BSD Now - Episodes Tagged with “W^X”

89: Exclusive Disjunction

JT Pennington — Wed, 13 May 2015 08:00:00 -0400

This week on the show, we'll be talking to Mike Larkin about various memory protections in OpenBSD. We'll cover recent W^X improvements, SSP, ASLR, PIE and all kinds of acronyms! We've also got a bunch of news and answers to your questions, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenSMTPD for the whole family

Setting up a BSD mail server is something a lot of us are probably familiar with doing, at least for our own accounts
This article talks about configuring a home mail server too, but even for the other people you live with
After convincing his wife to use their BSD-based Owncloud server for backups, the author talks about moving her over to his brand new OpenSMTPD server too
If you've ever run a mail server and had to deal with greylisting, you'll appreciate the struggle he went through
In the end, BGP-based list distribution saved the day, and his family is being served well by a BSD box ***

NetBSD on the Edgerouter Lite

We've talked a lot about building your own BSD-based router on the show, but not many of the devices we mention are in the same price range as consumer devices
The EdgeRouter Lite, a small MIPS-powered machine, is starting to become popular (and is a bit cheaper)
A NetBSD developer has been hacking on it, and documents the steps to get a working install in this blog post
The process is fairly simple, and you can cross-compile your own installation image on any CPU architecture (even from another BSD!)
OpenBSD and FreeBSD also have some support for these devices ***

Bitrig at NYC*BUG

The New York City BSD users group has semi-regular meetings with presentations, and this time the speaker was John Vernaleo
John discussed Bitrig, an OpenBSD fork that we've talked about a couple times on the show
He talks about what they've been up to lately, why they're doing what they're doing, difference in supported platforms
Ports and packages between the two projects are almost exactly the same, but he covers the differences in the base systems, how (some) patches get shared between the two and finally some development model differences ***

OPNsense, meet HardenedBSD

Speaking of forks, two FreeBSD-based forked projects we've mentioned on the show, HardenedBSD and OPNsense, have decided to join forces
Backporting their changes to the 10-STABLE branch, HardenedBSD hopes to introduce some of their security additions to the OPNsense codebase
Paired up with LibreSSL, this combination should offer a good solution for anyone wanting a BSD-based firewall with an easy web interface
We'll cover more news on the collaboration as it comes out ***

Interview - Mike Larkin - mlarkin@openbsd.org / @mlarkin2012

Memory protections in OpenBSD: W^X, ASLR, PIE, SSP

News Roundup

A closer look at FreeBSD

The week wouldn't be complete without at least one BSD article making it to a mainstream tech site
This time, it's a high-level overview of FreeBSD, some of its features and where it's used
Being that it's an overview article on a more mainstream site, you won't find anything too technical - it covers some BSD history, stability, ZFS, LLVM and Clang, ports and packages, jails and the licensing
If you have any BSD-curious Linux friends, this might be a good one to send to them ***

Linksys NSLU2 and NetBSD

The Linksys NSLU2 is a proprietary network-attached storage device introduced back in 2004
"About 2 months ago I set a goal to run some kind of BSD on the spare Linksys NSLU2 I had. This was driven mostly by curiosity, after listening to a few BSDNow episodes and becoming a regular listener [...]"
After doing some research, the author of this post discovered that he could cross-compile NetBSD for the device straight from his Linux box
If you've got one of these old devices kicking around, check out this write-up and get some BSD action on there ***

OpenBSD disklabel templates

We've covered OpenBSD's "autoinstall" feature for unattended installations in the past, but one area where it didn't offer a lot of customization was with the disk layout
With a few recent changes, there are now a series of templates you can use for a completely customized partition scheme
This article takes you through the process of configuring an autoinstall answer file and adding the new section for disklabel
Combine this new feature with our -stable iso tutorial, and you could deploy completely patched and customized images en masse pretty easily ***

FreeBSD native ARM builds

FreeBSD -CURRENT builds for the ARM CPU architecture can now be built natively, without utilities that aren't part of base
Some of the older board-specific kernel configuration files have been replaced, and now the "IMC6" target is used
This goes along with what we read in the most recent quarterly status report - ARM is starting to get treated as a first class citizen ***

Feedback/Questions

87: On the List

JT Pennington — Wed, 29 Apr 2015 08:00:00 -0400

Coming up this time on the show, we'll be speaking with Christos Zoulas, a NetBSD security officer. He's got a new project called blacklistd, with some interesting possibilities for stopping bruteforce attacks. We've also got answers to your emails and all this week's news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

New PAE support in OpenBSD

OpenBSD has just added Physical Address Extention support to the i386 architecture, but it's probably not what you'd think of when you hear the term
In most operating systems, PAE's main advantage is to partially circumvent the 4GB memory limit on 32 bit platforms - this version isn't for that
Instead, this change specifically allows the system to use the No-eXecute Bit of the processor for the userland, further hardening the in-place memory protections
Other operating systems enable the CPU feature without doing anything to the page table entries, so they do get the available memory expansion, but don't get the potential security benefit
As we discussed in a previous episode, the AMD64 platform already saw some major W^X kernel and userland improvements - the i386 kernel reworking will begin shortly
Not all CPUs support this feature, but, if yours supports NX, this will improve upon the previous version of W^X that was already there
The AMD64 improvements will be in 5.7, due out in just a couple days as of when we're recording this, but the i386 improvements will likely be in 5.8 ***

