From owner-freebsd-security@freebsd.org Sun Jul 30 09:25:24 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2D1A7DB2D59 for ; Sun, 30 Jul 2017 09:25:24 +0000 (UTC) (envelope-from amutu@amutu.com) Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DE6366ADCB for ; Sun, 30 Jul 2017 09:25:23 +0000 (UTC) (envelope-from amutu@amutu.com) Received: by mail-oi0-x230.google.com with SMTP id a9so162922718oih.0 for ; Sun, 30 Jul 2017 02:25:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amutu-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tR/Alr1INvm040ybjOAuUOrkmsEPcZChaFHdgZC5LHA=; b=uWXo38YWiqMNhUDSMZOaBAiRV0jkE8w6NxVv0MTG3zCJPTWXoogvgHBkqwikjuvSJn HMhBxodHRukllludCiEbXxN7HyxP/9mZ1TOpaAAOh3GmPWFINBndZy4eBOeg5vIDqCb/ EqHcf7jjD4PcJUmZzoG12gnpdeymPLRDACubSnsSi/ohPBjmUE3wfSz4J2cYej9o/uYw x0Kxs3Djy3NxxOzg9oKBsWQe+W3yfpaNZhmF5xjprJvnRTcFOES0Iaev/qCCmdO0nExF a/iKWa9wtdBPw3MVW8y21vOJRkjJiYQEh1B1jFfgOBVYdRVzuO9necvUEAb9stRLtXPv bNzQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tR/Alr1INvm040ybjOAuUOrkmsEPcZChaFHdgZC5LHA=; b=VP0FXeIC12BbGG83FqhaOX87V87oPvBb8GJRWKSL9/LcMblVSiIvy2JY5JQXOnH/PZ aoLwzb7bEy+GRGk/H4qF+g0cF1k1O2KBwgCmu1/gEN0rM6xm3eA+aw3QZcNCLqbPOCkm gdkP1G7S22kk9+A5gmFD7yUohBNSsk/5VmVfkUlID1BEAbNMBjTGs9GdqiWOWgzFGEex bbBEle0j/YYLNNG2yOl3UdgOMYq/4sv29lCNU5W+Wv11hJLvlwnOAzPoUpJgQ38sTwy8 4RSGtW5Hz9YaBjK6TwQT+6TGPfUCZYrhLKHtGTFYJDEkW+pvJ8hHIuJJPe9lhG/t6xiy 1SFA== X-Gm-Message-State: AIVw113Zkwd888RAy4vuhXuErWIlJX6YVEZ2K05GmoAqUQhU2vtIBDxE TcsDfnYIG5bGrDnMfJqWLg== X-Received: by 10.202.219.198 with SMTP id s189mr12912354oig.103.1501406722858; Sun, 30 Jul 2017 02:25:22 -0700 (PDT) Received: from mail-oi0-f53.google.com (mail-oi0-f53.google.com. [209.85.218.53]) by smtp.gmail.com with ESMTPSA id c8sm7717835oia.36.2017.07.30.02.25.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 30 Jul 2017 02:25:22 -0700 (PDT) Received: by mail-oi0-f53.google.com with SMTP id x3so158352343oia.1; Sun, 30 Jul 2017 02:25:21 -0700 (PDT) X-Received: by 10.202.198.199 with SMTP id w190mr10938188oif.93.1501406721760; Sun, 30 Jul 2017 02:25:21 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.128.197 with HTTP; Sun, 30 Jul 2017 02:25:01 -0700 (PDT) In-Reply-To: <8F4BB6E0-66A3-4367-BD86-DC29F2BA3C0A@pair.com> References: <8F4BB6E0-66A3-4367-BD86-DC29F2BA3C0A@pair.com> From: Jov Date: Sun, 30 Jul 2017 17:25:01 +0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: ACK Storm protection? To: Matt Riffle Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 30 Jul 2017 09:25:24 -0000 =E2=80=8B=E2=80=8B freebsd-net@ added. After google "ack storm freebsd" I find a very old SA: https://www.freebsd.org/security/advisories/FreeBSD-SA-98%3A07.rst.asc mentions: =E2=80=8B + * In the SYN-RECEIVED state, don't send an ACK unless the + * segment we received passes the SYN-RECEIVED ACK test. > + * If it fails send a RST. This breaks the loop in the > + * "LAND" DoS attack, and also prevents an ACK storm > + * between two listening ports that have been sent forged > + * SYN segments, each with the source address of the other. > + */ > + if (tp->t_state =3D=3D TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && > + (SEQ_GT(tp->snd_una, ti->ti_ack) || > + SEQ_GT(ti->ti_ack, tp->snd_max)) ) > + goto dropwithreset;=E2=80=8B Not sure in the established state there also has ACK storm protection. 2017-07-22 2:57 GMT+08:00 Matt Riffle : > Hello, > > Starting on July 11, I=E2=80=99ve started to see an increasing number of = what > appear to be =E2=80=9CACK storms=E2=80=9D affecting a number of FreeBSD b= oxes I=E2=80=99m > administering. There are a few unsupported releases mixed in, but, this = is > also happening on boxes running 10.3-RELEASE-p3. > > In the cases we=E2=80=99re seeing, it begins with legitimate TCP traffic > requesting something over HTTP, but soon thereafter we get an out of wind= ow > packet and get in to a loop. If anybody is interested or especially if > they=E2=80=99ve experienced something similar, there are a few more detai= ls I could > share privately. > > Setting aside the cause, I=E2=80=99m interested in trying to mitigate the > problem. None of my Ubuntu boxes appear to be affected, I presume becaus= e > of these patches Google made to the kernel there: > > https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html < > https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html> > > Is there any equivalent protection for FreeBSD? In my own research I=E2= =80=99ve > been unable to find anything. In fact, beyond the message above you can= =E2=80=99t > find very much about ACK storms at all. > > Right now we=E2=80=99re mitigating with custom code that is sniffing pack= ets and > adding temporary firewall rules whenever it sees a loop start, and that= =E2=80=99s > working well enough, but, I=E2=80=99d prefer to handle it at a lower leve= l if > possible. > > Thanks, > > Matt R. > > > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g > " From owner-freebsd-security@freebsd.org Mon Jul 31 10:41:28 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 85E51DCFB51 for ; Mon, 31 Jul 2017 10:41:28 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 4EFB171D8B for ; Mon, 31 Jul 2017 10:41:27 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 7D2409E48; Mon, 31 Jul 2017 10:41:21 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 8213A48B99; Mon, 31 Jul 2017 12:41:22 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Dirk Engling Cc: freebsd-security@freebsd.org Subject: Re: DefCon lecture BSD Kern Vulns References: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> Date: Mon, 31 Jul 2017 12:41:22 +0200 In-Reply-To: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> (Dirk Engling's message of "Fri, 28 Jul 2017 14:08:50 +0200") Message-ID: <86y3r4ubvx.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2017 10:41:28 -0000 Dirk Engling writes: > have those findings officially been reported? Is someone working on > them? Speaking as a secteam member but not on behalf of so@, we are aware of these issues but did not get sufficient advance notice to fix them in time for DefCon. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Mon Jul 31 14:08:55 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2B99BDAE808 for ; Mon, 31 Jul 2017 14:08:55 +0000 (UTC) (envelope-from mikhail.krylatyh@rcntec.com) Received: from mail-lf0-x236.google.com (mail-lf0-x236.google.com [IPv6:2a00:1450:4010:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AC41F7C011 for ; Mon, 31 Jul 2017 14:08:54 +0000 (UTC) (envelope-from mikhail.krylatyh@rcntec.com) Received: by mail-lf0-x236.google.com with SMTP id y15so114116815lfd.5 for ; Mon, 31 Jul 2017 07:08:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rcntec.com; s=google; h=from:mime-version:subject:message-id:date:to; bh=OAfY1zmpPaaPw/M2ivtiqapEsgI5VLt52Rp0wQ3RBHk=; b=SX4A802XmhwzMwyG8bDbb4IJtuaxjB76Uvh4RjebmrG2FXn9p4137dQO+nkdZOleWz Ru2c8+30gFbCI6SaNA1Pjfe/nbJyDci6JvbkG3OPJZNx43CWPayak59lA7C8faL9Xvpd Nj3qcUOiyrDWzkpM+SRv7GLBNncoWGkSmhgWE2neKQryBYGr+Aeav/8omgIUEXCkEtco 0WDf/FU6+O2uqAryOMfbwhP86bovCJGfoA+nLqcYHCMbcOx/uenyvBQjI6Ii57EbdorR nmS+bXyMvMH8dRPmvyZHuKJ+XMZ0h7H8EdJ56z7qLgJKkG0m4H43CQ5qIxU97uGY06sM C+jw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=OAfY1zmpPaaPw/M2ivtiqapEsgI5VLt52Rp0wQ3RBHk=; b=Zzo2ejDatbT56afMH0vLZzihxmeiLzEiqkLIz2Rd0Vkve9R5/YZKbRd68OIL4hmVkB Yt8cT3C9sw6Jt6o8KGJ2ijE2SIccBADfDJQt80hMUoi7gV3r5b0QSZ1uHXUccESB7aw+ OLhxe3/Ksdu4ORyPHkTOsFD/rzAdJry0ckIED01Q6oByRSHwOz9npNk7d+XisxzcJRfB vUF30iiJrFgXBIdQAJG84uiRK/+TDusG5iL2O9QH3kuhSpOLsY7bN+udmrUQZpVsjrJM C1h2wmDx4E49pX31FlJ3GnJm8njhQ0AcW3PbWtl/E4xHBadHOaTbpcvTLy+m+WnA8gkS JvJQ== X-Gm-Message-State: AIVw111RDll6mXYDz7ULMRTMchHQaFPKGpbnHUwc9j30Z4ytJLrD6grR 64oicNGf+uhCaXrFSqOpow== X-Received: by 10.46.64.20 with SMTP id n20mr2381921lja.4.1501510132219; Mon, 31 Jul 2017 07:08:52 -0700 (PDT) Received: from [192.168.222.204] ([178.141.61.3]) by smtp.gmail.com with ESMTPSA id r8sm953965lff.81.2017.07.31.07.08.51 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 31 Jul 2017 07:08:51 -0700 (PDT) From: Mikhail Krylatyh Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: FreeBSD Server configuration and security compliance benchmark Message-Id: <23AAE336-5235-47BA-A931-26B51D287970@rcntec.com> Date: Mon, 31 Jul 2017 17:08:50 +0300 To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.3273) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2017 14:08:55 -0000 Hi everyone. I'm participating in development of some security-centric product, one = part of which performs compliance checks upon target server's OS. The = main purpose of this checks is to find possible misconfigurations which = are widely considered as insecure or deprecated (e.g password login by = root or use of week ciphers in sshd). As a basis of our compliances we = use recommendations of cisecurity.org = (https://www.cisecurity.org/cis-benchmarks/ = ). Unfortunately, they don't = have any valid benchmarks for currently supported versions of FreeBSD. = So is there anything similar (the one and only available benchmark is = for 4.10 - = https://drive.google.com/file/d/0B-dY8d2tWnU-b2pkczNJcURfaHM/view = ) in = a FreeBSD community? I'm no familiar with *BSD so any feedback or links = are appreciated.= From owner-freebsd-security@freebsd.org Mon Jul 31 14:48:33 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DDC59DAF641 for ; Mon, 31 Jul 2017 14:48:33 +0000 (UTC) (envelope-from michelle@sorbs.net) Received: from hades.sorbs.net (hades.sorbs.net [72.12.213.40]) by mx1.freebsd.org (Postfix) with ESMTP id C23867D308 for ; Mon, 31 Jul 2017 14:48:33 +0000 (UTC) (envelope-from michelle@sorbs.net) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=UTF-8; format=flowed Received: from isux.com (firewall.isux.com [213.165.190.213]) by hades.sorbs.net (Oracle Communications Messaging Server 7.0.5.29.0 64bit (built Jul 9 2013)) with ESMTPSA id <0OTY00850K1S5G00@hades.sorbs.net> for freebsd-security@freebsd.org; Mon, 31 Jul 2017 06:56:17 -0700 (PDT) Subject: Re: DefCon lecture BSD Kern Vulns To: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= Cc: freebsd-security@freebsd.org References: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> <86y3r4ubvx.fsf@desk.des.no> From: Michelle Sullivan Message-id: <84c3e9d0-3d44-b310-a946-96eb0c54e79d@sorbs.net> Date: Mon, 31 Jul 2017 15:48:19 +0200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 In-reply-to: <86y3r4ubvx.fsf@desk.des.no> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2017 14:48:34 -0000 Dag-Erling Smørgrav wrote: > Dirk Engling writes: >> have those findings officially been reported? Is someone working on >> them? > Speaking as a secteam member but not on behalf of so@, we are aware of > these issues but did not get sufficient advance notice to fix them in > time for DefCon. > > DES After reading the presentation a few minutes ago... I'm going to say the obvious.... He has a point. .. now to add something more helpful .. :) People should talk between, and maybe people should put security and co-operation before pride and empires... before us vs them... and I know that means its not just FreeBSD, but also NetBSD and OpenBSD people who have historically had their differences... perhaps now is the time for an olive branch? (and there is a massive 'us vs them' on IRC when it comes to OpenBSD and FreeBSD.) From a personal point of mine and on my observations I would add that Microsoft et al all went through similar issues that everyone is seeing today.. everyone wants new features, everyone wants new drivers, everyone thinks they want new releases perhaps a shift is needed in thoughts/actions when it comes to FreeBSD.... this constant push forward leaves bugs which often become security issues in old code.. 2 of the highlighted bugs in the presentation were introduced in 8.1... In the past I opened filesystem bugs against 9.x (think it was 9.2 then 9.3 for one of the bugs)... however it was never fixed (and the one I am thinking of is "panicable" one)... in fact I predicted that what would happen would be the bug would be looked at just after 9.x was EOLd completely... and it was hilarious.. 