OpenBSD Journal
W^X now mandatory in OpenBSD
Contributed by tj on Fri May 27 22:27:14 2016 (GMT)
from the x-chromosome dept.

Traditional Unix has allowed memory to be mapped W | X. Everyone now knows that's a bad practice from a security standpoint, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2016/05/27 13:45:04

Modified files:
	lib/libc/sys   : mmap.2 mount.2 mprotect.2 
	sbin/mount     : mntopts.h mount.8 mount.c 
	sbin/mount_ffs : mount_ffs.c 
	sbin/mount_nfs : mount_nfs.c 
	sys/kern       : kern_sysctl.c vfs_syscalls.c 
	sys/sys        : mount.h sysctl.h 
	sys/uvm        : uvm_mmap.c 
	usr.sbin/pstat : pstat.c 

Log message:
W^X violations are no longer permitted by default.  A kernel log message
is generated, and mprotect/mmap return ENOTSUP.  If the sysctl(8) flag
kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump
creation.

W^X violating programs can be permitted on a ffs/nfs filesystem-basis,
using the "wxallowed" mount option.  One day far in the future
upstream software developers will understand that W^X violations are a
tremendously risky practice and that style of programming will be
banished outright.  Until then, we recommend most users need to use the
wxallowed option on their /usr/local filesystem.  At least your other
filesystems don't permit such programs.

This is a first step towards mandatory W^X, a plateau no one else has been able to reach yet. Some ports have been modified to adhere to this rule, but a number of others (JDK, GCC, Mono, Chromium, etc) will need the /etc/fstab workaround until they can be fixed upstream. Firefox is a notable exception, having been refactored in just the last year. While these remaining violators are being reworked, an initial method has been introduced to differentiate between filesystems whose binaries are or are not entirely W^X-safe.

None of the base system binaries violate this check, so there should be no noticeable effect if you don't have any third-party packages installed.

More information for -current users can be found in the usual place.
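
As an added illustration (not code from the OpenBSD commit or from this article), the C program below asks the kernel for W|X memory through both mmap and mprotect, the two calls the log message names, and then performs the alternative sequence of filling a page while it is RW and switching it to RX in a single mprotect. The function names and the placeholder bytes are assumptions made for this example; nothing in the mapping is ever executed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANON on glibc; not needed on OpenBSD */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Request a writable+executable anonymous mapping. Returns 0 if granted,
 * else the errno the kernel set (ENOTSUP per the log message above). */
int probe_wx_mmap(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_ANON | MAP_PRIVATE, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* Map one RW region, copy n bytes in, then switch it to new_prot with a
 * single mprotect(). Returns 0 if the switch succeeded and the bytes are
 * intact, -1 on a content mismatch, else the errno from the failing call. */
int fill_then_protect(const void *buf, size_t n, size_t len, int new_prot)
{
    int err = 0;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_ANON | MAP_PRIVATE, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memcpy(p, buf, n);
    if (mprotect(p, len, new_prot) == -1)
        err = errno;
    else if (memcmp(p, buf, n) != 0)
        err = -1;
    munmap(p, len);
    return err;
}

int main(void)
{
    /* Constructed placeholder bytes; they are never executed. */
    static const unsigned char blob[] = "constructed sample, not code";
    size_t len = (size_t)sysconf(_SC_PAGESIZE);

    printf("mmap W|X:         errno %d\n", probe_wx_mmap(len));
    printf("mprotect RW->RWX: errno %d\n",
           fill_then_protect(blob, sizeof blob, len,
                             PROT_READ | PROT_WRITE | PROT_EXEC));
    printf("mprotect RW->RX:  errno %d\n",
           fill_then_protect(blob, sizeof blob, len, PROT_READ | PROT_EXEC));
    return 0;
}
```

A result of 0 means the request was permitted. Going by the log message, a kernel with this change should report ENOTSUP for the first two requests unless the binary runs from a filesystem mounted with wxallowed.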


  Re: W^X now mandatory in OpenBSD (mod 6/148)
by PaX Team (94.21.46.17) (pageexec@freemail.hu) on Fri May 27 21:18:49 2016 (GMT)
pax.grsecurity.net
  PaX has had MPROTECT since 2000 which is a strict superset of what OpenBSD not-reinvented-here as W^X a few years later and what Theo had called a POSIX violation (which it never was). nice to see you guys come around, better late than never ;). FWIW Apple's iOS also made this move a few years ago already and even vanilla Linux does the same with SELinux (yes, ouch but the capability is there and enforced in real life policies).

as for fixing/adapting userland, no one does it right, not even Firefox (it 'works' with OpenBSD only because its W^X doesn't actually enforce true exclusion of the W/X rights unlike MPROTECT in PaX has always done). grsecurity has had GRKERNSEC_RWXMAP_LOG for many years now to help users identify such use.

as for proper runtime code generation, it will require more surgery than simply changing mmap/mprotect flags, using dual maps and/or temporary files, etc. namely, what must be ensured is that the address space that generates the code is different from the one consuming (executing) it (not unlike how ahead-of-time compilation is done and why it's considered 'trusted'). i know of only one academic example of such an approach, SDCG for the V8 JIT engine (available on github after i had requested it back then) which is not a spring chicken either.


  Re: W^X now mandatory in OpenBSD (mod 9/131)
by Billy Larlad (69.178.115.77) (larladtech@gmail.com) on Fri May 27 21:30:21 2016 (GMT)
  This sounds great. Good work, devs! The ports team deserves a lot of credit for continually keeping ports up-to-date with OpenBSD's latest security features. A never-ending job.

  Re: W^X now mandatory in OpenBSD (mod -10/124)
by Sebastian Rother (79.247.132.99) on Sun May 29 10:21:35 2016 (GMT)
  I completely agree to this step (except of the trolls (of BOTH sides) who talk about who invented what bullshit first....

But consider: The BASE OS is capable to do what exactly?

1. run a basic Mail Server
2. run a very BASIC webserver (no *.php and so, even if SSI could get included via a CGI (thttpd as example) it comes with no native support of any way)
3. other basic Services (dhcp, ntp and co)
4. You get the point, don't you.. :)


What does it lack?

A basic mail application (well "mail" exists but I mean a Client where you can connect to an IMAP(s)/POP3(s) Server). Any kind of Browser... Well you get the point again I think....

So I (ME, the person I am.. ) consider this Change as a step ahead but the Project needs to take care of other things from Ports even if this is not included in the BASE-System! People do use Dovecot, people do use exim/sendmail... they might use another ftpd because the one in Base lacks features (like ftps?! Security "first", huhu?! Why is ftpd not in the ports anyway (it lacks "Security"..), Auth against ldap even ldapd is included.. If you found some critic here you can keep it and take care of it until it grows to some logic flaw! *sarcasm* :))


But all this needs manpower or donations!

Since manpower can get bought (you pay somebody to do XYZ) every donation counts! So get to your Boss, explain them how much you use OpenSSH or other things the Foundation supports and ask them to donate.... for example.

This is a major step ahead even if people not familiar with Security or programming simply WON'T know about the benefits! Those people won't know why/what/how something changed! They care about their Dovecot or Desktop... and now it might crash or not work anymore!

If the Project (OpenBSD) is serious about this step: You need to take care about 3rd party applications, you need manpower....

You could Co-Op with other Projects. NetBSD, Bitrig (Yeah, even Theo might not like it)... FreeBSD/DragonflyBSD.. all BSD would basically PROFIT if no application violates the new default...

They don't have to adopt the implementation OpenBSD uses but they would all profit to fix such stuff so a Co-Op might be beneficial even if this might be a "dream".


Just my considerations... :-)


Kind regards,
Sebastian Rother

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]