The FreeBSD people seem to be on a roll when it comes to porting things. They mention a 64-bit Linux compatibility layer they recently rolled out in this post. But in addition, some iXsystems employees have ported much of the OSF Mach kernel (sans memory object/external pager interface) as a module, plus partial or full implementations of XPC, libdispatch, ASL (Apple System Logger), liblaunch and other facilities just so they can run the low-level Darwin/OS X userspace and launchd, especially. FreeNAS then wrote Cython bindings to all this for use in their system services. This is all in feature branches atm, but it should be rolling out soon enough.
To be honest, I think OpenBSD is ahead on some fronts (research on security mechanisms, for instance), but the reason that I tend to use FreeBSD is that it actually works with software packages.
So the computers are based on FreeBSD (which manages the hypervisor -- and soon container daemon!), and appliances only are based on OpenBSD.
Well I don't know about that. I can't open Settings in Chromium at all anymore, the whole browser crashes. It also constantly uses 100% CPU for something so with Chromium open my load is always >1.
In VirtualBox none of the file open dialogs work.
If I switch to a console from X the whole screen glitches and gets stuck, I have to SSH in to restart/stop X.
Suspend doesn't work for me.
So yeah, it doesn't work on the desktop as well as Linux does. Haven't had any problems with it as a server though.
Oh and about the X thing, do you have a Haswell processor? And are you using the VGA driver for X? I had that, bought a $20 ATI card, works fine now, 3D acceleration in KWM and everything.
I use OpenBSD and haven't found software to be an issue. Certainly mainstream stuff such as Chromium, Firefox, LibreOffice, VLC, Evince, Gimp, Inkscape... all works.
I believe capsicum is/will be used for sandboxing sshd, ping and tcpdump. Furthermore i know about Security Appliances making use of it, but that's about it, to be honest.
Can you provide further details or examples of how these two projects did or do improve FreeBSD's Security? I know for example about ASLR in FBSD 11 coming from Shawn Webb et. al. from the HardenedBSD project..
Canaries and other techniques that leverage volatiles do not prevent an overflow; they just try to cope with the consequences of an overflow which has happened. (This is why they're generally lumped together as "mitigation".) The canary tries to detect the case of an overflow which overwrites the return address in a stack frame. Data Execution Prevention (DEP) takes this idea a step further, it assumes that the return address has been overwritten and followed, and it restricts the areas where execution could jump. ASLR is yet another step further: it "shuffles" the areas where execution is allowed.
More specifically, stack canaries work by modifying every function's prologue and epilogue regions to place and check a value on the stack respectively. As such, if a stack buffer is overwritten during a memory copy operation, the error is noticed before execution returns from the copy function. When this happens, an exception is raised, which is passed back up the exception handler hierarchy until it finally hits the OS's default exception handler. If you can overwrite an existing exception handler structure in the stack, you can make it point to your own code. This is a Structured Exception Handling (SEH) exploit, and it allows you to completely bypass the canary check.
DEP and NX (what OpenBSD calls W^X) mark important structures in memory as non-executable, and force hardware-level exceptions if you try to execute those memory regions. This makes normal stack buffer overflows where you set eip to esp+offset and immediately run your shellcode impossible, because the stack is non-executable. Bypassing DEP and NX requires a trick called Return-Oriented Programming (ROP).
ROP essentially involves finding existing snippets of code from the program (called gadgets) and jumping to them, such that you produce a desired outcome. Since the code is part of legitimate executable memory, DEP and NX don't matter. These gadgets are chained together via the stack, which contains the exploit payload. Each entry in the stack corresponds to the address of the next ROP gadget. Each gadget is in the form of instr1; instr2; instr3; ... instrN; ret, so that the ret will jump to the next address on the stack after executing the instructions, thus chaining the gadgets together. Often additional values have to be placed on the stack in order to successfully complete a chain, due to instructions that would otherwise get in the way.
The trick is to chain these ROPs together in order to call a memory protection function such as VirtualProtect, which is then used to make the stack executable, so your shellcode can run, via an jmp esp or equivalent gadget. Tools like mona (https://github.com/corelan/mona) can be used to generate ROP gadget chains, or to find ROP gadgets.
There are a few ways to bypass ASLR:
Direct RET overwrite - Often processes with ASLR will still load non-ASLR modules, allowing you to just run your shellcode via a jmp.
