Date: Wed, 9 Mar 2016 16:39:37 +0000 From: Big Lebowski <spankthespam@gmail.com> To: Shawn Webb <shawn.webb@hardenedbsd.org> Cc: Piotr Kubaj <pkubaj@anongoth.pl>, freebsd-security <freebsd-security@freebsd.org> Subject: Re: Will 11.0-RELEASE include ASLR? Message-ID: <CAHcXP%2BdPOu4mgOCrjWx61JaQUQCW47VALQVmh_T_P=DMuZyNDw@mail.gmail.com> In-Reply-To: <20160309162210.GA42303@mutt-hardenedbsd> References: <56E02D95.9020303@anongoth.pl> <CAHcXP%2Bc%2B-PYkn4C8TyGf6Jropot3zsJAiDZFrBvmeT7595fqPA@mail.gmail.com> <20160309162210.GA42303@mutt-hardenedbsd>
next in thread | previous in thread | raw e-mail | index | archive | help
Shawn, Please, note, that I said, these are the things I've heard, and there should be people able to answer those better. As such, you should consider them to be opinion, not pure facts. On Wed, Mar 9, 2016 at 4:22 PM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > (Responding inline) > > On Wed, Mar 09, 2016 at 04:05:12PM +0000, Big Lebowski wrote: > > Hi Piotr, > > > > There are people who can probably answer it better, but until they do, I > > can share what I've heard about it: on the FreeBSD side there are few > > things that stop ASLR implementation: > > > > - there's no actual agreement between the influencial developers on > wether > > ASLR is viable or needed in first place > > Some FreeBSD developers think ASLR would be a good addition and others > don't. We at HardenedBSD believe that ASLR provides a great foundation > for further exploit mitigation technologies. We don't hold the belief > that ASLR is the "end-all-be-all" of security as some would like you to > believe. > That's pretty much what I wanted to say. > > > - there was no planning or discussion how to implement ALSR in FreeBSD, > > Shawn simply started writing the code, and some developers would like to > > discuss and plan things first > > Discussions took place over a period of over two years. I was very > cooperative. If you take a look at the two reviews on FreeBSD's > Phabricator instance (linked to below), you'll notice that there's a lot > of back-and-forth discussion. > Discussing patches and designing a feature such as ASLR is not exactly the same thing. In the spirit of this, some developers would expect some form of academical approach, a whitepaper, and so on, not the reviews discussion, and that's what lacking in their opinion. > > > - there are doubts expressed in the code reviews about code quality and > > compliance to FreeBSD standards. Some developers dedicated their time to > > review the code and provide feedback, there were few cycles of rewrite, > > review, rinse, repeat, but if you'd look into the reviews, Shawn closed > > them, and I understand they'd only be considered for inclusion if they'd > > meet the code quality standards expected > > Initial patches did not meet code quality standards. However, those > style(9) violations were fixed early on. > > Even though the patches on Phabricator are closed, they can still be > looked at for independent review. However, the code is now old and does > not reflect the current implementation in HardenedBSD. > > We closed the reviews so that we could focus on making HardenedBSD > great, not because of the lack of code quality. > > I'm not sure whether the patches would be considered for inclusion. > That's up to FreeBSD to decide. Given that the last patch went months > without any input from FreeBSD--input that was promised to be delivered. > I dont know C and I am not a security expert, however, the code quality was questioned by people who I respect for their achievement in security, operating systems and C knowledge, and I can simply rely what I've heard: that there are doubts, some people even mentioned actual bugs, so its not all about style(9). Yet again, not something I can verify myself, only something I've heard and can share. The lack of input is directly caused by my first two points: lack of agreement that