In March 2016 I was chatting with Shawn Webb on the #HardenedBSD IRC channel about the then-new support for PIE + RELRO + BIND NOW + W^X compatibility in Firefox for HardenedBSD, and this is what he told me:
<lattera> SoloBSD: also, I hope you enjoy PIE + RELRO + BIND NOW + W^X compat firefox like I am 😉
<SoloBSD> what all of those things do?
<SoloBSD> PIE is Position-Independent Executable
<SoloBSD> I almost got that
<SoloBSD> so it is randomly running in memory space right?
<lattera> PIE means that the application itself will be loaded in a random spot in memory
<lattera> RELRO means that the relocation section will be marked as read-only
<lattera> BIND NOW means that the runtime linker will resolve all symbols (like functions, variables, etc.) immediately, before running the application
<SoloBSD> RELRO ---> cause sometimes it's marked as r/w
<lattera> if an application doesn't use RELRO, the part in memory where the relocation entries are located will be marked as RW
<SoloBSD> so what can go wrong there?
<SoloBSD> someone can write there?
<lattera> yeah, there's a part of the application called the PLT/GOT
<lattera> and that part is abused by attackers
<SoloBSD> got it
<lattera> if it's marked as RW, then an attacker can redirect function calls
<lattera> so when you think your application is calling printf(), it's really calling evil_printf()
<SoloBSD> ohhh interesting, and the same goes for W^X, right?
<lattera> kinda/sorta, but not really
<lattera> if a memory mapping is marked as RWX, then an attacker could write arbitrary code into that mapping and execute it
<lattera> W^X means "exclusively write or execute, but not both"
<lattera> so if a memory mapping is marked as writable, it can't be marked as executable
<lattera> and if a memory mapping is marked as executable, it can't be marked as writable
<SoloBSD> got that now
<SoloBSD> ok question on PIE, correct me if I'm wrong, which is likely possible, from the HBSD Internals lecture:
<SoloBSD> OpenBSD does the same, but we already know where the memory stack lives, right? which doesn't happen with HBSD
<lattera> OpenBSD has enabled PIE for all of base, something which we haven't done, yet
<lattera> we have PIE enabled for certain applications like ssh and sshd
<lattera> and HardenedBSD is the only BSD with true stack randomization, if I remember right
<lattera> meaning we randomize the top of the stack address
<SoloBSD> and that's why we love it, right?????
<lattera> we still also utilize a random stack gap, too, to provide more entropy
I hope this helps to understand a little better how all of this works in HardenedBSD.