Partial EIP overwrite - Only overwrite part of EIP, or use a reliable information disclosure in the stack to find what the real EIP should be, then use it to calculate your target. We still need a non-ASLR module for this though.
NOP spray/sled - Create a big block of NOPs to increase chance of jump landing on legit memory. Difficult, but possible even when all modules are ASLR-enabled. This won't work if DEP is switched on.
Bruteforce - If you can try an exploit with a vulnerability that doesn't make the program crash, you can bruteforce 256 different target addresses until it works.
Again, the important theme here is that canaries, DEP and ASLR do not defeat overflows themselves, but target the generic overflow exploit methods which have traditionally been employed. The arms race between attackers and defenders in this space is becoming too specialized and increasingly, misses the point.
Additionally, PIE (required for ASLR) has a negativ...
As noted below, Theo seems to be cautiously boarding the capabilities train with tame. That said, there appear to be some rather large issues with the implementation as it stands.
The only piece of software I really miss on OpenBSD is the Android SDK, other than that it has everything I use and it works great. So once again I want to tell everyone reading this, if you haven't tried it and if your hardware is supported I invite you to give OpenBSD a spin.
I've been looking at OpenBSD but the partitioning setup (fdisk) is off-putting. Why are we counting heads/tracks/cylinders in 2015? Also, the labeling thing is weird but I could live with that.
I have no idea what happened to "The Landlord" on that front. Story just about died in 2013, there was a brief segment on Good Morning America in 2014 and that was that. He works for iXsystems and even gave out some talks. It's not like I'd bother asking him.
An article around the time of sentencing (mid-2013) said he'd be out in about a year,
> Kip and Nicole Macy agreed to a plea deal of "four years, four months" in state prison. If a judge approves it next month, they could be out in a year, with time served.
The bit about adding in Mach/OS X support is really interesting. Any idea specifically what they're looking to run?
It's intriguing on its own and could provide a basis for reimplementations of CoreFoundation, AppKit, Quartz, etc, enabling the creation of FreeBSD-based "open OS X" of sorts.
Yeah, I think this one's meant to run nearly unmodified because of an OSF Mach layer being supplied, rather than translating source code from Mach to POSIX.
I just assumed we would not do docker because we have had jails for so long. In fact, ZFS and jail is docker no? I admit no familiarity with docker (played with LXC years ago and thought - gosh it's like jail! :-)
Docker is a management tool for the underlying jail-like features implemented by the kernel (cgroups, mainly). There's no reason why it can't be used to manage *BSD jails, ie., create jails from Dockerfiles, download jail templates from a public repository, etc.
I hope Sony will be implementing this with the PS4 for running an emulator of the PS3 for backwards compatibility in response to Xbox Ones recent emulation implementation.
I really like a lot of things about FreeBSD and would love to try it in the cloud but I feel like I'm missing something? Running FreeBSD on top of ZFS seems to be the smart way to go and yet this requires 1GB of ram minimum. If I spin up an instance of Ubuntu using ext4 by default, the OS uses around 50Mb of ram total. I feel like only the big kids who run on dedicated servers or who are paying for a larger instance get to use FreeBSD.
There's nothing wrong with UFS+SUJ. FreeBSD is awesome for a lot more reasons than just ZFS, and it works well in low memory environments (assuming that you're willing to tweak the kernel/installation a little bit---for example, see https://www.freebsd.org/doc/en/articles/nanobsd/index.html). That said, the smallest current generation instance from Amazon comes with 1 GB RAM, which is more than enough memory to experiment with everything FreeBSD has to offer.
68 comments
[ 7.7 ms ] story [ 1399 ms ] threadIt's insane.
So the computers are based on FreeBSD (which manages the hypervisor -- and soon container daemon!), and appliances only are based on OpenBSD.
Compatibility ftw.
Well I don't know about that. I can't open Settings in Chromium at all anymore, the whole browser crashes. It also constantly uses 100% CPU for something so with Chromium open my load is always >1.
In VirtualBox none of the file open dialogs work.
If I switch to a console from X the whole screen glitches and gets stuck, I have to SSH in to restart/stop X.
Suspend doesn't work for me.
So yeah, it doesn't work on the desktop as well as Linux does. Haven't had any problems with it as a server though.
