Monday, 29 September 2014

EuroBSDCon 2014, arc4random and co ...

Hi folks,

As expected, the last EuroBSDCon 2014 in Bulgaria this last week end provided enough very good talks. I could not attend but followed the livestreams (during the multiple compilations of my various FreeBSD instances :-)), mostly OpenBSD and FreeBSD ones, plus few NetBSD. I paid attention especially to Ted Unangst talk, Theo de Raadt one as well. The latter was about arc4random mostly. It raised then two needs in FreeBSD. Making arc4random from userspace, fork safe then also using ChaCha 20 algorithm instead of the actual RC4.

For the first point, it exists different opinions to address proper reseeding in a fork basis. Indeed a fork should not share any random data from the parent process. The actual strategy is using getpid() call which some people think (me included) is working but not solid enough without mentioning of the cost of this call. Also using pthread_atfork which needs -pthread flag then. The last one, which get inspiration from OpenBSD is using MAP_INHERIT_ZERO flag to guarantee zero'd memory mappings for the fork. This is the one, some guys and I think, is the best. It is actually in discussion between us, HardenedBSD guys and FreeBSD's experts, we'll see what will come up ;-) So The user part is nearly done, just started the kernel counterpart where I had already replaced the RC4 by the ChaCha 20 calls then also I use current timestamp to put some data very early, right after read_random (might be useful if read_random does not return any data) ... Still needs work to do for sure and above all needs to be reviewed also by crypto experts ;-)

For last, I of course watched Shawn Webb talk which was great (he had even a short word about me, was surprised :-)), even Ilya Bakulin was able to fix the ARM issue, very nice !

Labels: , , , , , ,

View David Carlier's profile on LinkedIn

Thursday, 25 September 2014

Bugs, bugs, bugs ...

Hi folks,

I m awaiting the great talk Shawn Webb will give this week end, I ll watch it once available for sure.
Meanwhile, things evolve smoothly for HardenedBSD, some FreeBSD are looking at it with interest, Oliver works hard to make Pax features better. In my side, I am still taking care of bugs in my own branch, some will be pushed upstream (one is already anyway ...), while I deal with more and more FreeBSD commiters, even more generally with other BSD people as well. I particularly like productive exchanges like this instead of making "flamewars" to each other.
There is no point and this is not interesting at all ;-)
This is quite good to get known with people I knew only via articles and such :-)

For last I wanted particularly thank Sean Bruno and Pedro Giffuni for their efforts.

Labels: , , ,

View David Carlier's profile on LinkedIn

Thursday, 18 September 2014

EuroBSDcon and other things

Hi folks,

The EuroBSDcon 2014 is very close now and will bring many interesting topics like running NetBSD  as rump kernel, the LLDB debugger as first class stuff and so on ... Ah also, Shawn will talk about HardenedBSD the 28th :-)

Meanwhile Oliver is planning to implement various PAX features and other things. In my side,  I still work both on userlandenhanced and ptrace stuff. Apart of that I plan to test Hadoop with FreeBSD's fuse implementation and as the API version is quite old (only 2.7 while Linux is 2.9.3), I'll see if I can update it myself :-) never worked on Filesystems topic before but why not after all.

Labels: , , , ,

View David Carlier's profile on LinkedIn

Monday, 15 September 2014

HardenedBSD slight updates

Hi folks,

I am still a new bee in FreeBSD development, Oliver and Shawn still give me good advices to do things better. Still thanks to them ;-). Somehow was able to make progress in the userlandenhanced branch, made the necessary strtonum optimisation (first time I touch something in the libc, although strtonum is not standard ... Around 5% of performance gain, the important thing is to avoid breaking reentrancy and such ...), hence uses it in more utilities instead of the legacy atoi. Also I was trying to solve some bugs (like segfault with BSDgrep, I hope Gabor will be happy with it :-)).

Apart of this branch, all of these are available too with all other amazing features from Shawn and Oliver in the unstable branch.

Labels: , ,

View David Carlier's profile on LinkedIn

Friday, 12 September 2014

HardenedBSD updates

Hi folks,

Shawn is willing to work on a ugidfw replacement : secfw which will work with json-c (I used it for my company a while ago and it works very fine). Meanwhile, Oliver wants to extends FS-XATTR for
PAX_XATTR_PAX_FLAGS support. Anyway I thank them for their patience ;-)

In my side, just created the "modestly" named userlandenhanced new branch which provides various small fixes/updates from our own or if we think grabbing code from DragonflyBSD and such might be useful to integrate (recently I updated systat to provide ALTQ informations display).

So I ll switch between pure kernel development and this branch for next.

