New stable versions: HardenedBSD-stable 10-STABLE and 11-CURRENT v40

HardenedBSD-10-STABLE-v40 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
-------------------------------------
[freebsd] Implement AT_SECURE properly. FreeBSD-SA-16:10.linux (HardenedBSD not affected by default install)
[freebsd] ntpd update FreeBSD-SA-16:09.ntp (already fixed in 10-STABLE v39.2)
[hardenedbsd] HBSD: Default jemalloc's lg_chunk to 16 from 21.
[freebsd] continued UEFI loader rewrite

New Member - CTurt

We've added a new member to the HardenedBSD team! CTurt will be working with us to research, exploit, and produce patches for kernel-level vulnerabilities. We'll be working on getting these kernel security enhancements upstreamed to FreeBSD after the fixes have been deemed stable in HardenedBSD first.

New development versions.

What's new:
* changed internal data types
* added new KPI to query the current HardenedBSD hardening version (in this case it returns 40)
* the default stack protection from RWX has changed to RW on amd64 architecture, this change is a noop when you have enabled NOEXEC in your kernel config (this is the default)
* fixed etcupdate integration to hbsd-update

Introducing HardenedBSD's New Binary Updater

One feature our users have been asking us ever since we officially launched over a year ago was to provide binary updates for base and kernel. We are excited to announce that we are launching the framework for binary updates today! We still need to tie in the update build script to our continuous integration infrastructure. For now, updates for the hardened/current/master branch of the HardenedBSD repo will be done manually. When we create the next installers/distsets for the HardenedBSD-stable repo, we'll also support updates there. You will notice two new programs, /usr/sbin/hbsd-update and /usr/sbin/hbsd-update-build, which apply and build update packages, respectively. This work was sponsored by G2, Inc, who has an immediate need for binary updates.

Please note that this feature is still experimental. Read on for design documentation.

Introducing secadm 0.3.0-beta-01

Over the last few months, Brian Salcedo has been working on rewriting our secadm tool from scratch. We're excited to announce the first beta release of secadm 0.3.0. User-facing changes in this release include:

  1. secadm set is now secadm load and requires a file path.
  2. secadm list is now secadm show.
    • You can now export the ruleset to different formats with the -f argument! For example, secadm show -f json exports the rules to JSON format.
  3. You can now add/remove rules one at a time with secadm add and secadm del.
  4. You can now enable/disable rules one at a time with secadm enable and secadm disable.
  5. UCL rule language is nearly the same.

Please give this release a try. You can download the tarball here and the GPG signature here. If you find any issues, please email Brian Salcedo (brian.salcedo {at} hardenedbsd.org) and CC Shawn Webb (shawn.webb {at} hardenedbsd.org).

Follow this example for the new UCL syntax:

secadm {
    pax = {
        path = "/usr/local/bin/testpie";
        aslr = false;
    }
}

Update 2015-11-22 21:58 EST: An issue was found with the PAGEEXEC and MPROTECT feature parsing. The version number has been bumped to 0.3.0-beta-02 and the links have been updated accordingly.

New Package Building Server

The folks at Automated Tendencies have graciously decided to provide a better package building server for us. We've got it set up and are running tests on it now. The old server built packages at a rate of around 300 packages per hour. This new one averages around 650-700 per hour. We're extremely grateful for Automated Tendencies. Once things settle down, we may look into setting up more mirrors. So if you've pinged us about running a mirror in the past, we may reach out to you soon.

Call For Donations Update

On 11 July 2015, we announced a Call For Donations. The community has been very gracious towards us. As of today, we have now exceeded our goal. We are grateful to each and every one of our donors, no matter the amount they contributed or in what form. HardenedBSD is growing and we need all the help we can get. We would especially like to thank Xinuos and ISC for their sizable contributions.

Here's what we've managed to do so far with the donations provided:

  • Replace two failing hard drives in the package building server along with ordering two extra for hot spares.
  • Purchase multiple ARM and ARM64 development boards for porting and testing efforts.
  • Stickers!
  • Minor expenses for conferences.
  • Hosting expenses.
  • Other hardware replacement and acquisition.

In January of 2016, work will start for becoming a 501(C)(3) not-for-profit organization in the United States. This will mean that US-based donations will be tax-deductible, giving a tangible incentive for donations.

We couldn't have done all of this had it not been for all the generous contributions, large and small. Even though we've reached our goal, we're still accepting donations. The more that comes in, the more that we can accomplish. We look forward to the coming year and the advancements we'll make.

Generous Xinuos Donation

On 05 October 2015, Xinuos™, a leading provider of UNIX-based operating systems has announced funding for the HardenedBSD project’s efforts to develop security enhancements for FreeBSD. Xinuos has contributed half of the $7,000 fundraising goal for hardware updates, hosting requirements and investigation into the formation of a not-for-profit.