FreeBSD needs it, and lack of academical style on how FreeBSD would like to implement it. > > > > > As a side note, one person saying 'ASLR implementation is finished' and > > proper ASLR implementation that's properly tested, functional and not in > > fact opening other security issues are two vastly different things, that > > should be approached very carefully. > > Does "being tested over the period of three or so years through many > full package builds, production deployments, and dogfooding" not mean > "properly tested?" What does "properly tested" mean to you? > > The developers at HardenedBSD make it a point to run HardenedBSD on all > their hardware--even laptops. > > HardenedBSD has been available for over two years, so it can be tested > by anyone who downloads it and runs tests themselves. If there's a test > you'd like me to run, please let me know. > Sorry, but I completely disagree here. I dont know the actual numbers, but I can safely assume that HardenedBSD user numbers are way smaller than FreeBSD, and thus, I would say that amount of dogfooding over so short period of time (since ASLR is considered to be completed by you) is nowhere close for my taste, to consider it production ready. Moreover, do you have any tests results available? Do you have a complete automated test suite exposed somwhere? Have you done static code analysis? Have you used fuzzers or any similar tools? Dont get me wrong, I highly appreciate your work in that area, however, I would like to see more complete, thorough and cautios approach to such complicated thing as computer security. Cheers, BL > > Thanks, > > Shawn > > Original Phabricator review: https://reviews.freebsd.org/D473 (warning: > huge load time since this review spans around two years). > > New Phabricator review for a smaller prereq patch: > https://reviews.freebsd.org/D3565 > > Thanks, > > Shawn > > > > > Cheers, > > BL > > > > On Wed, Mar 9, 2016 at 2:05 PM, Piotr Kubaj <pkubaj@anongoth.pl> wrote: > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA256 > > > > > > Shawn Webb has recently announced that ASLR is complete on HardenedBSD. > > > There are patches ready for FreeBSD to use and it's ready to be shipped > > > in FreeBSD. However, for some reason FreeBSD developers do not want to > > > ship ASLR in FreeBSD. Why can't it be included at least as non-default > > > src.conf option and marked as experimental? > > > > > > FreeBSD is the only OS that matters that doesn't have ASLR. > > > -----BEGIN PGP SIGNATURE----- > > > Version: GnuPG v2 > > > > > > iQIcBAEBCAAGBQJW4C2QAAoJEHpZm4Ugg5yd2MoQAMPZ+UxbpTo9YvJz6YYB8wtH > > > tRw3jQMUb4K6s26IO1mp/K6p+DM+HXcVvamO2cxjRKseQy/oLBGizgfR1ktBqdXQ > > > xuqQJc5BCSdKgTsBs0IvNQghvUQkEyvYi+wn9EY9qJh6oEguAkcAWUhl5rGN2FhM > > > Gwf9VDoPAR+n9Pjl6brcqyQvWczfDx9+VFpF0joeiI5PRRMF1UUsTYM/OHvtVoQA > > > n1f8qNppIdprjwUjWE/BX6POaDhs4ZZKJRaFmbCuYudDPpX7P1yj7CHz/xthjMYG > > > 325NnCJpN81fwCmcgvDFU3BYkEC9JSkBoA+5oDdRU3MALsJNQ10rz+IhAaeAsCMb > > > oz7Oy0Gykeic60NLuMZlhOfl79XW666T1B9wOWlkrAlBPCY6v2kz6t/oJbHHGQOf > > > CCBuhQJCdzdqyTnv0Bx4ZXiiecwhjvxaAPCwgppnxf2qLuBgxr9BsswMVp7wgYfM > > > 2sfxk0pS0RuV5M2qWN9UATOyOiO5aPsC4f+WUzUM0LC6MbuHVDJu3QaUo7F3b3Ic > > > KX150B3gWtsGlZZs8N9mIM3Aj/O5E496JHEf6zmlz6ssLuE6gIO8ICqpFSaXzkJC > > > IWzgIVdL88gK6niVg7KCOAuzVZ1sxcx7cBCtGzAhVy9RhYKqwAtN9T2YOBC75cQW > > > OdRGf2V3trcK664nKgEA > > > =lM/6 > > > -----END PGP SIGNATURE----- > > > _______________________________________________ > > > freebsd-security@freebsd.org mailing list > > > https://lists.freebsd.org/mailman/listinfo/freebsd-security > > > To unsubscribe, send any mail to " > freebsd-security-unsubscribe@freebsd.org > > > " > > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to " > freebsd-security-unsubscribe@freebsd.org" > > -- > Shawn Webb > HardenedBSD > > GPG Key ID: 0x6A84658F52456EEE > GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHcXP%2BdPOu4mgOCrjWx61JaQUQCW47VALQVmh_T_P=DMuZyNDw>