6th Jan (IIRC) the message came through, "please replicate on a supported version" ... I haven't and I haven't submitted a single bug since.... and why would I? Perhaps we should consider a change in how we manage these things, and sorry if this message p**ses off anyone (particularly those in the Security Team) because I know you all do good work, however the whole "well you should pay for our time" argument compounds the problem, it won't get any more funds in most cases, it will just p**s people off elsewhere so you end up with less eyes looking for these issues.... this is one of the things linux has gotten right.. fix bugs no matter what and regardless, new features... different matter that's on a whim of a coder. I hope this will start a constructive conversation rather than people ignoring or worse arguing. Regards, -- Michelle Sullivan http://www.mhix.org/ From owner-freebsd-security@freebsd.org Mon Jul 31 15:49:57 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 41080DB1C21 for ; Mon, 31 Jul 2017 15:49:57 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 08271801F0 for ; Mon, 31 Jul 2017 15:49:56 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 836DA91E6; Mon, 31 Jul 2017 15:49:55 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id A5D1D48BBE; Mon, 31 Jul 2017 17:49:57 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Michelle Sullivan Cc: freebsd-security@freebsd.org Subject: Re: DefCon lecture BSD Kern Vulns References: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> <86y3r4ubvx.fsf@desk.des.no> <84c3e9d0-3d44-b310-a946-96eb0c54e79d@sorbs.net> Date: Mon, 31 Jul 2017 17:49:57 +0200 In-Reply-To: <84c3e9d0-3d44-b310-a946-96eb0c54e79d@sorbs.net> (Michelle Sullivan's message of "Mon, 31 Jul 2017 15:48:19 +0200") Message-ID: <861sowy5ay.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2017 15:49:57 -0000 Michelle Sullivan writes: > People should talk between, and maybe people should put security and > co-operation before pride and empires... [...] There are decades of history here of which you are clearly unaware. Your may have the best of intentions, but nothing good will come of raising this topic here and now. Just drop it. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Mon Jul 31 15:56:31 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 37C7FDB287E for ; Mon, 31 Jul 2017 15:56:31 +0000 (UTC) (envelope-from spankthespam@gmail.com) Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BFB3681881 for ; Mon, 31 Jul 2017 15:56:30 +0000 (UTC) (envelope-from spankthespam@gmail.com) Received: by mail-qt0-x22e.google.com with SMTP id a18so92330269qta.0 for ; Mon, 31 Jul 2017 08:56:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4MLRumQEPX9b3wsIZoc9J1vCK3izOydVII54Ihn2ae0=; b=L4GIIUyb2RydCcU2JjfMHW/Pj9g2F5IjGhhp+QVEUL6gJNrW9mIn1sLrG7kkjxe3K/ 8f9LQdRa7jFWUmqODTiBTbUnejET1F9Rz8D9jn7z3Bygow5Ry0aT/iIhtuFgvQntclSu 4Uvd9rIIXgA2seAEXTph6/nRtpFgqOUzbjuOEPsg1yOV8anMWmje0HuBof0W3qly60mp JxxuBJ8cQ1hKWgzAUFWvoYSSBjJWtyllqQmuh6f+0+bwRBdjOF/KbW/5KTKWAyUaYNW0 FXm7Ux2joJaJAXcqA2+N9+ykoXpUI52unPPJx6alV/UB7n3I6awOr4FmbMcwKkdWkhHW O6NA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4MLRumQEPX9b3wsIZoc9J1vCK3izOydVII54Ihn2ae0=; b=r5d0Q6m2NXvGnKG5AwWBwZBgZQXx/Z/NXoCRJ603cb17CD9Kg/Avk6/lcK3tk9LcLE SyuKFzEiZvEZ9VkSFRe6fETpZa3+RvTlWYkQ4dsSqaJwpDJR6wkphMkZz+cDwEIvB/Lb z97aaAXFyU697QurR4REDqCPC4DiONZd6B5v24F/Sn6xqdEH4McJJuS3kgUBbwszTRcR 7vDe6t/SMDlE4oPg4ZxzwtV3ScWFbBnDkzZsdfo0ijLS1xMgbiZ3MUf02CDuACqyDgog rBN9e3jc1QVafSdwFbfOjhRYsf+J/z9GI0beE9NuSQPwfZXhk8PeLluh4KsiNgZb/vhi 7V0A== X-Gm-Message-State: AIVw111N05l2KP7/Cx0tmB1CUm5sYp4srYVMnAK5aMrNgK2Rc051Ty9c IXkwkyXVL1fGWhbP+4fyMd28JYuM9A== X-Received: by 10.237.48.65 with SMTP id 59mr23371182qte.10.1501516589743; Mon, 31 Jul 2017 08:56:29 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.48.19 with HTTP; Mon, 31 Jul 2017 08:56:29 -0700 (PDT) In-Reply-To: <861sowy5ay.fsf@desk.des.no> References: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> <86y3r4ubvx.fsf@desk.des.no> <84c3e9d0-3d44-b310-a946-96eb0c54e79d@sorbs.net> <861sowy5ay.fsf@desk.des.no> From: Big Lebowski Date: Mon, 31 Jul 2017 16:56:29 +0100 Message-ID: Subject: Re: DefCon lecture BSD Kern Vulns To: =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= Cc: Michelle Sullivan , freebsd-security Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2017 15:56:31 -0000 > > There are decades of history here of which you are clearly unaware. > Your may have the best of intentions, but nothing good will come of > raising this topic here and now. Just drop it. > > DES > Des, please, stop doing that. You're greatest example of cant-be-done about almost anything anyone asks for on this list. Michelle, please, don't stop. Keep talking, keep asking, and maybe one day a new breed of people who don't care about cant-be-done or 'decades of history' will get things done. BL. From owner-freebsd-security@freebsd.org Mon Jul 31 16:20:01 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1DD59DB322A for ; Mon, 31 Jul 2017 16:20:01 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id D8A4582575 for ; Mon, 31 Jul 2017 16:20:00 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id A79F092C5; Mon, 31 Jul 2017 16:19:59 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 55C6848BC4; Mon, 31 Jul 2017 18:20:03 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Big Lebowski Cc: freebsd-security , Michelle Sullivan Subject: Re: DefCon lecture BSD Kern Vulns References: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> <86y3r4ubvx.fsf@desk.des.no> <84c3e9d0-3d44-b310-a946-96eb0c54e79d@sorbs.net> <861sowy5ay.fsf@desk.des.no> Date: Mon, 31 Jul 2017 18:20:03 +0200 In-Reply-To: (Big Lebowski's message of "Mon, 31 Jul 2017 16:56:29 +0100") Message-ID: <867eyoshn0.