admit I could have removed the necessity of this option, but I don't intend to change the RELENG_6 patch anymore; however I'd be glad to receive an updated patch):

     % echo "options SSP_SUPPORT" >> /sys/i386/conf/MYKERNEL
     % make buildkernel installkernel KERNCONF=MYKERNEL
     

   • On RELENG_7/CURRENT:

     % make buildkernel installkernel KERNCONF=MYKERNEL
     

4. Install your world:

   % make installworld
   

5. To protect your ports with ProPolice, use the USE_SSP knob:

   % cd /usr/port/some/port
   % make -DUSE_SSP install clean
   

   You can add the following line to your make.conf(5) to compile all your ports with ProPolice:

   USE_SSP=yes
   

   Note however that some ports are known to fail to build or run with SSP. See the FAQ for more informations.
   

NOTE: If you want to go back to a non-SSP system, you should use a trick described in FAQ, because of the nature of this patch.

Patchset history

(2008.04.15) #10 released.

• I've contacted Rusland Ermilov (build infrastructure master) in order to review the patch and eventually get it committed in 8-CURRENT. This new patch for CURRENT includes his comments.

(2008.03.02) #9 released.

• On RELENG_6, libc is now built early among other libraries, so there is no need to patch it any more. Reported by Marc Schneider.
• As for RELENG_7/CURRENT patchset, make it applicable with "patch -p0" as stated in the installation HowTo. Also don't forget to install bsd.ssp.mk in share/mk/Makefile. Reported by Marc Schneider.

(2008.02.20) #8 released.

• When building ports, check that ${USE_SSP} is defined and contains "yes", so it is possible to disable it from command-line when enabled from make.conf(5).

(2007.12.11) #7 released.

• Add back a patch for RELENG_7/CURRENT. I thought it was enabled by default, but someone pointed to me this wasn't the case.

(2007.08.09) #6 released.

• Merge latest conflicts in RELENG_6 which happened in a few Makefile.
• FreeBSD-CURRENT now has GCC-4.2 where ProPolice is provided by default. Therefore this patch is no longer needed.

(2007.01.21) #5 released.

• Rong-En Fan imported ncurses 5.6 into -CURRENT and changed directory name meanwhile. Fix the resulting conflict.

(2006.11.19) #4 released. Differences with previous patchset:

• libelf(3) has been imported and leaded to a conflict in lib/Makefike.
• Ruslan Ermilov commited a patch that prevents from leaking src/ build stuff into the ports/ environment, therefore the WITH_SSP knob won't work any more for them. I've replaced it with a more logical knob called USE_SSP. Note that it should belongs to the ports/ tree, but as I distribute FreeBSD/SSP as a patch, it is easier to provide it from the src/ tree for now.

(2006.10.22) #3 released. Differences with previous patchset:

• Include bsd.own.mk in kern.pre.mk instead of including src.conf(5) directly, so the kernel is compiled with ProPolice flags when WITH_SSP is defined.

(2006.10.05) #2 released. Differences with previous patchsets, which were preventing the patch from being applied cleanly:

• GCC 3.4.6 has been imported (leading to a conflict in contrib/gcc/version.c).
• RELENG_6's make.conf(5) has been shuffled to match HEAD's (leading to a conflict in share/man/man5/make.conf.5).
• BSM has been MFC'ed to RELENG_6 (leading to a conflict in lib/Makefile).
• CURRENT's libc_r is no longer built (leading to a conflict in lib/Makefile).
• fbsd?-ssp-propolice.patch has been renamed to fbsd?-ssp-glue.patch.

(2006.08.22) #1 released. Differences with previous patchset:

• Sparc64 support (thanks to Allen Hewes for testing).
• Modify GCC's version.c (thanks to Allen Hewes).

(2006.05.29) #0 released.

