Date: Thu, 12 Sep 2013 07:49:43 -1000
From: My Email <jonathon.s.wright@gmail.com>
To: John-Mark Gurney <jmg@funkthat.com>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: FreeBSD Transient Memory problem?
Message-ID: <979901F9-5F25-4DF1-95A8-32473C55B25F@gmail.com>
In-Reply-To: <20130912053559.GF68682@funkthat.com>
References: <CAGX1DMbQP=TggYQm-3hra0Od3gjgz5xQ8bEMMrueuhL6kuZMUA@mail.gmail.com> <20130912053559.GF68682@funkthat.com>
My apologies, I have been replying to all, I hope that is the correct method.

Anyway, that is very interesting information. I'd be extremely interested in information on customizing malloc and jemalloc. Let me know where to start.

Thanks!
JW

On Sep 11, 2013, at 7:35 PM, John-Mark Gurney <jmg@funkthat.com> wrote:

> Jonathon Wright wrote this message on Wed, Sep 11, 2013 at 14:15 -1000:
>> I have posted this question (username-scryptkiddy) in the forums:
>> http://forums.freebsd.org/showthread.php?t=41875
>> but was suggested to bring it here to the mailing list for discussion.
>>
>> Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We were
>> inspected by a security team and they had issues with FreeBSD's memory
>> management.
>>
>> Namely the transient memory and object reuse areas of FreeBSD. They claimed
>> that FreeBSD did not have a Common Criteria (EAL1-4) evaluation completed,
>> and therefore was vulnerable to the Transient memory problem.
>
> Any system that uses malloc will have difficulties with this as most
> versions of free will not zero out the memory... You could make
> modifications to kernel malloc to always zero memory on free, and turn on
> the junk feature of jemalloc and that could possibly close this issue
> for them...
>
>> Our higher ups need some sort of documentation / testing that can be used
>> to counter this, since changing Operating Systems is not something we have
>> time / manpower to do, but might have to based on this supposed 'finding'.
>>
>> The post has all the details. Let me know if I need to repost in this as well.
>
> I know that FreeBSD 4.7 and 4.9 have been EAL3 certified. I worked for
> nCircle a number of years ago, and they got their products EAL3
> certified.
>
> Link:
> http://www.commoncriteriaportal.org:80/files/epfiles/nCircle%20CR%20v1.0.pdf
>
> It is possible someone else has received certification on a newer version,
> but I'm not aware of any at this time...
>
> --
> John-Mark Gurney				Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."
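A user-space model of the two mitigations John-Mark describes (zeroing memory on free, and jemalloc-style junk filling of freed blocks), added here as example code that is not from the thread or from FreeBSD's allocator. scrub_malloc, scrub_inplace and scrub_free are hypothetical names, and the size header stands in for the bookkeeping a real allocator already keeps.

```c
#include <stdlib.h>
#include <string.h>

/* 0x5a is the fill jemalloc's junk option writes over freed memory; 0 models "zero on free". */
#define JUNK_FREED 0x5a

/* Size header in front of every block so the free path knows how much to scrub
   (a real allocator already tracks this; the header is a stand-in). */
struct blk_hdr { size_t len; };

/* Allocate n user bytes behind a size header. */
void *scrub_malloc(size_t n) {
    struct blk_hdr *h = malloc(sizeof *h + n);
    if (h == NULL) return NULL;
    h->len = n;
    return h + 1;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the stores
   as dead, which is the reason explicit_bzero(3) exists. */
static void scrub_bytes(void *p, size_t n, unsigned char pat) {
    volatile unsigned char *v = p;
    while (n-- > 0) *v++ = pat;
}

/* Count user bytes that still differ from pat; 0 means the block is fully scrubbed. */
size_t count_unscrubbed(const void *p, unsigned char pat) {
    const struct blk_hdr *h = (const struct blk_hdr *)p - 1;
    const unsigned char *b = p;
    size_t bad = 0;
    for (size_t i = 0; i < h->len; i++)
        if (b[i] != pat) bad++;
    return bad;
}

/* Scrub a live block in place; returns the number of bytes overwritten. */
size_t scrub_inplace(void *p, unsigned char pat) {
    struct blk_hdr *h = (struct blk_hdr *)p - 1;
    scrub_bytes(p, h->len, pat);
    return h->len;
}

/* free() that scrubs first, so no residue reaches the block's next owner. */
size_t scrub_free(void *p, unsigned char pat) {
    if (p == NULL) return 0;
    size_t n = scrub_inplace(p, pat);
    free((struct blk_hdr *)p - 1);
    return n;
}
```

For user processes on FreeBSD 8.x the allocator-level switch for the same behaviour is the J flag in MALLOC_OPTIONS (see malloc(3)); kernel malloc has no such knob, which is why John-Mark suggests modifying it.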