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2017 16:20:01 -0000 Big Lebowski writes: > Dag-Erling Sm=C3=B8rgrav writes: > > There are decades of history here of which you are clearly unaware. > > You may have the best of intentions, but nothing good will come of > > raising this topic here and now. Just drop it. > Des, please, stop doing that. You're greatest example of cant-be-done > about almost anything anyone asks for on this list. > > Michelle, please, don't stop. Keep talking, keep asking, and maybe one > day a new breed of people who don't care about cant-be-done or > 'decades of history' will get things done. No. You truly have no idea. You're pouring gasoline on a fire and inadvertantly insulting everyone involved. Come see me at a con and we can discuss it over a beer. But not here. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Mon Jul 31 16:23:05 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27F66DB353F for ; Mon, 31 Jul 2017 16:23:05 +0000 (UTC) (envelope-from michelle@sorbs.net) Received: from hades.sorbs.net (hades.sorbs.net [72.12.213.40]) by mx1.freebsd.org (Postfix) with ESMTP id 0C85A82A79 for ; Mon, 31 Jul 2017 16:23:04 +0000 (UTC) (envelope-from michelle@sorbs.net) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=UTF-8; format=flowed Received: from isux.com (firewall.isux.com [213.165.190.213]) by hades.sorbs.net (Oracle Communications Messaging Server 7.0.5.29.0 64bit (built Jul 9 2013)) with ESMTPSA id <0OTY0085ZR7I5G00@hades.sorbs.net> for freebsd-security@freebsd.org; Mon, 31 Jul 2017 09:30:56 -0700 (PDT) Subject: Re: DefCon lecture BSD Kern Vulns To: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= Cc: freebsd-security@freebsd.org References: <26de0aed-8151-6105-188f-ad0c6c6cf8b8@erdgeist.org> <86y3r4ubvx.fsf@desk.des.no> <84c3e9d0-3d44-b310-a946-96eb0c54e79d@sorbs.net> <861sowy5ay.fsf@desk.des.no> From: Michelle Sullivan Message-id: <644048d0-b9cb-606b-814d-fb68fe657bf9@sorbs.net> Date: Mon, 31 Jul 2017 18:22:55 +0200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 In-reply-to: <861sowy5ay.fsf@desk.des.no> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2017 16:23:05 -0000 Dag-Erling Smørgrav wrote: > Michelle Sullivan writes: >> People should talk between, and maybe people should put security and >> co-operation before pride and empires... [...] > There are decades of history here of which you are clearly unaware. > Your may have the best of intentions, but nothing good will come of > raising this topic here and now. Just drop it. > > DES I know some (though definitely not all) of the histor, I've been around a long while... but it was worth a comment/try... sooner or later someone has to try again. -- Michelle Sullivan http://www.mhix.org/ From owner-freebsd-security@freebsd.org Thu Aug 3 15:35:09 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C9049DC3C0A for ; Thu, 3 Aug 2017 15:35:09 +0000 (UTC) (envelope-from 0xsyed@gmail.com) Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9023683023 for ; Thu, 3 Aug 2017 15:35:09 +0000 (UTC) (envelope-from 0xsyed@gmail.com) Received: by mail-oi0-x230.google.com with SMTP id d71so16134641oih.0 for ; Thu, 03 Aug 2017 08:35:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=1kzzkDP9Bv357iHuSxNLfAxYkadjjj/WHU1b+V8O5So=; b=kkdBsVz8/uorCxXSrd1QwvwfNQ8FyQrIY5cBvc7CIIBrXVtsEhWxxhCilxw2FKoKoS DGzvhHlkOFXuX9UnDOIBz/P4sG4kniAd7r3iWtONSyAjEZFZ//aoJ3ot3+akbwUkJiSI Iwy98Arw7gwFddVQXtOO+U/Sq4VEYkw4WPapxtPEy/NGKps6nBgxxwefoU9e7qkL72bj FxF7vHg1gwqTVcjE064xNIIQh4wisaWKZkF90PvW9E6eAQDGawAMvnbiXs1ceTB7FDC5 OQ2kVgF0R9gDxERXMkCAMW8ShELz2ekVh0T5jlcrLubUXRktNmbuLExhM5d87KYX9nuQ Y+5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=1kzzkDP9Bv357iHuSxNLfAxYkadjjj/WHU1b+V8O5So=; b=McVQk3P40pjnfT4njLqvu5mLtZIkEDbKA7EttU6bkKB7C5gCEf2bK2QA8ZGX9FZzOB 6XHZvF/sG6EQpsy3twWNHv41+bzP6BjT9RcTXILTBZTCoXE2RVC7/nMfMTlZ0IqN6yYN 7YCRzaPZeh+CIkjRHVsNPP0F1HdNhl9jApd6MNXPt5O+0/+q7uZZqAy+QqEG47gTkjcK Brs9FphXBipbe1dKhixw1Ty9VMLCPWxfQfSJv828gsa/L3cfYuyUxjC3Id7bMcI52cZW dRaMcUKDdSmrrgEN6sP50GpZnuYE7YXHQLXCRbxmST9OwhHIQL1Q75d5ELmUKw1lMRJp 5tGw== X-Gm-Message-State: AIVw111pICpTWNATSatDI+VqKoLdBeBHcfp5QJgvVmnBR1qCq97S4624 O9x4B6ov1oh6nkMC5TDKwSYgy7AgWrqs X-Received: by 10.202.188.196 with SMTP id m187mr1760871oif.91.1501774507763; Thu, 03 Aug 2017 08:35:07 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.61.138 with HTTP; Thu, 3 Aug 2017 08:35:07 -0700 (PDT) From: syed khalid <0xsyed@gmail.com> Date: Thu, 3 Aug 2017 21:05:07 +0530 Message-ID: Subject: SEGVGUARD in freeBSD To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Aug 2017 15:35:09 -0000 Hello All, I would like to configure SEGVGUARD for few critical applications in FreeBSD10 . Is is available natively in FreeBSD10 ? If so you could anyone help me in enabling/configuring SEGVGUARD -- *Thanks & Regards* *Syed Khalid M* From owner-freebsd-security@freebsd.org Thu Aug 3 15:48:43 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6B4FADC4CB3 for ; Thu, 3 Aug 2017 15:48:43 +0000 (UTC) (envelope-from johannes@perceivon.net) Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E14CA83CFC for ; Thu, 3 Aug 2017 15:48:42 +0000 (UTC) (envelope-from johannes@perceivon.net) Received: by mail-lf0-x22d.google.com with SMTP id g25so7843460lfh.1 for ; Thu, 03 Aug 2017 08:48:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=perceivon-net.