Labels: , ,

View David Carlier's profile on LinkedIn

Wednesday, 10 September 2014

HardenedBSD again

Hi folks,

While Shawn and Oliver are working hard to make automatic builds fully workable (as mentioned here), I have just finished my long week end of coding to improve the ptrace branch. Now all request flags (for example hardening.ptrace.flag.trace_me) can de enabled/disabled atomically (or all at once via sysctl hardening.ptrace.flag_all) at will. Everything is on the unstable branch.

For now I m going to help them to fix some issues and will surely come back on it for adding more features.

More things are coming but will be known in due time ;-)

Labels: , ,

View David Carlier's profile on LinkedIn

Monday, 8 September 2014

HardenedBSD, some examples

Hi folks,

For testing ASLR, I just wrote this very basic example :

#include <mtld/devatlas.h>

using namespace Mobi::Mtld;

int
main(int argc, char *argv[])
{
Da::DeviceAtlas *da = new Da::DeviceAtlas();

printf("Address of da ptr %p\n", da);

delete da;
return (0);

}


Compiled without fPIE and aslr disabled (sysctl hardening.pax.aslr.status=0).
clang++ -I/usr/local/include -L/usr/local/lib -ldevatlas -lcommon -o da-test-aslr da-test-aslr.cc
So each time it is called, it should be the same address all the time.
For example

./da-test-aslr
Address of da ptr 0x802417000
./da-test-aslr
Address of da ptr 0x802417000
...

Now let's enable ASLR and compile with PIE flag
clang++ -I/usr/local/include -L/usr/local/lib -fPIE -ldevatlas -lcommon -o da-test-aslr da-test-aslr.cc

./da-test-aslr
Address of da ptr 0x887017000
./da-test-aslr
Address of da ptr 0x86bc17000
...

Another topic ...
With the ptrace hardening feature, it is possible to allow only root and possibly via PTRACE_HARDENING_GRP kernel option enabled to allow only one specific gid to perform any kind of ptrace call. It is also possible to set ugidfw utility with ptracehdflags to disable ptrace hardening for a specific binary for example.

ugidfw add subject uid dcarlier object filesys /usr/bin/top mode rx ptracehdflags a


Labels: , ,

View David Carlier's profile on LinkedIn

Sunday, 7 September 2014

HardenedBSD, SEGVGUARD and other friends

Hi folks,

Again about HardenedBSD, that starts small but smoothly, we got an article on Phoronix recently which is quite nice to be honest as this website is more for Linux topics. Also I got few but usually positive feedbacks when I talk about it ...

Also recently the SEGVGUARD branch was well updated (this feature is to avoid to get attacked via malicious segmentation faults usage).

In my part, after a long night to code MAC extended support for my PTRACE hardening branch (which allows to disable/enable hardening on a particular executable for example with the new ptracehdflags ...) + I applied also the DragonflyBSD's patch for taking care of SYSRET privilege escalation issue (Matt Dillon is really an hard worker ...), I am now responsible for the whole "ptrace" topic, I ll implement for next finer grained control over this.

All of these features provide this new sysctl tree :

security.pax.aslr.*
security.pax.segvguard.*
security.ptrace.hardening.*

But that a good chance it ll change soon in more consistent way ...

Small update :

Now the sysctl tree is under the root hardening oid just created by oliver :

hardening.pax.aslr.*
hardening.pax.segvguard.*
hardening.ptrace.*

Also just added some logging in case the ptrace call is not authorised.

Labels: , , , , , ,

View David Carlier's profile on LinkedIn

Wednesday, 3 September 2014

Hardened BSD, ASLR + PIE, and so forth ...

Hi folks,

What happened to me recently it s basically "a dream comes true" ... kind of.
Indeed, Shawn Webb (and Oliver Pinter), the men behind Hardened BSD (which is originally to bring proper ASLR support on FreeBSD), wrote me that :

"
Hey David,

Oliver and I would like to add you as a direct contributor to the
HardenedBSD project. We've looked over your pull requests and have been
impressed with your code. Would you like to become an official developer
for the project?

Thanks,
"

Even after nearly 14 years of experience, I was quite shaked by those words, coming from an important person. I extended the goal of HardenedBSD by also providing security fixes in the base userland and he trusted me since the beginning. So I m thankful for his generosity, I won't forget ;-).
It existed before some unofficial ASLR projects but as you can easily mess up things, I did not trust much. But when I first heard about Shawn's work I said to myself "Yes he got it right!", then I saw his interview I was convinced ...

So for next, I m trying to provide optional hardening ptrace calls and will see what will come next.
As it is quite time consuming, I ll probably give much less time to some other projects but this is life !

Labels: , , , ,

View David Carlier's profile on LinkedIn