DaemonForums  

#1, posted by rocket357 on 22nd March 2015
HardenedBSD to get NoExec

Obligatory link here.

It is always good seeing a project brought up to speed with modern security practices, especially one like FreeBSD (the authors of HardenedBSD hope to have their security patches merged upstream with FreeBSD). I appreciate work like this, honestly, I do.

It goes without saying that OpenBSD has had this type of technology since release 3.3 (May, 2003), but hey, I'm happy to see the concept being adopted elsewhere.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
#2, posted by ibara on 22nd March 2015

While I'm happy to see this go forward, there is recent political trouble that may jeopardize any inclusion in FreeBSD:
http://marc.info/?l=freebsd-arch&m=142687547315822&w=2
(read the whole thread for context)

I also very much disagree with the PaX model since it's an invitation to simply turn off all the protections. But that's a separate issue stemming from the fundamental design decisions at the beginning of the project.
#3, posted by rocket357 on 22nd March 2015

Quote, originally posted by ibara:
I also very much disagree with the PaX model since it's an invitation to simply turn off all the protections.

This is exactly the same problem that SELinux suffers from. It irritates me to no end when I hear my fellow Engineers advising customers to "just turn it off...it's more trouble than it is worth". This "accomplishes" two things: 1) real issues that could be uncovered and fixed (so more people would actually use the security feature) are masked by "turn it off" and 2) sadly most IT staff don't care enough to put the effort into making it work with their environment.

Having those knobs also invites the issue of the knob being available to malicious entities as well. Overall, it's horribly broken.
#4, posted by e1-531g on 26th July 2015

Announcing ASLR Completion
https://hardenedbsd.org/article/shaw...slr-completion

Quote:
Over the July 4th weekend, we implemented randomization of the VDSO (Virtual Dynamic Shared Object).
[..]
Randomizing the VDSO was the last piece of the address space to randomize.

Now that VDSO randomization is implemented, our ASLR implementation is now complete.