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to; bh=RYMUo3krQBJ+GRstRA4GdtM2q/LPUrJVjPVgy73TvU8=; b=RMWZlQf6f5yoxJbgQa0RH8hcVgZyhevKnXcgBpRdWJImemtqNCiuevZcv4+o9nu0kl uH2B0cghlHQKaEj/NZSpgvksiXHXoucbOv0dNfAV3ti7jGLYAGFux9+/R0F+mFc2u3ql Cay/RcmllYpPW5d99u9uFuU9Pu7r34n4+RdCxSlyPKv69vnVftHcAfrtyB2vZ3KOVkiK 6jG+m9xd7C1A/TRrOyIKC7yfVoRDjy8nAFaj2iJGVm/1ikTZcYLCELa9XS9fH15K9qzm CA34KRfmdRtm09LD2vyJehWlyPvmlEW/xC7KTbTzsQdA0iiMoPjuf8RD1i4D73W392M5 j2ng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to; bh=RYMUo3krQBJ+GRstRA4GdtM2q/LPUrJVjPVgy73TvU8=; b=f5eOrrcpchfwKuQfNvCM7cLK2pqeA9BgBGHbaaYDggN2RCkqvq4In3Uy2p/XVM7m1B BhuiU7rXps3C5myOyZ7mTEoCj6VqIckSXI0DdrTHBCjKSyjsN+3VFkCmITfAfo+PxBbV 6fZpjcdz03P29ixdQfaEEh2WGFFfxLrOq2E1shSkRQOdsO9n454QnPzehSk4V+tpW8nJ yEP/oTIm1KJatBl+OrDiA3mJ65E8PmCX0UdJ9LsEaH2tVOEjO2t8sx8VKnjYibvhOwoq BbYbOR6ZmmguPmCtN2lTOgoPRJn0U8oHb6PIkCFPPCbXJRZ2RehMgzaTDkjhloOs9M6d Ft+A== X-Gm-Message-State: AIVw113IpOcadoNf2BYN43Ns/YgXyU5R/J340PLQ1xmp7ik2pNUMYJ4G O1jmLD4c2t+VFDL2rJn6tMutmGwP8MY67FU3g7CxRHcAvrSP/SVWdJ4zu1x6YZrEOIQHoDJz1gA xc95bFOpTAjLh6LgsaXea9QjhuwKAroOt+vYGe2pedKwdfJbME8dh2WldQ4NXLzH5hKY= X-Received: by 10.46.64.73 with SMTP id n70mr1011906lja.120.1501775319811; Thu, 03 Aug 2017 08:48:39 -0700 (PDT) Received: from mx16 (101.177.50.84.sta.estpak.ee. [84.50.177.101]) by smtp.gmail.com with ESMTPSA id 193sm458689ljj.30.2017.08.03.08.48.39 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 03 Aug 2017 08:48:39 -0700 (PDT) Received: from [127.0.0.1] (localhost [127.0.0.1]) by mx16 (OpenSMTPD) with ESMTP id d654b0d4; Thu, 3 Aug 2017 18:48:20 +0300 (EEST) Subject: Re: SEGVGUARD in freeBSD To: syed khalid <0xsyed@gmail.com>, freebsd-security@freebsd.org References: Cc: Shawn Webb From: Johannes Jost Meixner Organization: Perceivon Hosting Inc. Message-ID: Date: Thu, 3 Aug 2017 18:48:18 +0300 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="DSe51FL9j3rWGlcAwvTbN9Dd4A32RqW0D" X-Mailman-Approved-At: Thu, 03 Aug 2017 15:53:28 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Aug 2017 15:48:43 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --DSe51FL9j3rWGlcAwvTbN9Dd4A32RqW0D Content-Type: multipart/mixed; boundary="8TB6eJ5SUvAXE5QUKAL8fs2o0CeSLw4nE"; protected-headers="v1" From: Johannes Jost Meixner To: syed khalid <0xsyed@gmail.com>, freebsd-security@freebsd.org Cc: Shawn Webb Message-ID: Subject: Re: SEGVGUARD in freeBSD References: In-Reply-To: --8TB6eJ5SUvAXE5QUKAL8fs2o0CeSLw4nE Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable You'll want to checkout HardenedBSD[1], especially the 10-STABLE builds [= 2]. [1] https://www.hardenedbsd.org [2] http://jenkins.hardenedbsd.org/builds/HardenedBSD-10-STABLE-amd64-LATEST/= Best regards, Johannes Meixner Perceivon O=C3=9C Pikk 7-17 10123 Tallinn tel: +372 5855 1779 web: http://www.perceivon.net On 08/03/2017 18:35, syed khalid wrote: > Hello All, >=20 > I would like to configure SEGVGUARD for few critical applications in > FreeBSD10 . Is is available natively in FreeBSD10 ? >=20 > If so you could anyone help me in enabling/configuring SEGVGUARD >=20 --8TB6eJ5SUvAXE5QUKAL8fs2o0CeSLw4nE-- --DSe51FL9j3rWGlcAwvTbN9Dd4A32RqW0D Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwY8kko8dNupPoLLvSWqdcGJQ1AIFAlmDRcMACgkQSWqdcGJQ 1AJRZhAAuOYkd7nx39QBrqSzvKmPFHJwWviLR1L0L5qxZ3unfDw8u29QnIRScuWf TZvNmZtJa9+dBL3ceShRw6UJs2M/qwskQvSYueQvMhK3yHXtTbobYKbGBpwn14Db OMNQjAeSQ4ZlOCwgMZS6hXPnFEiZWKUdiNDFwAhicJuHjm/VmfzLpdBRi+5QZxU3 HNuGq1e6AOMlo9RtV1xoEzi3150vQ6jrmBnDZLit5I8lEZeE4usepMiU7jM+wfHc mA/SIKM1mV423Oe2c8ZUAgyaXIWyr7mMl6APYiD+VKi6ejq2dgmU3b7u7a1jPJbj 1gD7TUFcVyEak2HRRDw2QaGLMo9BTMwg/llDrKHp+wbVXx9JwUtFAVeCHvuM2DhU CW6Au54zV1kl8bMMGJu737PqraMGDEsV4MmNxM1X69teQNiJGao7qIz+On8ELV8Q +C+/NFI3Mrv17mz29wWAFeO4FeJYbYZnQMk+e3FfZHaEKuBA0APIQWe5vhKJLOQ/ Xq9olkuSuUH36C4X5FO1dHu+olAUDeslt/aghHlg2OBaFRWlYmRMSw9jfQPHqZRo Zy6yrfbPAxWMTISo+bja4pdoOccRCEvbIglJSAEVIepA4/T2bJ5gqoxwMl1BS/xE M9+DDCWmKK1Fq9awHJ06t+ZuJML7pzAiHjPnz7t0aJUpNsRFpVw= =PuKO -----END PGP SIGNATURE----- --DSe51FL9j3rWGlcAwvTbN9Dd4A32RqW0D-- From owner-freebsd-security@freebsd.org Thu Aug 3 15:58:11 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2F984DC5521 for ; Thu, 3 Aug 2017 15:58:11 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D822884317 for ; Thu, 3 Aug 2017 15:58:10 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-qt0-x230.google.com with SMTP id p3so10119392qtg.2 for ; Thu, 03 Aug 2017 08:58:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=qOQXa37DZ44sRQxH8u3tZt788iWm3//keyxKU1DkSvY=; b=Zv0L/G6CJetndKizVzIQbEQmyOsMdUcDHv17L/+fHqbMVFMBeQztlwsNOfDZ8To844 MWDQwjB6I8T9gcl87BvlOsu3o4YUKRBpgBz7hGiq4yeRQWZPTVsAN+DJy39baPEL7WbO 8VMsVI6H5YGZkvkKEuiNDcLKtM1SqFBY6AETWQnm4N2jVKYMXuSF2v5GESIokqud/ouK jz16YD3hd6OtIZ9hl1hDaUajRA0ME9mzoTs9hsZTopmEZ0LDhtZLsoTkZDfLMvf6zpBE 8RlUhDCGIJbffb2ADFFO6uwEPGZmQZwP82nt6guYQD6XwrjwVdQwZVQHf+qy661U/zkl MUTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=qOQXa37DZ44sRQxH8u3tZt788iWm3//keyxKU1DkSvY=; b=JeagXgfjcKVC25fvHya2wcwSTqKKEyaNLR3tAdWiQ+Kk89kVz7XWA7Qid6EPNZ8hKC rixAYcpxO/lvsTdzzwMcPh7xemdLE4Xh1occ/yUbVAxRvCgbq8L1YUbW8Ral/kIi0Coc NhQkCgPvJmT3b1rFs9/jyHkoofCZd7b4rE1PK4RoxXqz2MCC/rEeifkFckGB3Sza9V8t d+TNFPFe9fPi+ZGSibkhmggP5Q/6Gllf85kjlugcKzaRtSKBqCajqkMLns9X4K6I6NS4 QIV6HZg+sn9Z6ZmNINpOBe0IJy9EgGac+dIIQg1T6vVQOa+Cmld41K2LqveBpmfwC/Aw 2P6g== X-Gm-Message-State: AHYfb5gLEzWlyJnUrJhxV1B9xpfZXu1oECWuqS5DxWUK2PKfTJ8Rpm6E xtzE5T4lyRmllik9 X-Received: by 10.200.56.216 with SMTP id g24mr2766069qtc.83.1501775889549; Thu, 03 Aug 2017 08:58:09 -0700 (PDT) Received: from mutt-hbsd ([63.88.83.66]) by smtp.gmail.com with ESMTPSA id q17sm27709926qkh.53.2017.08.03.08.58.08 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 03 Aug 2017 08:58:08 -0700 (PDT) Date: Thu, 3 Aug 2017 11:58:08 -0400 From: Shawn Webb To: syed khalid <0xsyed@gmail.com> Cc: freebsd-security@freebsd.org Subject: Re: SEGVGUARD in freeBSD Message-ID: <20170803155808.snwnyj7ducdjopgo@mutt-hbsd> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="vzkq7xwvurw24jd6" Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: NeoMutt/20170714 (1.8.3) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Aug 2017 15:58:11 -0000 --vzkq7xwvurw24jd6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 03, 2017 at 09:05:07PM +0530, syed khalid wrote: > Hello All, >=20 > I would like to configure SEGVGUARD for few critical applications in > FreeBSD10 . Is is available natively in FreeBSD10 ? >=20 > If so you could anyone help me in enabling/configuring SEGVGUARD Hey Syed, FreeBSD does not support SEGVGUARD at the moment. Thanks, --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --vzkq7xwvurw24jd6 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAlmDSA0ACgkQaoRlj1JF