Wednesday, 29 October 2014

Another Microkernel based OS ... with DeviceAtlas

Hi folks,

As usual, the ... unusual can get my attention. So this time, it is Minix 3 (the 3.3.0, but tested previously 3.2,0 which, apparently, did not have shared library linkage support ...), which is a quite small smart Unix OS. But this one is a Micro kernel based one and it is exactly one of the reasons it is interested me in first place. So if it is a micro kernel, not surprising, that the kernel itself does not have million of lines of code but only something like 9000 ... Also, the userland is NetBSD compatible, they gave up on GGC suite; then now it is the couple LLVM/Clang.

So after charging the two Device Atlas C++ API on this VM, everything was compiled in a few seconds (Remember it is NetBSD compatible so Carrier Identification is compilable directly). Very good ! All work as expected (apache module included...), did not get the issue I had with 3.2.0 version.

Althought I would not use Minix 3 as my daily OS (alright ... its first target is the embedded world...), it is somehow an interesting and worthy one, its educational "roots" should not make you think it is a very poor Unix like (it is SMP capable, has ASLR even in the kernel part ...).

Labels: , , , , ,

View David Carlier's profile on LinkedIn

Friday, 17 October 2014

PIC my PIE

Hi folks,

Quite a lot of events happen since the last time. some awesome features mostly done by Shawn and Oliver like a mprotect protection which blocks a memory area to be set as executable if, it in first place, it was not set this way. An official Intel SMAP support was added lately. In my side, what I mentioned previously, arc4random (kernel and userland) updates (chacha 20 + minherit new flag INHERIT_ZERO) then adding getentropy syscall are done and merged. Plus, at the moment, I continue the work started by Shawn about the integration of PIC (Position Independant Code) on some libraries and PIE (Position Independant Executable) in a subset of binaries (let's say the most popular attack targets) ... for a start, rather than to apply it widely. The discussion about it started already on arch@ and it goes not badly ... The hope is, for sure, to push it upstream. Few of my under/overflow fixes on base were pushed (like sysctl) for last ...

As many of my fellows, I eat my own "dog food", hence I have a guenine laptop which runs HardenedBSD (and not only in a VM ;-)) daily, ... was important, for example, to test arc4random (used for so many things like creating processes id ...) widely by provoking many events ... compiling ... launching various daemons etc etc ... during hours.

Apart of pure technical topics, Shawn was able to desposit HardenedBSD and it is mentioned in FreeBSD Quaterly report ... Once ASLR is pushed upstream other security features would be as well ... Nice ! it is getting concrete :-)

For next, some features and fixes are planned. Plus a little something in my side ... hopefully ;-)

Labels: , , , , ,

View David Carlier's profile on LinkedIn