It has been a number of months since the last status report. I got really sick in November/December and am now recovering from COVID. Fun! Regardless, there have been a ton of enhancements and goings on in the project.
- devd(8) is now compiled as a PIE default
- FreeBSD commit 140ceb5d956bb8795a77c23d3fd5ef047b0f3c68 introduced the ability to easily force a remote process to perform a syscal (`ptrace(PT_SC_REMOTE)`). This is restricted by the `hardening.prohibit_ptrace_syscall` sysctl node by default. While an attacker can force the remote process to execute syscalls regardless, I think exposing an API to make this easier is not attractive.
- The netlink(4) module is marked as insecure. FreeBSD recently landed support for basic netlink socket support. However, the implementation quality seems to be sub-par and has me worried about security implications. FreeBSD has enabled netlink by default in the GENERIC kernel config (from which we inherit). I've disabled it default in the HardenedBSD kernel configs.
- I fixed a number of potential NULL deref vulnerabilities in netlink(4).
- I fixed a bug in the insecure kmod loading enforcement code.
- I fixed a number of code consitency issues in netlink(4).
- I introduced a new feature: malloc(9) hardening. A new kernel option, PAX_HARDEN_KMALLOC, enables all malloc(9) hardening features by default. The only feature implemented currently is zeroing allocations on creation and free. To enable allocation zeroing without having to compile a custom kernel, set the `hardening.kmalloc_zero` sysctl tunable node to 1. It is disabled by default due to obvious performance impacts.
- Kernel modules can now opt-in to -ftrivial-var-auto-init=zero. Kernel modules currently opted in:
- uuidgen(1) now defaults to generating UUIDv4 identifiers. A new option, -R, provides backwards compatibility for generating UUIDv1 identifiers.
Ports hasn't seen much change, just regular maintenance. So not much to report there.
The infrastructure is slowly coming back online. I'm now hosting GitLab and one build server at home. I'm rewriting the build scripts from scratch, tying together the `hbsd-update` artifacts and the installation media together. I'm about 99% done with that. Once that reaches 100% (hopefully by the end of this week), I will reach out to those who showed desire to host public mirrors of our builds.
I suspect my electricity bills are going to go up by around $250USD/month. Once I'm done with the infrastructure work, I will sit down and switch to the administrative side of the house.
Here are my goals for February 2023:
- Write a 2023 project roadmap with firm donation goals, coordinating this with the HardenedBSD Foundation Board of Directors.
- Send out donation receipts for 2022 US-based donors who donated $250USD or more for tax deduction purposes.
- Determine if/how to provide better cooling to our unfinished basement to prepare for summer. In the summer, our basement can get up to 90F without any servers or computer equipment. Obviously, that presents issues for continued hosting out of our basement.
- Documentation! Keep making more progress on updating our wiki with relevant documentation.