Booting Windows in bhyve

Work on FreeBSD's bhyve continues, and a big addition is on the way
Thus far, bhyve has only been able to boot operating systems with a serial console - no VGA, no graphics, no Windows
This is finally changing, and a teasing screenshot of Windows Server was recently posted on Twitter
Graphics emulation is still in the works; this image was taken by booting headless and using RDP
A lot of the needed code is being committed to -CURRENT now, but the UEFI portion of it requires a bit more development (and the aim for that is around the time of BSDCan)
Not a lot of details on the matter currently, but we'll be sure to bring you more info as it comes out
Are you more interested in bhyve or Xen on FreeBSD? Email us your thoughts ***

MidnightBSD 0.6 released

MidnightBSD is a smaller project we've not covered a lot on the show before
It's an operating system that was forked from FreeBSD back in the 6.1 days, and their focus seems to be on ease-of-use
They also have their own, smaller version of FreeBSD ports, called "mports"
If you're already using it, this new version is mainly a security and bugfix release
It syncs up with the most recent FreeBSD security patches and gets a lot of their ports closer to the latest versions
You can check their site for more information about the project
We're trying to get the lead developer to come on for an interview, but haven't heard anything back yet ***

OpenBSD rewrites the file utility

We're all probably familiar with the traditional file command - it's been around since the 1970s
For anyone who doesn't know, it's used to determine what type of file something actually is
This tool doesn't see a lot of development these days, and it's had its share of security issues as well
Some of those security issues remain unfixed in various BSDs even today, despite being publicly known for a while
It's not uncommon for people to run file on random things they download from the internet, maybe even as root, and some of the previous bugs have allowed file to overwrite other files or execute code as the user running it
When you think about it, file was technically designed to be used on untrusted files
OpenBSD developer Nicholas Marriott, who also happens to be the author of tmux, decided it was time to do a complete rewrite - this time with modern coding practices and the usual OpenBSD scrutiny
This new version will, by default, run as an unprivileged user with no shell, and in a systrace sandbox, strictly limiting what system calls can be made
With these two things combined, it should drastically reduce the damage a malicious file could potentially do
Ian Darwin, the original author of the utility, saw the commit and replied, in what may be a moment in BSD history to remember
It'll be interesting to see if the other BSDs, OS X, Linux or other UNIXes consider adopting this implementation in the future - someone's already thrown together an unofficial portable version
Coincidentally, the lead developer and current maintainer of file just happens to be our guest today… ***

Interview - Christos Zoulas - christos@netbsd.org

blacklistd and NetBSD advocacy

News Roundup

GSoC-accepted BSD projects

The Google Summer of Code people have published a list of all the projects that got accepted this year, and both FreeBSD and OpenBSD are on that list
FreeBSD's list includes: NE2000 device model in userspace for bhyve, updating Ficl in the bootloader, type-aware kernel virtual memory access for utilities, JIT compilation for firewalls, test cluster automation, Linux packages for pkgng, an mtree parsing and manipulation library, porting bhyve to ARM-based platforms, CD-ROM emulation in CTL, libc security extensions, gptzfsboot support for dynamically discovering BEs during startup, CubieBoard support, a bhyve version of the netmap virtual passthrough for VMs, PXE support for FreeBSD guests in bhyve and finally.. memory compression and deduplication
OpenBSD's list includes: asynchronous USB transfer submission from userland, ARM SD/MMC & controller driver in libsa, improving USB userland tools and ioctl, automating module porting, implementing a KMS driver to the kernel and, wait for it... porting HAMMER FS to OpenBSD
We'll be sure to keep you up to date on developments from both projects
Hopefully the other BSDs will make the cut too next year ***

FreeBSD on the Gumstix Duovero

If you're not familiar with the Gumstix Duovero, it's an dual core ARM-based computer-on-module
They actually look more like a stick of RAM than a mini-computer
This article shows you how to build a FreeBSD -CURRENT image to run on them, using crochet-freebsd
If anyone has any interesting devices like this that they use BSD on, write up something about it and send it to us ***

EU study recommends OpenBSD

A recent study by the European Parliament was published, explaining that more funding should go into critical open source projects and tools
This is especially important, in all countries, after the mass surveillance documents came out
"[...] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts."
The report goes on to mention users becoming more and more security and privacy-aware, installing additional software to help protect themselves and their traffic from being spied on
Alongside Qubes, a Linux distro focused on containment and isolation, OpenBSD got a special mention: "Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways"
Reddit, Undeadly and Hacker News also had some discussion, particularly about corporations giving back to the BSDs that they make use of in their infrastructure - something we've discussed with Voxer and M:Tier before ***

FreeBSD workflow with Git

If you're interested in contributing to FreeBSD, but aren't a big fan of SVN, they have a Github mirror too
This mailing list post talks about interacting between the official source repository and the Git mirror
This makes it easy to get pull requests merged into the official tree, and encourages more developers to get involved ***