HardenedBSD November 2020 Status Report

Hey all,

We're getting close to the end of November. My wife and I have plans this weekend, so I thought I'd take the time to write November's status report today.

On amd64, with commit fd35ed2087409c7ae83ed6cf8ec041d47432a758, I added the HARDENEDBSD-NODEBUG kernel. Note that this disables INVARIANTS, which has a lot of security side-benefits due to assertion checking. Disabling INVARIANTS also means enabling PAX_INSECURE_MODE.

I've been working on the ports tree, updating more ports that need extra CFLAGS/LDFLAGS and/or need ports-based hardening features disabled (like PIE, RELRO+BIND_NOW).

I've worked on merging in some code and documentation contributions. We had our first vendor code contribution this month. I still need to review and merge in their patch for the hardening-check port.

Our self-hosted git server is still experiencing issues, but is still getting more stable as time goes on. We've noticed malicious bot scanning activity over our Tor Onion Service endpoints that put a lot of pressure on Gitea, to the point of crashing Gitea. Happens every other week or so.

There's some work that I failed to highlight in October:

  1. Per-thread stacks. We apply both a new delta to mmap(MAP_STACK) and libthr's _thr_stack_alloc(). The delta is is disabled when the hardening.pax.aslr.status syctl node/tunable is set to 1 or 0, or if ASLR is disabled for the process. I need to determine a way to disable the additional randomization added in libthr so that ports like sbcl work again. sbcl requires a deterministic memory layout.
  2. I hardeninged the debug.dump_modinfo flag. Only privileged, unjailed accounts can now access debug.dump_modinfo.

I took a brief look at Cross-DSO CFI again, merging in the latest changes from hardened/current/master into the Cross-DSO CFI feature branch. It seems that FreeBSD's switch to ZFS-on-Linux as the new basis for the upstream repo, the ZFS utilities (/sbin/zpool, /sbin/zfs) and perhaps libraries violate Cross-DSO CFI in some form or fashion. I need to set up a UFS VM and test ZFS regressions there, because it's not possible to boot a userland with Cross-DSO CFI and root-on-ZFS anymore.

In early December, I plan to catch up on HardenedBSD administrative tasks, like reaching out to October and November's donors to see if they want to be listed on the donor's page. (We default to keeping donations anonymous given the security and privacy aspects HardenedBSD promots.)

Cross-DSO CFI will start becoming my main focus again as we go into 2021. Cross-DSO CFI is a hard beast to wrangle when you have to maintain millions of lines of code in the base OS _and_ 33,000+ ports/packages built on top of that. It's a huge effort, and I'm happy to be the guinea pig for llvm's implementation of CFI in a complete OS ecosystem (base OS + third-party programs/packages.)