  #1   (View Single Post)  
Old 10th August 2017
pawkolor pawkolor is offline
Fdisk Soldier
 
Join Date: May 2015
Posts: 53
randomization kernel protection

Hello, I'm not too familiar with IT and programming, but I would like to ask about a new feature. What advantage will this change that Theo is making bring?

https://marc.info/?l=openbsd-tech&m=149732026405941
Reply With Quote
  #2   (View Single Post)  
Old 10th August 2017
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,975

phessler@ answered this question in the comments to the article in the OpenBSD Journal.
Quote:
Before this change, all kernels would have precisely the same memory layout. If you know a single symbol, you can calculate everything else.

The purpose of this is to defend against attacks that use that information to attack. If every machine has a unique layout per boot, then those attacks cannot succeed.
Reply With Quote
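
An added illustration of the point quoted above (not part of the thread and not OpenBSD code): a simplified Python model of link-order randomization. The object names, sizes and base address are constructed; the model compares how well one known address predicts another under a fixed link order and under a per-boot shuffled one.

```python
import random

# Constructed object files (name, size in bytes); not real kernel objects.
OBJECTS = [
    ("locore.o", 0x3000), ("vfs_syscalls.o", 0x5200), ("uipc_socket.o", 0x4100),
    ("kern_exec.o", 0x2800), ("if_ethersubr.o", 0x1C00), ("tty.o", 0x3600),
]
BASE = 0xFFFFFFFF81000000  # illustrative link base, an assumption


def link(objects, rng=None):
    """Place objects back to back. rng=None keeps the fixed order;
    otherwise the order is shuffled (simplified model of a per-boot relink)."""
    order = list(objects)
    if rng is not None:
        rng.shuffle(order)
    addr, layout = BASE, {}
    for name, size in order:
        layout[name] = addr
        addr += size
    return layout


def predict(reference, known_name, known_addr, target):
    """Derive target's address from one known address plus the offset
    between the two objects in a reference layout."""
    return known_addr + (reference[target] - reference[known_name])


def prediction_hit_rate(boots, randomized, seed=0):
    """Fraction of simulated boots where the reference offsets still hold."""
    rng = random.Random(seed)
    reference = link(OBJECTS)  # the layout every identical kernel shares
    hits = 0
    for _ in range(boots):
        actual = link(OBJECTS, rng if randomized else None)
        guess = predict(reference, "tty.o", actual["tty.o"], "kern_exec.o")
        hits += int(guess == actual["kern_exec.o"])
    return hits / boots


if __name__ == "__main__":
    print("fixed layout:     ", prediction_hit_rate(200, randomized=False))
    print("randomized layout:", prediction_hit_rate(200, randomized=True))
```
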
  #3   (View Single Post)  
Old 10th August 2017
pawkolor pawkolor is offline
Fdisk Soldier
 
Join Date: May 2015
Posts: 53

Why is Theo doing this now and not 10 years ago? Somebody from the NSA uses this method to hack systems.
Reply With Quote
  #4   (View Single Post)  
Old 11th August 2017
Trihex Trihex is offline
Real Name: Trihexagonal
Port Guard
 
Join Date: Jul 2017
Location: Over the hills and far away
Posts: 36

There was also this article on bleepingcomputer.com, which is where I first learned about it.

OpenBSD Will Get Unique Kernels on Each Reboot

It explains the difference between KARL and ASLR — Address Space Layout Randomization, which has been implemented in Linux:
Reply With Quote
  #5   (View Single Post)  
Old 11th August 2017
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,975

For clarity, your link references KASLR - "Kernel ASLR."

ASLR is not new, having been initially developed for Linux PaX in 2001 and deployed in OpenBSD in 2003, with other operating systems following over time. (Wiki)

Last edited by jggimi; 11th August 2017 at 03:43 PM. Reason: added link
Reply With Quote
  #6   (View Single Post)  
Old 11th August 2017
Trihex Trihex is offline
Real Name: Trihexagonal
Port Guard
 
Join Date: Jul 2017
Location: Over the hills and far away
Posts: 36

I wasn't clear enough and was going by what the article stated:

Quote:
KARL should not be confused with ASLR — Address Space Layout Randomization — a technique that randomizes the memory address where application code is executed, so exploits can't target a specific area of memory where an application or the kernel is known to run.
At any rate, it was the deciding factor in my building another OpenBSD box after not having one for several years. Having an OpenBSD box in addition to just FreeBSD boxen has its merits as well.
Reply With Quote
  #7   (View Single Post)  
Old 30th August 2017
handy handy is offline
Port Guard
 
Join Date: Aug 2017
Posts: 17

On my learning of OpenBSD doing this kernel randomization thingy, I moved (after ~12 years of Linux) from an ArchLinux based distro to OpenBSD. (I had been dissatisfied with Linux due to the effects of Red Hat - in particular - on the way Linux was being developed - I really don't like systemd. I also have learned that I really don't like the OpenRC init, which I've used for quite some time - the dislike is for completely different reasons...)

OpenBSD, even without the Linux compatibility kernel layer, gives me more useful application choices than Void Linux (a technically great non-systemd alternative that uses the runit init). Unfortunately Void Linux seems to me to be more of a technical experiment & hobby for a BSD guy! (He makes me feel very simple minded...)

I only mentioned Void, as it was probably my last hope of finding a systemd free Linux that was suitable. For me it isn't. Repo is too small, community is too small, development team is too small, forum moderator team is too small, & on it goes.

/rant
Reply With Quote
  #8   (View Single Post)  
Old 30th August 2017
sacerdos_daemonis sacerdos_daemonis is offline
Real Name: Will forever be a secret.
Package Pilot
 
Join Date: Sep 2014
Location: Currently residing in China.
Posts: 188

Quote:
Originally Posted by handy
Unfortunately Void Linux seems to me to be more of a technical experiment & hobby for a BSD guy!
Not a surprise.
Quote:
Rolling release
Install once, update daily. Your system will always be up-to-date.

From https://www.voidlinux.eu/
That is a clear message that the system is a toy not suitable for production environments. (like Arch) I am not saying there is anything wrong with such systems, but they are meant to be toys for computer hobbyists. There is a reason they are used in few offices and on few servers.

Personally, randomised kernels do not mean much to me. The extra security is nice, but it would not be the determining factor in my choice of OS.
__________________
OpenBSD 6.2
Reply With Quote
  #9   (View Single Post)  
Old 31st August 2017
handy handy is offline
Port Guard
 
Join Date: Aug 2017
Posts: 17

@s_d I agree with you that the rolling release package management system is not really suitable for business environments.

Where Void's rolling release system is superior to Arch (or any other rolling system that I know of) is that you can not upgrade any package for over a year, & then upgrade only selected packages (the dependencies will have to be upgraded too of course) & there will be no stability problems.

If you go to 3 months & beyond with Arch (based systems) you are asking for system trouble.

The kernel randomization thing was really just what caused me to have another look at OpenBSD. It installed & ran on my main machine; does just about everything that I need, so it is my new desktop system.

I just have to get AirVPN working on it & I'll be completely satisfied.
Reply With Quote