Date: Thu, 12 Sep 2013 10:03:12 -1000
Subject: Re: FreeBSD Transient Memory problem?
From: Jonathon Wright
To: Brett Glass
Cc: "freebsd-security@freebsd.org", John-Mark Gurney, Julian Elischer

Great translation Brett, the whole team is rolling! Unfortunately, it's probably true. Yeah, I went to the site, interesting, but I'm not sure how shady they are or not. In either case, my problem still remains.

I'm looking into what John-Mark Gurney posted to me, it looks a bit promising as far as being able to "demonstrate" the zeroing of the memory allocated prior to use. For example, when I did a man malloc, the Z option states exactly that:

The problem though is it also states that "this is intended for debugging and will impact performance negatively". That means I'm in between a rock and hard spot:

1. If I turn it on, I'll have horrible performance. (I suppose I need a /etc/malloc.conf example if I did if you have one)
2. If I don't turn it on, I am not able to address their so-called 'issue'.

On Thu, Sep 12, 2013 at 9:53 AM, Brett Glass wrote:

> At 01:33 PM 9/12/2013, Jonathon Wright wrote:
>
>> *Description of Finding:* Object reuse cannot be verified. The FreeBSD
>> servers used have not been evaluated or certified by NIAP. As such, it
>> cannot be verified that the operating system ensures transient memory
>> cleansing (object reuse) features are in place.
>
> Translation: The FreeBSD Project doesn't participate in, and hasn't paid
> money to be certified by, a program run by the NSA... a shadowy government
> agency which has been known to actively compromise security and spy on
> citizens. We recommend that our clients move to a less secure OS so that
> their systems can be spied upon and their security compromised.
>
> --Brett Glass
>
> P.S. -- For more on NIAP, see www.niap-ccevs.org. Note that this site will
> deposit multiple tracking cookies in your browser which you may want to
> delete after visiting it.
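
One way to demonstrate, from user space, the zeroing of memory before it is handed to a process, as discussed in the message above (an added example, not part of the original e-mail and not FreeBSD project code): the program dirties anonymous pages, releases them, maps fresh ones and counts any non-zero bytes. The function names are hypothetical, and it checks only anonymous mappings supplied by the kernel, not memory recycled inside one process by malloc.

```c
/* Added example: object-reuse check on kernel-supplied anonymous pages. */
#define _DEFAULT_SOURCE 1   /* glibc: expose MAP_ANON; harmless elsewhere */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Ask the kernel for len bytes of private anonymous memory. */
static void *map_anon(size_t len)
{
    return mmap(NULL, len, PROT_READ | PROT_WRITE,
                MAP_ANON | MAP_PRIVATE, -1, 0);
}

/* One round: fill a mapping with a marker, give it back to the kernel,
 * map the same amount again and count bytes that are not zero.
 * Returns the residue count, or -1 if a system call failed. */
static long one_round(size_t len)
{
    unsigned char *p = map_anon(len);
    long residue = 0;
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0xA5, len);              /* constructed marker pattern */
    if (munmap(p, len) != 0)
        return -1;
    p = map_anon(len);                 /* fresh pages from the kernel */
    if (p == MAP_FAILED)
        return -1;
    for (size_t i = 0; i < len; i++)
        residue += (p[i] != 0);
    munmap(p, len);
    return residue;
}

/* Run several rounds; returns total non-zero bytes seen, or -1 on error. */
long object_reuse_check(size_t pages, int rounds)
{
    size_t len = pages * (size_t)sysconf(_SC_PAGESIZE);
    long total = 0;
    for (int r = 0; r < rounds; r++) {
        long n = one_round(len);
        if (n < 0)
            return -1;
        total += n;
    }
    return total;
}

int main(void)
{
    long n = object_reuse_check(256, 8);
    printf("non-zero bytes in fresh mappings: %ld\n", n);
    return n == 0 ? 0 : 1;
}
```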