Once the ProPolice/SSP patch is applied, GCC will support the following options:

• -fno-stack-protector: this prevents GCC from protecting anything ;
• -fstack-protector: GCC will protect functions vulnerable to buffer overflows (functions containing one or more character arrays) ;
• -fstack-protector-all: GCC will protect absolutely all functions.

The original GCC patch was created and is maintained by Hiroaki Etoh (etoh at jp dot ibm dot com) at IBM laboratories in Tokyo: http://www.trl.ibm.com/projects/security/ssp/.

It has been ported to FreeBSD 4.x and FreeBSD 5.1 with the help of, among others (whom I have not been able to find names), Dag-Erling Smorgrav (des at FreeBSD dot org): http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html.

Thijs Eilander (nomad at paranoid dot nl) recently foreported ProPolice to FreeBSD 5.4 and FreeBSD 6.0. You may want to read his page as well, it contains some useful informations: http://www.paranoid.nl/~eilander/freebsd/propolice/.

For the sake of completeness, the ProPolice/SSP patch has also been ported to FreeBSD 4.7 by Yamamoto Takanori: http://ssp4fbsd.sourceforge.jp/.

Finally, I (Jeremie Le Hen (jeremie at le-hen dot org)) decided to provide a more integrated ProPolice patch for FreeBSD 7-CURRENT.

It has been successfully tested on FreeBSD/i386 and FreeBSD/amd64 only. The src/sys/boot/ part should fail to compile for other platforms, but there should be only little work to make it compile correctly.

Pascal Hofstee (caelian at gmail dot com) tested a huge number of successive patchsets I released. He has been very patient. We worked together to make the patch break POLA as little as possible. Thanks to him, I was able to find out the few bits required to make the patch work on amd64.

Olivier Houchard (cognet at FreeBSD dot org) helped me a lot when I began working on this some months ago, he gave me useful advices. Especially he provided me a patch for libpthread and libthr that made open(3) callable very early in constructor functions, before the threading library was full initialized. Furthermore I owe him the trick to move from an SSP-aware system to a not SSP-aware system using LD_PRELOAD ; before that I had to use /rescue to copy files manually.

Joerg Sonnenberger (joerg at britannica dot bec dot de) pointed me out that -O2 compilation is broken with ProPolice because of the implicit -funit-at-time optimization. He reported this to Hiroaki Etoh who fixed the bug shortly.

Kostik Belousov (kostikbel at gmail dot com) explained me the trick when linking statically binaries not being protected by ProPolice/SSP because they do not use any buffer.

I want to thank all alpha and beta testers: Victor Balada Diaz first, Xavier "Bana" Lapie, Jerome "Jethro" Magnin, Ulrich "Neo" Blondel, Stephane "Darksoul" Lapie. If I forgot someone, please forgive me and let me know.

Raphael Poss reviewed my english (I have modified the text since then).

I would also like to thank the OpenBSD project, the DragonFlyBSD project, the Hardened Debian project and the GCC project on which I took some useful ideas.

Since the patch deals with the stack, it doesn't prevent from heap-based buffer overflows as well as return-to-libc attacks. To harden your FreeBSD even more, you can use these two patches from Suleiman Souhlal . These were taken from OpenBSD, as far as I know.

This first patch randomize the gap before the stack start. This makes harder to guess stack address for an attacker:
Post: http://lists.freebsd.org/pipermail/freebsd-arch/2005-May/003835.html
Patch: http://people.freebsd.org/~ssouhlal/testing/stackgap-20050527.diff

This second patch is very interesting because it randomizes the location of mmap(2)'ed dynamic libairies, which makes return-to-libc attacks more difficult:
Post: http://lists.freebsd.org/pipermail/freebsd-arch/2005-May/003851.html
Patch: http://people.freebsd.org/~ssouhlal/testing/mmap_random-20050528.diff

I would be pleased to get feedback if you find bugs. In such a case, please provide me the version of FreeBSD you are using (the best would be the date at which you sync'ed your sources). I will also need your make.conf(5) and a full output of your failed compilation (use script(1)).