HardenedBSD January 2022 Status Report

The first month of the year started strong. I'm going to get right into it.

In base:

  1. FreeBSD landed their Virtual Dynamic Shared Object (VDSO) late last year. I brought those changes in to 14-CURRENT (and subsequently 13-STABLE). I ensured that the VDSO's userland mapping was still randomized. As it stands today, the VDSO is active on amd64, but not on arm64. I tested to make sure that both scenarios still work by testing on the development ThunderX1.
  2. In the back port of the VDSO work to 13-STABLE, I introduced a single-character typo. I chased that down, squashing the bug.
  3. FreeBSD's pkgbase work has advanced quite a bit. Our pkgbase integration didn't follow those advancements, so I belatedly fixed that. This was needed for work sponsored by BlackhawkNest, Inc.

  4. Loic made it so that the kernel's config file isn't embedded in the kernel.
  5. I made it so that we apply a separate delta for the RTLD upon image activation time. Previously, we would apply the same delta we use for regular mmap calls. Re-using the mmap delta placed the RTLD right next to the other dependent shared objects. As the RTLD contains high-value targets, applying a separate delta helps protect those targets.
  6. I identified a problem with the OpenSSH import in base whereby the in-app sftpd service would crash when a Windows client attempted to connect. I resolved that issue by fixing a kernel check on the process control KPI.
  7. FreeBSD introduced a new `security.bsd.allow_ptrace` sysctl node and its corresponding integration code. When PAX_HARDENING is set in the kernel (it is set by default), the sysctl node will default to 0.
  8. CVE-2021-4034 came out. I took inspiration from OpenBSD's general mitigation of checking that (argc == 0) in the kernel before allowing execve(2) to complete. The implementation of the argc check differs between FreeBSD and HardenedBSD. FreeBSD's implementation occurs much sooner in the code path, whereas my implementation occurs after the sysentvec-specific sv_copyout_strings function pointer is called. Should there be a weird sv_copyout_strings implementation, our argc check will be more resilient than the FreeBSD check.
  9. The old Berkely DataBase (bdb) implementation requires downstream consumers to reference function pointers in a contextual structure returned (and filled out) by dbopen(3). These function pointers point to uninstrumented functions in libc. Thus, when the cfi-icall scheme is applied, applications attempting to call those function pointers will be killed with SIGILL by CFI.
  10. I spent around twenty hours this month on Cross-DSO CFI, the longest amount of time spent in a while. I've identified some chicken-and-egg scenarios, especially revolving around the dlopen dance in libc and the rtld. The Cross-DSO CFI runtime intercepts calls to dlopen in order to add the shared object's memory to the CFI allow list.

In ports:

  1. Loic hardened the multimedia/ffmpeg port
  2. I fixed the misc/seabios port.
  3. Loic removed an unneeded patch in the security/osiris port.
  4. I disabled the DTRACE option for a few ports. DTrace support is broken when using a more complete llvm compiler toolchain. I need to file a bug report upstream in llvm to address this, but haven't due to lack of time.
  5. I fixed the openjdk ports.
  6. Loic fixed the devel/aarch64-none-elf-gcc ports.
  7. I disabled PaX MPROTECT for the mongodb ports.

Infrastructure work:

All of the HardenedBSD build infrastructure is graciously hosted by my employer, BlackhawkNest, Inc. Due to COVID-19, we're still working remotely 99.9% of the time, myself included. The 27th of this month was the first time in around three months since I had been in the office.

With my focus being more on the development side, I've not taken the time to set up a proper network and system monitoring solution. Some servers are experiencing hardware failures (mostly just dead drives).

Starting 02 Feb 2022, I plan to go up to the office at least twice per week. I've ordered replacement drives and will install them as soon as they arrive. The server hit hardest is the 12-STABLE nightly build server, which is at the point where I will need to rebuild it with new drives, performing a fresh reinstall and reconfiguration.

I plan to divert some of my development time towards infrastructure maintenance in February, setting up that infrastructure monitoring solution. I'd like to get us to the point where we can be anticipatory with our infrastructure's needs rather than reactionary.


HardenedBSD has had a very busy and productive January. We've made several substantial improvements. This project would not be possible without the generous and greatly appreciated contributions of the community. The HardenedBSD team and I are grateful for the opportunity to serve you.