From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Big Lebowski
Cc: Piotr Kubaj, freebsd-security
Subject: Re: Will 11.0-RELEASE include ASLR?
Date: Wed, 9 Mar 2016 11:52:52 -0500
Message-ID: <20160309165252.GB42303@mutt-hardenedbsd>
References: <56E02D95.9020303@anongoth.pl> <20160309162210.GA42303@mutt-hardenedbsd>
List-Id: "Security issues [members-only posting]" freebsd-security@freebsd.org

On Wed, Mar 09, 2016 at 04:39:37PM +0000, Big Lebowski wrote:
> Shawn,
>
> Please note that I said these are the things I've heard, and there
> should be people able to answer those better. As such, you should consider
> them to be opinion, not pure facts.
>
> On Wed, Mar 9, 2016 at 4:22 PM, Shawn Webb wrote:
>
> > (Responding inline)
> >
> > On Wed, Mar 09, 2016 at 04:05:12PM +0000, Big Lebowski wrote:
> > > Hi Piotr,
> > >
> > > There are people who can probably answer it better, but until they do, I
> > > can share what I've heard about it: on the FreeBSD side there are a few
> > > things that stop ASLR implementation:
> > >
> > > - there's no actual agreement between the influential developers on
> > > whether ASLR is viable or needed in the first place
> >
> > Some FreeBSD developers think ASLR would be a good addition and others
> > don't. We at HardenedBSD believe that ASLR provides a great foundation
> > for further exploit mitigation technologies. We don't hold the belief
> > that ASLR is the "end-all-be-all" of security as some would like you to
> > believe.
>
> That's pretty much what I wanted to say.
>
> > > - there was no planning or discussion of how to implement ASLR in FreeBSD,
> > > Shawn simply started writing the code, and some developers would like to
> > > discuss and plan things first
> >
> > Discussions took place over a period of over two years. I was very
> > cooperative. If you take a look at the two reviews on FreeBSD's
> > Phabricator instance (linked to below), you'll notice that there's a lot
> > of back-and-forth discussion.
>
> Discussing patches and designing a feature such as ASLR is not exactly the
> same thing. In the spirit of this, some developers would expect some form
> of academic approach, a whitepaper, and so on, not the review
> discussion, and that's what's lacking in their opinion.

We provided a whitepaper and went through a few revisions of that, even.

> > > - there are doubts expressed in the code reviews about code quality and
> > > compliance with FreeBSD standards. Some developers dedicated their time to
> > > review the code and provide feedback, there were a few cycles of rewrite,
> > > review, rinse, repeat, but if you'd look into the reviews, Shawn closed
> > > them, and I understand they'd only be considered for inclusion if they'd
> > > meet the code quality standards expected
> >
> > Initial patches did not meet code quality standards. However, those
> > style(9) violations were fixed early on.
> >
> > Even though the patches on Phabricator are closed, they can still be
> > looked at for independent review. However, the code is now old and does
> > not reflect the current implementation in HardenedBSD.
> >
> > We closed the reviews so that we could focus on making HardenedBSD
> > great, not because of the lack of code quality.
> >
> > I'm not sure whether the patches would be considered for inclusion.
> > That's up to FreeBSD to decide. Given that the last patch went months
> > without any input from FreeBSD--input that was promised to be delivered.
>
> I don't know C and I am not a security expert; however, the code quality was
> questioned by people who I respect for their achievements in security,
> operating systems and C knowledge, and I can simply relay what I've heard:
> that there are doubts, some people even mentioned actual bugs, so it's not
> all about style(9). Yet again, not something I can verify myself, only
> something I've heard and can share.
>
> The lack of input is directly caused by my first two points: lack of
> agreement that FreeBSD needs it, and lack of academic style on how
> FreeBSD would like to implement it.

Agreed.

> > > As a side note, one person saying 'ASLR implementation is finished' and
> > > a proper ASLR implementation that's properly tested, functional and not in
> > > fact opening other security issues are two vastly different things that
> > > should be approached very carefully.
> >
> > Does "being tested over the period of three or so years through many
> > full package builds, production deployments, and dogfooding" not mean
> > "properly tested?" What does "properly tested" mean to you?
> >
> > The developers at HardenedBSD make it a point to run HardenedBSD on all
> > their hardware--even laptops.
> >
> > HardenedBSD has been available for over two years, so it can be tested
> > by anyone who downloads it and runs tests themselves. If there's a test
> > you'd like me to run, please let me know.
>
> Sorry, but I completely disagree here. I don't know the actual numbers, but
> I can safely assume that HardenedBSD user numbers are way smaller than
> FreeBSD's, and thus I would say that the amount of dogfooding over so short a
> period of time (since ASLR is considered to be completed by you) is nowhere
> close, for my taste, to considering it production ready. Moreover, do you have
> any test results available? Do you have a complete automated test suite
> exposed somewhere? Have you done static code analysis? Have you used fuzzers
> or any similar tools?

When it comes to number of users, sure. We don't have nearly the
visibility FreeBSD enjoys. But that's not a problem I can easily solve.
Since we don't have any tools that call home, we don't even know how
many users we have.

Does a kernel fuzzer even exist for FreeBSD? If so, I'd love to run it
for a whole bunch of things. I'll run it for ASLR, too.

> Don't get me wrong, I highly appreciate your work in that area; however, I
> would like to see a more complete, thorough and cautious approach to such a
> complicated thing as computer security.

What can we at HardenedBSD do to make it "more complete, thorough, and
cautious"?

Thanks,

Shawn

> Cheers,
> BL
>
> > Thanks,
> >
> > Shawn
> >
> > Original Phabricator review: https://reviews.freebsd.org/D473 (warning:
> > huge load time since this review spans around two years).
> >
> > New Phabricator review for a smaller prereq patch:
> > https://reviews.freebsd.org/D3565
> >
> > Thanks,
> >
> > Shawn
> >
> > > Cheers,
> > > BL
> > >
> > > On Wed, Mar 9, 2016 at 2:05 PM, Piotr Kubaj wrote:
> > >
> > > > Shawn Webb has recently announced that ASLR is complete on HardenedBSD.
> > > > There are patches ready for FreeBSD to use and it's ready to be shipped
> > > > in FreeBSD. However, for some reason FreeBSD developers do not want to
> > > > ship ASLR in FreeBSD. Why can't it be included at least as a non-default
> > > > src.conf option and marked as experimental?
> > > >
> > > > FreeBSD is the only OS that matters that doesn't have ASLR.
> > > > _______________________________________________
> > > > freebsd-security@freebsd.org mailing list
> > > > https://lists.freebsd.org/mailman/listinfo/freebsd-security
> > > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Shawn Webb
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
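The thread turns on whether an ASLR implementation is "properly tested" and "functional". The smallest check a practitioner can run against any build, before talking about entropy or test suites, is to observe whether the kernel actually moves the stack, heap, mmap base and (for PIE binaries) the executable text between process executions. The C program below is an added example written for this page; it is not code from the thread, from HardenedBSD or from FreeBSD. It assumes a POSIX system (FreeBSD or Linux), that it is invoked through a path that argv[0] can re-exec (for example ./aslr_check), and it uses an ASLR_PROBE environment variable of its own invention to mark the child runs. One fresh exec() per sample is required because fork() alone copies the parent's layout.

```c
/* aslr_check.c: observe whether the kernel randomizes process layout.
 * Added example (not from the thread). Assumes a POSIX system such as
 * FreeBSD or Linux, and that argv[0] is a path we can re-exec. */
#define _DEFAULT_SOURCE
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Where four regions landed in one process image. */
struct layout {
    uintptr_t stack; /* address of a stack variable */
    uintptr_t heap;  /* address returned by malloc() */
    uintptr_t anon;  /* base of an anonymous mmap() */
    uintptr_t text;  /* address of a function in the executable */
};

/* Sample the calling process. Returns 0 on success, -1 on failure. */
int probe_layout(struct layout *l)
{
    volatile int local = 0;
    void *h = malloc(64);
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (h == NULL || m == MAP_FAILED) {
        free(h);
        return -1;
    }
    l->stack = (uintptr_t)&local;
    l->heap = (uintptr_t)h;
    l->anon = (uintptr_t)m;
    l->text = (uintptr_t)probe_layout;
    munmap(m, 4096);
    free(h);
    return 0;
}

/* Number of distinct values in v[0..n). A result of 1 means every
 * sampled process got the same address, i.e. no randomization seen. */
size_t count_distinct(const uintptr_t *v, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < i && !seen; j++)
            seen = (v[j] == v[i]);
        if (!seen)
            distinct++;
    }
    return distinct;
}

/* Re-exec ourselves once in probe mode and parse the child's report. */
static int spawn_probe(const char *self, struct layout *l)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: stdout into the pipe, then exec a fresh image */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        setenv("ASLR_PROBE", "1", 1); /* hypothetical marker variable */
        execlp(self, self, (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    FILE *in = fdopen(fd[0], "r");
    int n = in ? fscanf(in, "%" SCNxPTR " %" SCNxPTR " %" SCNxPTR " %" SCNxPTR,
                        &l->stack, &l->heap, &l->anon, &l->text) : 0;
    if (in)
        fclose(in);
    else
        close(fd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return (n == 4 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

static void report(const char *name, const uintptr_t *v, size_t n)
{
    size_t d = count_distinct(v, n);
    printf("%-6s %zu distinct of %zu -> %s\n", name, d, n,
           d == 1 ? "NOT randomized" : "randomized");
}

int main(int argc, char **argv)
{
    (void)argc;
    struct layout l;
    if (getenv("ASLR_PROBE") != NULL) { /* child: print and exit */
        if (probe_layout(&l) != 0)
            return 1;
        printf("%" PRIxPTR " %" PRIxPTR " %" PRIxPTR " %" PRIxPTR "\n",
               l.stack, l.heap, l.anon, l.text);
        return 0;
    }
    enum { N = 8 }; /* one exec per sample */
    uintptr_t stack[N], heap[N], anon[N], text[N];
    for (size_t i = 0; i < N; i++) {
        if (spawn_probe(argv[0], &l) != 0) {
            fprintf(stderr, "probe %zu failed (run as ./aslr_check)\n", i);
            return 1;
        }
        stack[i] = l.stack; heap[i] = l.heap; anon[i] = l.anon; text[i] = l.text;
    }
    report("stack", stack, N);
    report("heap", heap, N);
    report("mmap", anon, N);
    report("text", text, N); /* fixed unless the binary is built as PIE */
    return 0;
}
```

Build it with `cc -fPIE -pie -o aslr_check aslr_check.c` (flags assumed to be accepted by your toolchain) and run `./aslr_check`. A region that reports 1 distinct address across the 8 runs was not randomized; a fixed text address on a non-PIE build is expected and is not an ASLR defect. This observes placement only, so it says nothing about entropy quality, which needs many more samples and an analysis of which address bits actually vary.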