bu4l+g/9EoMJr0LafX3NM87EbZpAQvmjzJCRM98W9Fq7Rkco3yf+No4G5JJFcBOs ZJMWLxXWkz9wZ3rH7pRINIjYNin7eUM4gOn1RWE8OgVCPSNzKeWyI9bqL7VCzejA PORsYT6iEOXsXN/tnEEpQYTmsD7gvvewDOXoqy57w7+S5CuUz5g2Ge56WhTlKTbB Bmfv7CaXkixE/heL53+ew81kEHAPZb5Ix3zfvttZstoa4c2mbD0C0GAGAkME+q7Q lryFNi0Upnjx7HmBVRoR5/qp253vqw+52WsJ3Ibie9Kx+N6GDKfJlCANXLLNV3sv 1nPdSIqKiWmya/iaTtYjM8OtyGdih+4Ay7FMucgEGvEnmTIi3CX5Ct59nafuxphI 2hiD0dfZgEMGD5ee/QyeqlTga5Yt6LQ8RuAtk59XOVqpjG8VtI2TDyYeITIKJLkh G4TINZAYDoBAY+iZkqwEnx7CEa1eoUVIBv/AxyQcjEkOxr+KTucwFC+iWYSabC6z SKLZPwKTukD8Mtpgfw4JWCuoYwRZ+luqScy3FOfWCr6cUcu9i+OyYSudqqU0cWh6 7nWfXaHL5eta7TQ+28YjooYK7ewK3q3ZrUWj8wCtlP8ROBQ6B+mtMzGoG7Mlbbgl s7qC8NN4l3oXAV3MeTBZcCCycJIMObk7FTWBXUKm+omXrjZsQsY= =P94M -----END PGP SIGNATURE----- --vzkq7xwvurw24jd6-- From owner-freebsd-security@freebsd.org Fri Aug 4 11:45:52 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F1FD1DD502F for ; Fri, 4 Aug 2017 11:45:52 +0000 (UTC) (envelope-from 0xsyed@gmail.com) Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B54E664F06 for ; Fri, 4 Aug 2017 11:45:52 +0000 (UTC) (envelope-from 0xsyed@gmail.com) Received: by mail-oi0-x22d.google.com with SMTP id e124so12610994oig.2 for ; Fri, 04 Aug 2017 04:45:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+obuFkfK15E8Khyth82LiO2NuwbIMjuop+demFqfSPg=; b=rJFloMUbH4yfpSAMisvkHYAj0s/p6MRU7+CRUPu2O8mf1so6QYpi2BtjPg6F8kF79U LkdimOwC9TUCzL9IbLkhgcJJ5ZyqPSQNpOqK6oIlILrqQa9I0uJVhIESHGkM3iMNg6WA 1aekUZI9PQ1hsR1BGBG9fM4bcva3NlURGX1GxaCRTXJVlZniQtpSuwWJfznMr+y4/EfU sPuTZ2tmE8i9zQoN4RgY/bzebHsgJ34tfxZ6IZfNPKhMOPsHHICPscc9EhgQlt0ORiBy n8eL8xOrkMbQsEU9vb7Q1Sw/89lM8kthkkFrEX7G5UMNSUjj9Nh2ddCFLUq9oIPVZKpU LxEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+obuFkfK15E8Khyth82LiO2NuwbIMjuop+demFqfSPg=; b=rJf5LxsEGKnLijfRQpBV9IDD/xlGG2J3EqFUCqbaePBw1EBGjfUznYQKW6qTG0F5H9 V2hokVGdvhPt8sUWoES900lNgxOCmUL9V2br6O2tkZv3TH3XeVJN+g94EnafAeKPYqK0 ll7ybr1lieZe6QXYAGA1JRZHGtjO8J/eQUrEC+o1UqOo3Wk1Nhf6YuXcdPnVpo0pAa11 1kAtetAhraQ4mcxwdzYVl89Vx83tcxkPoG03NLJfLtklZNKXuj3lp/4Cfb3bUFUDBvPB +6ZTkwjmmOxIblsdiR0j+dZudNas2xMDcFE75yLmS6efccdnZrAlQ95EVotn5udpTv81 330w== X-Gm-Message-State: AHYfb5iGIfg2I6hF5Rpd57eFHO2ztFJc3vq8ou2sZbkXFE0pdcQT3Vgf OGjkGx1mOF7/Vr2XkjL6Xeg1zdHo3xGQ X-Received: by 10.202.182.11 with SMTP id g11mr1891161oif.60.1501847151794; Fri, 04 Aug 2017 04:45:51 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.61.138 with HTTP; Fri, 4 Aug 2017 04:45:51 -0700 (PDT) In-Reply-To: References: From: syed khalid <0xsyed@gmail.com> Date: Fri, 4 Aug 2017 17:15:51 +0530 Message-ID: Subject: Re: SEGVGUARD in freeBSD To: Johannes Jost Meixner , shawn.webb@hardenedbsd.org Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Aug 2017 11:45:53 -0000 Hello Johannes/Shawn, Thanks for the information. I would like to experiment SEGVGUARD and I would like to monitor the performance of the kernel in the context of SEGVGUARD enabled for a single application. How do i enable or configure the SEGVGUARD service in HardenedBSD? Regards, Syed On Thu, Aug 3, 2017 at 9:18 PM, Johannes Jost Meixner < johannes@perceivon.net> wrote: > You'll want to checkout HardenedBSD[1], especially the 10-STABLE builds > [2]. > > > [1] https://www.hardenedbsd.org > [2] > http://jenkins.hardenedbsd.org/builds/HardenedBSD-10-STABLE-amd64-LATEST/ > > > > Best regards, > > Johannes Meixner > > > Perceivon O=C3=9C > Pikk 7-17 > 10123 Tallinn > > tel: +372 5855 1779 > web: http://www.perceivon.net > > On 08/03/2017 18:35, syed khalid wrote: > > Hello All, > > > > I would like to configure SEGVGUARD for few critical applications in > > FreeBSD10 . Is is available natively in FreeBSD10 ? > > > > If so you could anyone help me in enabling/configuring SEGVGUARD > > > > --=20 *Thanks & Regards* *Syed Khalid M* *Mobile No:+91-8148910714* From owner-freebsd-security@freebsd.org Fri Aug 4 12:46:49 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1C7FFDD7B51 for ; Fri, 4 Aug 2017 12:46:49 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-qt0-x234.google.com (mail-qt0-x234.google.com [IPv6:2607:f8b0:400d:c0d::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C6C1566B07 for ; Fri, 4 Aug 2017 12:46:48 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-qt0-x234.google.com with SMTP id p3so8369561qtg.2 for ; Fri, 04 Aug 2017 05:46:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=lToThBjapditnGQy2COUikf2oPEj/tgUigx1c4m0lu0=; b=i07cMhgIhi7LVoTT9FsS91ugWVL1p36Bsmw07arxqSZnm4h0ozIm8+VfvDrkppAjRa uT1ATXhmyiTAktkVlJDpTTnTwgnXHDY0pX94kiG0iqk8HC1LIxDufHl0Cd4GGN8YkYUl 50O2LQ/ckeT4UUsw7de7lKy275vQTjOiopbrpuT2nTNseng4iLmpBVZ3qC5ONCe0rI0v EEodEwUur0IXBsV52L2u9nKmEGYrSETsEWHV8daelecz3crcuAWpybpBdiRRAwKdvXcG tu24wYAvdmG9hhs5MtN9a8cO/yTYWR5NoB/mbbmVnDwyICfdmNpVWhnYdXJmfr4joTRp aPWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=lToThBjapditnGQy2COUikf2oPEj/tgUigx1c4m0lu0=; b=nRFmIgH3NvdrfrgfMedRUhBfsLsWPcEkCZr76yKrvcaeX8YN5PuapG9B4+Xssj28qL WscAQ9wNU86kNc7w/0paWE/IOjI+TXMHd4tzwS172BK0WaVf67KotxOPu3NYUVppygFY CesNhMqT/ZQKxoeztiE63YXxYJNCp37dZZ8rM7nK6Vdvro81/egwJPkH2JBJ3pSO4OI+ gzKwvmW3uCSYwAXtagDf4CSFDNQDRAQeS02STiLftUP7SuY2nLTAlVXtxAQcsZWY7vhP 1iue5XOd57R2Fjlgjjj3GtMJwAjgOE2BuJZmK5yuwHUjIJo7RArMhpThacADSkPlTrME MgFw== X-Gm-Message-State: AHYfb5jNIAb43pKJPhSZY3DTSdizi8QZjvoY1Ew3UxqoakFuV0nYDMRm GtPrr3wmGfPYBGUdMltiXw== X-Received: by 10.200.41.166 with SMTP id 35mr3029841qts.141.1501850807603; Fri, 04 Aug 2017 05:46:47 -0700 (PDT) Received: from mutt-hbsd ([63.88.83.66]) by smtp.gmail.com with ESMTPSA id i79sm955874qke.3.2017.08.04.05.46.46 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 04 Aug 2017 05:46:46 -0700 (PDT) Date: Fri, 4 Aug 2017 08:46:46 -0400 From: Shawn Webb To: syed khalid <0xsyed@gmail.com> Cc: Johannes Jost Meixner , freebsd-security@freebsd.org Subject: Re: SEGVGUARD in freeBSD Message-ID: <20170804124646.xxu74ibdm73ut354@mutt-hbsd> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="yvgxhhunstx5whka" Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: NeoMutt/20170714 (1.8.3) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Aug 2017 12:46:49 -0000 --yvgxhhunstx5whka Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable After booting HardenedBSD, set hardening.pax.segvguard.status=3D2. No configuration is necessary. Thanks, Shawn On Fri, Aug 04, 2017 at 05:15:51PM +0530, syed khalid wrote: > Hello Johannes/Shawn, >=20 > Thanks for the information. I would like to experiment SEGVGUARD and I > would like to monitor the performance of the kernel in the context of > SEGVGUARD enabled for a single application. How do i enable or configure > the SEGVGUARD service in HardenedBSD? >=20 > Regards, > Syed >=20 > On Thu, Aug 3, 2017 at 9:18 PM, Johannes Jost Meixner < > johannes@perceivon.net> wrote: >=20 > > You'll want to checkout HardenedBSD[1], especially the 10-STABLE builds > > [2]. > > > > > > [1] https://www.hardenedbsd.org > > [2] > > http://jenkins.hardenedbsd.org/builds/HardenedBSD-10-STABLE-amd64-LATES= T/ > > > > > > > > Best regards, > > > > Johannes Meixner > > > > > > Perceivon O?? > > Pikk 7-17 > > 10123 Tallinn > > > > tel: +372 5855 1779 > > web: http://www.perceivon.net > > > > On 08/03/2017 18:35, syed khalid wrote: > > > Hello All, > > > > > > I would like to configure SEGVGUARD for few critical applications in > > > FreeBSD10 . Is is available natively in FreeBSD10 ? > > > > > > If so you could anyone help me in enabling/configuring SEGVGUARD > > > > > > > >=20 >=20 > --=20 > *Thanks & Regards* > *Syed Khalid M* > *Mobile No:+91-8148910714* --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --yvgxhhunstx5whka Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAlmEbLMACgkQaoRlj1JF bu5/JRAAhaGlaNF2t7m0tB65bVK7FWlCqXO+UROLUeoj0eS6I6H77BG9LE0s91sf gmpDmdFX/Lzh7ipEi8DEGt0l/8U8/vBbsybPS6UgZX4s6pVkWoK4z/c68jCybZb7 I/k9faohxwEWLZpbZVSUG0i8qAkLxazp8tePR0an3zt5ssQL+mqD+WxEqU+vG4SP NbD2jPh7vSV3MY/MLJV06VzISUxNeubQX8bJ26FMGtuhgHU+uFHIrb+qqZdyf0ye qSZ8mR+/nQ06FCuR4X7Puy6IJFmSS4IFrp1Qp/3kb8nlADVkTFCU3b7zL3qHmTfN F4wEsvkvn1/Jp3yku/c6g6XREbLue5IkBuQdqQC6RF2a/msl4MoaI4Iyuokf2pV2 Q1Fr7oeLD110nt8AZl/S50LZBcm6tLAIcmkM+LYWiaRS84DlCeH6vZeM0faNqkXZ QCiJInYKpiaDK3nTBUQCd2Amj7GGmdQgAbktwBOk4DjMRXjyqwAluD942Xe4g0Ll CRhke62QNtc7Qlq3lGQoK6FJ+GDRiGj5j9veLrn+NtTaoOgn/cfVCwdBamyrxZjp 5mNVPxZA8dxL5JdxCBYCzQGUWptbQKrKrFE27b5XqVRd+qxxwYR7K9fhHZ3wt7vj tUNk01FdYdv9mxnH4QNQEKIyFvoeW/1TXVCGmpVdAqYueoR32mI= =0D26 -----END PGP SIGNATURE----- --yvgxhhunstx5whka-- From owner-freebsd-security@freebsd.org Fri Aug 4 12:48:04 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1D419DD7CDA for ; Fri, 4 Aug 2017 12:48:04 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C56FE66C72 for ; Fri, 4 Aug 2017 12:48:03 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-qk0-x22c.google.com with SMTP id d136so8269841qkg.3 for ; Fri, 04 Aug 2017 05:48:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=XbJU25/YH3SKJKPlsg6sqhQnQQfCnKbIDGyQJuF4PKw=; b=ph4l8UrcsYXj0Y8+qXuF3t5bCq9ga0ltxSNoVDXMU9umFbc6XNxZTG/9R4MgxN/LSC +U7Fkvmzfx2lZ6ISjAFciCUyyi6D3G1l0dfRCivmGuYg+uXR+1irUcuu+P9uzP5VNvBe e25bz9PS7duuLrkp2wqGZNNKhHbM92/tA0FiMatgmWB/oWiB3WZ7+XNiLzdnoy8eT9xW 4ZHCC0QUJyyRQo7jHVGy9Z1M1N5WnE1eluC7HMX53+9aHedzawveeGQJuKQCUxTH8u5Z ryjAmFRaSixb3/vTLO8PPVqGYwmxFk4+8VSL5GcmCnlc0h4LFJotmPcpvn9Nygpyllqs PRsg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=XbJU25/YH3SKJKPlsg6sqhQnQQfCnKbIDGyQJuF4PKw=; b=isxPqEPhD7JxjWHW6zffo1sBc+zGsfBrVJBpmbUVKfuXXaD5AVwwKmzSABruTpCXwg SzTXghtrv/JHTtCcptZwL+ILl/jar3PYzrWtlBB1zcrHVfYIMhVnHc+H+FYkwQ1Z2A60 ujhhA4x+WXEeOQyHjD3fpv8i63pNdx1+SUrffxPE3Hr2NXyt/OxAwYCUzTtnADQwRuXo oYEAG1kQc+NvNyJ3fRaSObxyqbFjNjyaw8LyfkJETvGpzay2hHSSP+1I7iyX2GCgFQft jOJ7x6yPYMOdnGmYEvsEdGpLYlV/JnZ5JYflJ1Wkdj5fuXDE2h7CaYSEx8jmzKTmIg+o AD3Q== X-Gm-Message-State: AHYfb5hO8NmIh5CS3g3gAMfJfqsNwsMv+Xej2+UFlbEF3bvURwbL+DgU zQ9DBjdfYxB6sXLT X-Received: by 10.55.41.85 with SMTP id p82mr2607492qkh.292.1501850882835; Fri, 04 Aug 2017 05:48:02 -0700 (PDT) Received: from mutt-hbsd ([63.88.83.66]) by smtp.gmail.com with ESMTPSA id i8sm969646qtb.40.2017.08.04.05.48.02 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 04 Aug 2017 05:48:02 -0700 (PDT) Date: Fri, 4 Aug 2017 08:48:01 -0400 From: Shawn Webb To: syed khalid <0xsyed@gmail.com> Cc: Johannes Jost Meixner , freebsd-security@freebsd.org Subject: Re: SEGVGUARD in freeBSD Message-ID: <20170804124801.u6wpk47zfl5yl7ba@mutt-hbsd> References: <20170804124646.xxu74ibdm73ut354@mutt-hbsd> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="4lpkcj4nbapfejla" Content-Disposition: inline In-Reply-To: <20170804124646.xxu74ibdm73ut354@mutt-hbsd> X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: NeoMutt/20170714 (1.8.3) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Aug 2017 12:48:04 -0000 --4lpkcj4nbapfejla Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I forgot to mention that hardening.pax.segvguard.status is a sysctl node. To set it: sysctl hardening.pax.segvguard.status=3D2 Or in /etc/sysctl.conf: hardening.pax.segvguard.status=3D2 Thanks, Shawn On Fri, Aug 04, 2017 at 08:46:46AM -0400, Shawn Webb wrote: > After booting HardenedBSD, set hardening.pax.segvguard.status=3D2. No > configuration is necessary. >=20 > Thanks, >=20 > Shawn >=20 > On Fri, Aug 04, 2017 at 05:15:51PM +0530, syed khalid wrote: > > Hello Johannes/Shawn, > >=20 > > Thanks for the information. I would like to experiment SEGVGUARD and I > > would like to monitor the performance of the kernel in the context of > > SEGVGUARD enabled for a single application. How do i enable or configure > > the SEGVGUARD service in HardenedBSD? > >=20 > > Regards, > > Syed > >=20 > > On Thu, Aug 3, 2017 at 9:18 PM, Johannes Jost Meixner < > > johannes@perceivon.net> wrote: > >=20 > > > You'll want to checkout HardenedBSD[1], especially the 10-STABLE buil= ds > > > [2]. > > > > > > > > > [1] https://www.hardenedbsd.org > > > [2] > > > http://jenkins.hardenedbsd.org/builds/HardenedBSD-10-STABLE-amd64-LAT= EST/ > > > > > > > > > > > > Best regards, > > > > > > Johannes Meixner > > > > > > > > > Perceivon