Date:      Thu, 6 Sep 2012 11:44:00 -0700
From:      David O'Brien <obrien@FreeBSD.org>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        Arthur Mesh <arthurmesh@gmail.com>, freebsd-security@FreeBSD.org, Doug Barton <dougb@FreeBSD.org>, freebsd-rc@FreeBSD.org, Mark Murray <markm@FreeBSD.org>
Subject:   Re: svn commit: r239598 - head/etc/rc.d
Message-ID:  <20120906184400.GF13179@dragon.NUXI.org>
In-Reply-To: <867gs7qcsl.fsf@ds4.des.no>
References:  <201208222337.q7MNbORo017642@svn.freebsd.org> <5043E449.8050005@FreeBSD.org> <20120904220126.GA85339@dragon.NUXI.org> <50468326.8070009@FreeBSD.org> <20120906164514.GA14757@dragon.NUXI.org> <867gs7qcsl.fsf@ds4.des.no>

On Thu, Sep 06, 2012 at 07:30:34PM +0200, Dag-Erling Smørgrav wrote:
> However, it does not vary from one boot to another, or even from one
> machine to another if they run the same FreeBSD version with the same
> device.hints and loader.conf on the same hardware configuration.

... and same BIOS version.

I found on some Dell desktops and HP servers I looked at that the
'hint.acpi.0' MIB could vary depending on BIOS version, and 'smbios'
MIB did vary between systems.

> (with the possible exception of a serial number if the SMBIOS provides
> one, but I have a room full of identical servers which all have serial
> number 123456)

I do not doubt what you say for SuperMicro or similar "white box"
systems.


On $WORKS's ARM and MIPS devices there were also some differences, but
granted not as much as on x86.

better_than_nothing() is a best attempt.
For instance, have you looked at how close the 'ps -fauxww' output is
between systems?  I don't see much variance.

I'm not saying 'kenv' is perfect, but it was something I found in
/[s]bin that varied between systems so it was a good replacement for
one of the 'ps' runs.


There are several attacker scenarios to think of.

1. Attacker has no login on the victim system, but is working from
   anything probeable over the network (including sniffed network
   traffic).

2. Attacker has a local non-root login on the victim system.

3. Attacker has no login on the victim system, but knows its exact hardware
   and software configuration and can study their copy of the victim
   system.

4. Attacker has a local [intruded] root login on the victim system.
   [Not to be dismissed as "well they have root -- game over",
    assume a key securely moved off box is being attacked.]

We cannot guard against all of them, but we should try to have output
in better_than_nothing() to help guard against all of these.

-- 
-- David  (obrien@FreeBSD.org)
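As an added illustration of the point argued above (not code from this thread or from FreeBSD's rc.d): a best-effort seed mixer in the spirit of better_than_nothing(), plus a check that reports which probed sources are byte-identical on two hosts and therefore reproducible by an attacker in scenario 3. The command outputs are constructed sample values, not captures from real systems.

```python
import hashlib
from typing import Dict, List

# Constructed sample output of three probed sources on two "identical" hosts.
# Hypothetical values chosen to mirror the thread: kenv matches exactly
# (same BIOS, same serial 123456), ps differs only in a PID, clock differs.
HOST_A = {
    "kenv": "hint.acpi.0.disabled=0\nsmbios.system.serial=123456\nsmbios.bios.version=A07\n",
    "ps": "root  1  0.0  0.1  /sbin/init --\nroot 24  0.0  0.0  /sbin/devd\n",
    "clock": "1346958240.127355\n",
}
HOST_B = {
    "kenv": "hint.acpi.0.disabled=0\nsmbios.system.serial=123456\nsmbios.bios.version=A07\n",
    "ps": "root  1  0.0  0.1  /sbin/init --\nroot 25  0.0  0.0  /sbin/devd\n",
    "clock": "1346958243.981102\n",
}


def mix_sources(sources: Dict[str, str]) -> bytes:
    """Hash every source into one seed, length-prefixing each so that two
    sources cannot be shifted into each other and collide."""
    h = hashlib.sha256()
    for name in sorted(sources):
        data = sources[name].encode()
        h.update(name.encode() + b"\0" + len(data).to_bytes(4, "big") + data)
    return h.digest()


def shared_sources(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Sources whose output is byte-identical on both hosts. An attacker who
    can study a matching machine reproduces these, so they add no secrecy."""
    return sorted(n for n in a if n in b and a[n] == b[n])


def varying_lines(a_out: str, b_out: str) -> List[str]:
    """Lines of one source that differ between hosts: the only part of that
    source's output an attacker with a clone cannot simply copy."""
    a_lines, b_lines = a_out.splitlines(), b_out.splitlines()
    return [x for x, y in zip(a_lines, b_lines) if x != y] + a_lines[len(b_lines):]


if __name__ == "__main__":
    print("reproducible sources:", shared_sources(HOST_A, HOST_B))
    for name in HOST_A:
        print(name, "varying lines:", varying_lines(HOST_A[name], HOST_B[name]))
    print("seeds differ:", mix_sources(HOST_A) != mix_sources(HOST_B))
```

If every source lands in shared_sources(), the two hosts derive the same seed, which is exactly the failure the thread is worried about.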
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120906184400.GF13179>