See: https://twitter.com/cperciva/status/619969753566744576
Suspend/resume should be working pretty well in -CURRENT, unfortunately 11.0 is still a ways out if you want a -RELEASE.
The VirtualBox issue is long standing, it's caused by the fact that vbox is setuid. Try this:
env KDE_FORK_SLAVES=1 VirtualBox
Citation(s) requested.
Edit: First 5 Minutes De Raadt speaks about Mitigation Techniques in comparison to other OSs, including FBSD. I fear, this is still true in mid-2015..
In the security area, for instance, there are very good things coming from the TrustedBSD and HardenedBSD branch, getting ported back to FreeBSD.
http://www.trustedbsd.org/
http://hardenedbsd.org/
https://en.wikipedia.org/wiki/FreeBSD#Security
More specifically, stack canaries work by modifying every function's prologue and epilogue regions to place and check a value on the stack respectively. As such, if a stack buffer is overwritten during a memory copy operation, the error is noticed before execution returns from the copy function. When this happens, an exception is raised, which is passed back up the exception handler hierarchy until it finally hits the OS's default exception handler. If you can overwrite an existing exception handler structure in the stack, you can make it point to your own code. This is a Structured Exception Handling (SEH) exploit, and it allows you to completely bypass the canary check.
DEP and NX (what OpenBSD calls W^X) mark important structures in memory as non-executable, and force hardware-level exceptions if you try to execute those memory regions. This makes normal stack buffer overflows where you set eip to esp+offset and immediately run your shellcode impossible, because the stack is non-executable. Bypassing DEP and NX requires a trick called Return-Oriented Programming (ROP).
ROP essentially involves finding existing snippets of code from the program (called gadgets) and jumping to them, such that you produce a desired outcome. Since the code is part of legitimate executable memory, DEP and NX don't matter. These gadgets are chained together via the stack, which contains the exploit payload. Each entry in the stack corresponds to the address of the next ROP gadget. Each gadget is in the form of instr1; instr2; instr3; ... instrN; ret, so that the ret will jump to the next address on the stack after executing the instructions, thus chaining the gadgets together. Often additional values have to be placed on the stack in order to successfully complete a chain, due to instructions that would otherwise get in the way.
The trick is to chain these ROPs together in order to call a memory protection function such as VirtualProtect, which is then used to make the stack executable, so your shellcode can run, via an jmp esp or equivalent gadget. Tools like mona (https://github.com/corelan/mona) can be used to generate ROP gadget chains, or to find ROP gadgets.
There are a few ways to bypass ASLR:
Direct RET overwrite - Often processes with ASLR will still load non-ASLR modules, allowing you to just run your shellcode via a jmp.
Partial EIP overwrite - Only overwrite part of EIP, or use a reliable information disclosure in the stack to find what the real EIP should be, then use it to calculate your target. We still need a non-ASLR module for this though.
NOP spray/sled - Create a big block of NOPs to increase chance of jump landing on legit memory. Difficult, but possible even when all modules are ASLR-enabled. This won't work if DEP is switched on.
Bruteforce - If you can try an exploit with a vulnerability that doesn't make the program crash, you can bruteforce 256 different target addresses until it works.
Again, the important theme here is that canaries, DEP and ASLR do not defeat overflows themselves, but target the generic overflow exploit methods which have traditionally been employed. The arms race between attackers and defenders in this space is becoming too specialized and increasingly, misses the point.
Additionally, PIE (required for ASLR) has a negativ...
/lib/lib[asl, dispatch, launch, mach, osxsupport, xpc].
The XPC stuff is mostly Jakub Klama's work, I think.
> Kip and Nicole Macy agreed to a plea deal of "four years, four months" in state prison. If a judge approves it next month, they could be out in a year, with time served.
It's intriguing on its own and could provide a basis for reimplementations of CoreFoundation, AppKit, Quartz, etc, enabling the creation of FreeBSD-based "open OS X" of sorts.
OP mentioned the "why", it was just oddly worded.
https://en.wikipedia.org/wiki/Grand_Central_Dispatch
ezjail[1] manages FreeBSD jails quite nicely too. Paired with ZFS, the GP makes a solid case IMHO.
1 - https://www.freebsd.org/doc/handbook/jails-ezjail.html
https://www.youtube.com/watch?v=8phbsAhJ-9w
https://www.youtube.com/watch?v=kJ74mgkzLxc
There ...fixed that for you