O?? > > > Pikk 7-17 > > > 10123 Tallinn > > > > > > tel: +372 5855 1779 > > > web: http://www.perceivon.net > > > > > > On 08/03/2017 18:35, syed khalid wrote: > > > > Hello All, > > > > > > > > I would like to configure SEGVGUARD for few critical applications in > > > > FreeBSD10 . Is is available natively in FreeBSD10 ? > > > > > > > > If so you could anyone help me in enabling/configuring SEGVGUARD > > > > > > > > > > > >=20 > >=20 > > --=20 > > *Thanks & Regards* > > *Syed Khalid M* > > *Mobile No:+91-8148910714* >=20 > --=20 > Shawn Webb > Cofounder and Security Engineer > HardenedBSD >=20 > GPG Key ID: 0x6A84658F52456EEE > GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --4lpkcj4nbapfejla Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAlmEbQAACgkQaoRlj1JF bu4mKg//U8yn06ZmFR67aK7qEeTyUZCo1Ty3EZg2xjenmVqEjl7Tl9IYRRplbHFr kQ+QcyxtFRxvu9sRwZ9hoLSkBUiq2rKnuOBrmo84vsvG/ZDIgedfpICcO5TBus/g 8VhVhpdi584FHRRbcmZyE2lDxA9aEo0t+8r901iflpxlI5LDFaORI2R4Uu/oTfHW 5yRKKGIc3G0+/+EVfYZyUDBr8Ppl8wZnNC1b0oo7NuC8WYOLdCeVGM+FP3Wl8NM2 SytXQZND56fhKSa2HK8/wzcrD+WMWQEw+MQh6/LPGeazGjldHXTRqfWf7ljCD1uV xydL37yTFbMGWPvE0JFs0sDKkUfcJcYUmljg75G6UXPvvxGzuT07VwE/WFNB+GDX U/n3AFBrqw4mMmowfuN0yfpmygLu+WAMzx0843xfMgvHxrIT0Q9R/bNoe6EWRZvp fOhBulSjDc86ISYYLed47G+jV6worFcMQjPeaglj1y6O0fYr6tRm7uGOGGBk3+MC uFdYALC+tpCmjJbLZF6/7R3XOpP3kfUjttN3mmPsvgc1AwxGgk2t28tuLXINodVm Y8fiqsYNQojv23XmuTRiLHCwRLmT4eiGOw4ZwWB/16dwPn8+uaihYYLtTok88eyD zNcgZlmgXWomF8dp2dkrwWAHgNE1q4w/Zjs0CUku66L9A2qVJDs= =WNl6 -----END PGP SIGNATURE----- --4lpkcj4nbapfejla-- From owner-freebsd-security@freebsd.org Sat Aug 5 11:26:40 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5CCB6DCF8E1 for ; Sat, 5 Aug 2017 11:26:40 +0000 (UTC) (envelope-from spankthespam@gmail.com) Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1CC03714F9 for ; Sat, 5 Aug 2017 11:26:39 +0000 (UTC) (envelope-from spankthespam@gmail.com) Received: by mail-qt0-x22e.google.com with SMTP id a18so21175850qta.0 for ; Sat, 05 Aug 2017 04:26:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZZMFNbMRgxc2y9mRRYlCA/qGcP9u/muy4X6qzpcebkg=; b=PGyP4w5sRUez02kg69Nwqi0tLJl9ZQLU1s33V3NLWQ1//MNC8oYFUueEbYtgh6L22C g1xoYzhSyjE7vu0iS/EcP17HjSnJEy9yiGuVZM887yTrKLCSUHChFtIUTusFxsz8rqX0 28R/N+11jl+zKx5afHCNlJlRIc6LmcknvaZoZ0MfSDPKERUr5teMZz+16cIBRynG110i tYSVJeSU+Nm2o8NoMUP9FWZcssmneF6TQfjmTenQrKr+lQRjKnFB4vCBvESUZI/aNIcF Swoo1aOAFWwwEsrD75N0cKrASzQvfth7ldYLahLXjfPCRzKkF1UpUfYrZw1kL6eiUIAO Mo+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZZMFNbMRgxc2y9mRRYlCA/qGcP9u/muy4X6qzpcebkg=; b=NT5FusbxgzYkvpN0Y35ujIXwyu8IzCsh2jXPBy4eG4FGCkJNc7lA4zFQeBhhEcMeV3 sZWuEs43vO3tHRO3gktUo++rac3KlMC4xqHQegwsoW/yo/BNKAA54nhz7HCe9ec4x7Ws bwVP2LcobfcRIdnsAo2uJUBrkKq0N2hmE05lrOf0AVQggJ56lPVnLsgjMyrKkKMySWVe WaVV2P2OcFEidFZCSkazJFlCzY6wQKASjNcBv/r+VbV4vL278IUChQi4nZ9+hmJ0XmyW /gTHdsmMruvtq6JXEvGC6OfpSeiFkk/NxlX2ULRQjhfuw4LgOBmntW3cGUuClXoXgdqq ju6Q== X-Gm-Message-State: AHYfb5hNhTGSK774b3V+EVBNR363u88rlOqf9xOrNtakEIwPXrwis3O9 Ol1XKq9fWzaElzu/jOQB3xZa9HoYrA== X-Received: by 10.237.48.65 with SMTP id 59mr7509956qte.10.1501932398890; Sat, 05 Aug 2017 04:26:38 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.48.19 with HTTP; Sat, 5 Aug 2017 04:26:37 -0700 (PDT) In-Reply-To: <20170804124801.u6wpk47zfl5yl7ba@mutt-hbsd> References: <20170804124646.xxu74ibdm73ut354@mutt-hbsd> <20170804124801.u6wpk47zfl5yl7ba@mutt-hbsd> From: Big Lebowski Date: Sat, 5 Aug 2017 12:26:37 +0100 Message-ID: Subject: Re: SEGVGUARD in freeBSD To: Shawn Webb Cc: syed khalid <0xsyed@gmail.com>, freebsd-security , Johannes Jost Meixner Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Aug 2017 11:26:40 -0000 It does sound like a discussion better suited for HardenedBSD mailing lists, don't you think? ;) Regards, BL On Fri, Aug 4, 2017 at 1:48 PM, Shawn Webb wrote: > I forgot to mention that hardening.pax.segvguard.status is a sysctl > node. To set it: > > sysctl hardening.pax.segvguard.status=2 > > Or in /etc/sysctl.conf: > > hardening.pax.segvguard.status=2 > > Thanks, > > Shawn > > On Fri, Aug 04, 2017 at 08:46:46AM -0400, Shawn Webb wrote: > > After booting HardenedBSD, set hardening.pax.segvguard.status=2. No > > configuration is necessary. > > > > Thanks, > > > > Shawn > > > > On Fri, Aug 04, 2017 at 05:15:51PM +0530, syed khalid wrote: > > > Hello Johannes/Shawn, > > > > > > Thanks for the information. I would like to experiment SEGVGUARD and I > > > would like to monitor the performance of the kernel in the context of > > > SEGVGUARD enabled for a single application. How do i enable or > configure > > > the SEGVGUARD service in HardenedBSD? > > > > > > Regards, > > > Syed > > > > > > On Thu, Aug 3, 2017 at 9:18 PM, Johannes Jost Meixner < > > > johannes@perceivon.net> wrote: > > > > > > > You'll want to checkout HardenedBSD[1], especially the 10-STABLE > builds > > > > [2]. > > > > > > > > > > > > [1] https://www.hardenedbsd.org > > > > [2] > > > > http://jenkins.hardenedbsd.org/builds/HardenedBSD-10- > STABLE-amd64-LATEST/ > > > > > > > > > > > > > > > > Best regards, > > > > > > > > Johannes Meixner > > > > > > > > > > > > Perceivon O?? > > > > Pikk 7-17 > > > > 10123 Tallinn > > > > > > > > tel: +372 5855 1779 > > > > web: http://www.perceivon.net > > > > > > > > On 08/03/2017 18:35, syed khalid wrote: > > > > > Hello All, > > > > > > > > > > I would like to configure SEGVGUARD for few critical applications > in > > > > > FreeBSD10 . Is is available natively in FreeBSD10 ? > > > > > > > > > > If so you could anyone help me in enabling/configuring SEGVGUARD > > > > > > > > > > > > > > > > > > > > > > -- > > > *Thanks & Regards* > > > *Syed Khalid M* > > > *Mobile No:+91-8148910714* > > > > -- > > Shawn Webb > > Cofounder and Security Engineer > > HardenedBSD > > > > GPG Key ID: 0x6A84658F52456EEE > > GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE > > > > -- > Shawn Webb > Cofounder and Security Engineer > HardenedBSD > > GPG Key ID: 0x6A84658F52456EEE > GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE >