From owner-freebsd-security@FreeBSD.ORG Thu Sep 12 17:40:21 2013
From: My Email
Subject: Re: FreeBSD Transient Memory problem?
Date: Thu, 12 Sep 2013 07:40:17 -1000
To: Julian Elischer
Cc: "freebsd-security@FreeBSD.org"
Message-Id: <26028E42-5FB6-43EF-A70E-7A531711BC65@gmail.com>
In-Reply-To: <5231D461.5050504@freebsd.org>
List-Id: "Security issues [members-only posting]"

I hear ya, except they (the team) have successfully played the fallacy of 'shifting the burden of proof' to our management. I've argued that to them already but they refuse to put the burden of proof back on the inspection team. ...So now it's up to me to prove FreeBSD does not have this issue when it should be up to them to prove FreeBSD does.

I kinda figured it was not a battle that I'm supposed to win, since the problem they've presented cannot be proven true or false without more info. The only info I have is what was posted in the forums though.

Will update if new details unfold.

JW

On Sep 12, 2013, at 4:49 AM, Julian Elischer wrote:

> On 9/12/13 8:15 AM, Jonathon Wright wrote:
>> All,
>>
>> I have posted this question (username-scryptkiddy) in the forums:
>> http://forums.freebsd.org/showthread.php?t=41875
>> but was suggested to bring it here to the mailing list for discussion.
>>
>> Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We were
>> inspected by a security team and they had issues with FreeBSD's memory
>> management.
>>
>> Namely the transient memory and object reuse areas of FreeBSD. They claimed
>> that FreeBSD did not have a Common Criteria (EAL1-4) evaluation completed,
>> and therefore was vulnerable to the Transient memory problem.
>>
>> Our higher ups need some sort of documentation / testing that can be used
>> to counter this, since changing Operating Systems is not something we have
>> time / manpower to do, but might have to based on this supposed 'finding'.
>>
>> The post has all the details. Let me know if I need to repost in this as well.
>
> Pretty much all they've proved to me is that they have no idea of what they are talking about.
> You need to ask them for a better description of the problem as so far all you've
> seen is about a hundred computer science professionals rolling around on the floor
> laughing when you showed them the paragraph from the report..
>
> and you can quote me on that one.
>
>> JW
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
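Added example, not part of the thread above and not FreeBSD project code: a small userland probe of the property that an "object reuse" / "transient memory" finding is normally about, namely whether memory the kernel hands to a process can still contain data left behind by an earlier user of the same physical pages. The thread never defines the inspection team's term, so that reading is an assumption. The probe writes a marker into anonymous memory (in the same process and, separately, in a child that then exits), maps fresh memory of the same size and scans it for the marker. Both FreeBSD's and Linux's mmap(2) document anonymous mappings as zero-filled, so the expected count is 0. The function and marker names are this example's own. A third function shows the contrast a reviewer should keep in mind: free()/malloc() recycling inside one process is the C library's business, not the kernel's, and will often return the old bytes without that being an OS object-reuse flaw.

```c
/* Added example: probe for kernel-level object reuse of anonymous memory.
 * Build on FreeBSD or Linux:  cc -O0 -Wall -o objreuse objreuse.c
 * Function and marker names are this example's own, not from the thread. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANON on glibc in strict modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Marker written by the "previous owner" of the memory. */
#define MARKER 0xDEADBEEFCAFEF00DULL

/* Count 8-byte words in [p, p+len) that still equal MARKER. */
static size_t count_marker(const uint64_t *p, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len / sizeof(uint64_t); i++)
        if (p[i] == MARKER)
            n++;
    return n;
}

static uint64_t *map_anon(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    return p == MAP_FAILED ? NULL : (uint64_t *)p;
}

/* Same-process round trip: fill a mapping with MARKER, unmap it, map the
 * same amount again and report how many MARKER words are visible.  A
 * correct kernel zero-fills anonymous pages, so the answer must be 0 no
 * matter which physical pages were recycled.  Returns (size_t)-1 on error. */
size_t marker_words_after_remap(size_t len)
{
    uint64_t *p = map_anon(len);
    if (p == NULL)
        return (size_t)-1;
    for (size_t i = 0; i < len / sizeof(uint64_t); i++)
        p[i] = MARKER;
    munmap(p, len);

    if ((p = map_anon(len)) == NULL)
        return (size_t)-1;
    size_t n = count_marker(p, len);
    munmap(p, len);
    return n;
}

/* Cross-process variant: a child fills 'len' bytes with MARKER and exits,
 * handing its pages back to the kernel; the parent then maps 'len' bytes
 * and scans them.  Expected result is again 0.  Returns (size_t)-1 on error. */
size_t marker_words_after_child_exit(size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return (size_t)-1;
    if (pid == 0) {
        uint64_t *c = map_anon(len);
        if (c == NULL)
            _exit(1);
        for (size_t i = 0; i < len / sizeof(uint64_t); i++)
            c[i] = MARKER;
        _exit(0);            /* pages are released when the child exits */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        return (size_t)-1;

    uint64_t *p = map_anon(len);
    if (p == NULL)
        return (size_t)-1;
    size_t n = count_marker(p, len);
    munmap(p, len);
    return n;
}

/* Contrast: memory recycled by malloc() inside one process is libc's
 * business, not the kernel's, and may well still hold the old bytes.
 * Returns 1 if the marker survived a free()/malloc() round trip, else 0. */
int marker_survives_malloc_reuse(size_t len)
{
    uint64_t *p = malloc(len);
    if (p == NULL)
        return 0;
    for (size_t i = 0; i < len / sizeof(uint64_t); i++)
        p[i] = MARKER;
    free(p);
    if ((p = malloc(len)) == NULL)
        return 0;
    int survived = count_marker(p, len) > 0;
    free(p);
    return survived;
}

int main(void)
{
    size_t len = (size_t)8 << 20;   /* 8 MiB of anonymous memory */
    printf("marker words after remap:      %zu\n", marker_words_after_remap(len));
    printf("marker words after child exit: %zu\n", marker_words_after_child_exit(len));
    printf("marker survives malloc reuse:  %d\n", marker_survives_malloc_reuse(4096));
    return 0;
}
```

A zero count is evidence that anonymous pages are zeroed on the path exercised, not a proof about every allocator or driver in the kernel, and it says nothing about whether a Common Criteria evaluation exists, which is a paperwork status rather than a property a test can show. The malloc() result is deliberately not something to assert on: whichever way it comes out, it is the userland allocator's behaviour.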