
This commit adds a basic infrastructure to support Address Space Randomization (ASR). In a nutshell, using the already imported ASR LLVM pass, multiple versions can be generated for the same system service, each with a randomized, different address space layout. Combined with the magic instrumentation for state transfer, a system service can be live updated into another ASR-randomized version at runtime, thus providing live rerandomization.

Since MINIX3 is not yet capable of running LLVM linker passes, the ASR-randomized service binaries have to be pregenerated during cross-compilation. These pregenerated binaries can then be cycled through at runtime. This patch provides the basic proof-of-concept infrastructure for both these parts.

In order to support pregeneration, the clientctl host script has been extended with a "buildasr" command. It is to be used after building the entire system with bitcode and magic support, and will produce a given number of ASR-randomized versions of all system services. These services are placed in /usr/service/asr in the image that is generated as the final step by the "buildasr" command.

In order to support runtime updating, a new update_asr(8) command has been added to MINIX3. This command attempts to live-update the running system services into their next ASR-randomized versions. For now, this command is not run automatically, and thus must be invoked manually.

Technical notes:

- For various reasons, magic instrumentation is x86-only for now, and ASR functionality is therefore to be used on x86 only as well.
- The ASR-randomized binaries are placed in numbered subdirectories so as not to have to change their actual program names, which are assumed to be static in various places (system.conf, procfs).
- The root partition is typically too small to contain all the produced binaries, which is why we introduce /usr/service. There is a symlink from /service/asr to /usr/service/asr for no other reason than to let userland continue to assume that all services are reachable through /service.
- The ASR count field (r_asr_count/ASRcount) maintained by RS is not used within RS in any way; it is only passed through procfs to userland in order to allow update_asr(8) to keep track of which version is currently loaded without having to maintain its own state.
- Ideally, pre-instrumentation linking of a service would remove all its randomized versions. Currently, the user is assumed not to perform ASR instrumentation and then recompile system services without performing ASR instrumentation again, as the randomized binaries included in the image would then be stale. This aspect has to be improved later.
- Various other issues are flagged in the comments of the various parts of this patch.

Change-Id: I093ad57f31c18305591f64b2d491272288aa0937
52 lines
1.5 KiB
Groff
.Dd September 7, 2015
.Dt UPDATE_ASR 8
.Os
.Sh NAME
.Nm update_asr
.Nd perform ASR rerandomization on system services
.Sh SYNOPSIS
.Nm
.Op Fl v
.Op Ar labels
.Sh DESCRIPTION
The
.Nm
utility performs one cycle of system service live
ASR (Address Space Randomization) rerandomization.
By default, the utility will attempt to update all system services.
If a space-separated list of service
.Ar labels
is given, only those services are updated.
.Pp
Updates require the presence of at least two precreated ASR binaries for the
service: the original service binary, and at least one rerandomized ASR binary
for the service.
The update consists of selecting the next on-disk ASR binary for the service,
and performing a live update from the current service into the selected new
version.
The selection takes place in a round-robin fashion, so once the script has
gone through all rerandomized ASR binaries, it will revert to the original
service binary, and then continue with the first rerandomized ASR binary
again, and so on.
.Pp
The following options are available:
.Bl -tag -width Ds
.It Fl v
Enable verbose mode.
.El
.Sh SEE ALSO
.Xr service 8
.Sh AUTHORS
The
.Nm
utility was written by
.An David van Moolenbroek
.Aq david@minix3.org .
.Sh BUGS
Failures are silently ignored.
Some failures are expected, since not all services are necessarily quiescent
and therefore ready to be updated.
.Pp
As of writing, no infrastructure exists to perform ASR updates automatically,
and no infrastructure exists to create new rerandomized binaries at runtime.