The HardenedBSD project was created in 2014 by Oliver Pinter and Shawn Webb to continuously add security hardening features to FreeBSD, the open source operating system powering some of the world’s busiest services including Netflix, OKCupid and WhatsApp. Over the past year, HardenedBSD has implemented a number of advanced exploit mitigation technologies and security hardening features which were subsequently submitted upstream to FreeBSD.

“We are excited about the work we’re doing for this widely used operating system,” said Shawn Webb, HardenedBSD co-founder. “The contribution from Xinuos goes a long way toward developing new features.”

The HardenedBSD project started with the development of the Address Space Layout Randomization (ASLR) feature which helps prevent attackers from exploiting vulnerabilities in FreeBSD by making it hard for them to find vulnerabilities within memory. Other work includes SEGVGUARD, mprotect and pageexec hardening and procfs/linprocfs hardening to further block attacks on FreeBSD systems.

The project hopes to raise $7,000 by the end of 2015 to purchase new hard drives, web site hosting and begin work to form a not-for-profit organization. In September, Xinuos contributed $3,500 toward this goal as part of their commitment to the FreeBSD community.

“There couldn’t be a better time for this project and the security enhancements they’re looking to develop for FreeBSD,” said Sean Snyder, Xinuos president and chief executive officer. “We look forward to seeing the innovative work that continues to come from the HardenedBSD project.”

About Xinuos, Inc.

Xinuos provides commercial customers with operating systems that are reliable, dependable and secure for mission-critical applications that demand rock-solid performance. The Xinuos general-purpose operating systems are on pace with hardware and software industry advances and are designed to power any size business that requires stability, reliability and scalability. Learn more at www.xinuos.com.

Xinuos Media Contact

Rosie Hausler
Phone		+1 (425) 301-6740
Email		[email protected]
Internet	http://www.xinuos.com

August HardenedBSD Status Report

We at HardenedBSD have decided to do a periodic (likely quarterly) status report in order to keep the community informed of what's going on in HardenedBSD. So here goes the first status report:

The Call for Donations is going well. We have raised nearly $1,000 USD of our goal of $7,000 USD. The Internet Systems Consortium, the people behind BIND and ISC-DHCPD, have offered to match donations up to $1,000 USD. We've decided to run the donations until November 30th. We appreciate all the help and support from the community. We're excited to see where this round of donations takes us. We plan to start the 501(C)(3) organization investigation in January.

We added Brian Salcedo as an official developer, tasked with rewriting secadm nearly from scratch. He has been hard at work revamping how the rules are stored in the kernel. As part of the rewrite, he'll include ugidfw(8) functionality. The basic rewrite is 100% complete and pending a thorough code review. We're hoping to have a beta released soon.

We have started storing a cache of secadm rules for applications that are known to misbehave with our awesome enhancements. If you have a secadm rule for an application and would like to see it up there, please send us either a Pull Request on GitHub or email us a patch. Feel free to also drop in IRC and let us know. Oliver has created a little script to help in rule validation.

Shawn has been working with the OPNSense team to deliver quality builds based on HardenedBSD. Experimental builds have been posted here, the latest build being hbsd-exp-05. Work is in progress to provide a binary upgrade path and an official download location. Shawn has also been working with Baptiste Darrousin from the FreeBSD project to test his RELRO patch. The RELRO patch is in the hardened/current/unstable branch and is undergoing extensive testing, including a full package build with a number of packages being compiled with RELRO. We hope to have the RELRO patch merged into the hardened/current/master branch within the next week or two. Shawn is also preparing to give a number of presentations. He'll be speaking at vBSDcon, DerbyCon, and BSidesDC. The BSidesDC will be a recorded, four-hour presentation diving deep into HardenedBSD's internals.

Oliver has been working hard on bringing FORTIFY_SOURCE to FreeBSD for his Google Summer of Code project. He has made a lot of progress. He's currently splitting the work out into smaller patches for easier review by the FreeBSD development team. It builds fine with both clang and gcc. He also backported our ASLR code to 10-STABLE. Oliver also has been keeping tabs on HardenedBSD's infrastructure, ensuring everything runs smoothly. We had a failing disk earlier this week on our Jenkins machine and we got that replaced within a few hours. The main CPU fan pinout on the motherboard of the package building server has stopped working. Luckily there's a second pinout for an additional CPU fan. The motherboard should be under warranty. As a bandaid, the CPU fan was moved to the second pinout. We'll be working on replacing the motherboard through the normal warranty process soon.

A user reported having issues with golang on HardenedBSD. After some digging, we found out that in golang versions prior to 1.5, COMPAT_FREEBSD32 needs to be enabled in your kernel config. We have removed it from the HARDENEDBSD kernel config. Golang version 1.5, which is already in the ports tree, fixes this. We will be following up with a new package build soon.

Pages

Subscribe to HardenedBSD RSS