When we first introduced our ASLR patch upstream to FreeBSD, we provided a mechanism via ugidfw for system administrators and users to toggle ASLR and other security features on a per-binary basis. However, this mechanism was more of a hack than a production-ready solution. We have been hard at work to rearchitect a new production-ready implementation. We designed an application that we like to call secadm, short for Security Administration. This application will serve as the basis for advanced administration of the security features we implement in HardenedBSD. Read on for the full release announcement.
As we mentioned in our blog article about the Offset2lib attack, we wanted to make our ASLR a little more secure against these types of attacks. One of the ways we can strengthen our ASLR implementation is by randomization the order in which shared objects get loaded when a program starts up. This removes one more piece of determinism and can further frustrate an attacker. We've now implemented it.
Our website and its database server will be undergoing routine maintenance this weekend. Please expect some downtime. Our build server will still be up if you need to grab builds. Thank you for your patience.
The recently disclosed offset2lib attack against Linux's default ASLR implementation has generated a lot of chatter. As mentioned in the paper, ASLR implementations based off of PaX's--which is the case for HardenedBSD--are generally secured against this attack. Our whitepaper describes how we calculate separate offsets for the execution base, mmap, and the stack.
HardenedBSD is growing, thanks to our donors. We've built a new server and thanks to a generous donation, we have a hosted second server. One server is generating nightly builds (our Jenkins instance) and the other is a development workhorse and is responsible for our package building. Our old server took 3.5 hours to do a buildworld+buildkernel just for amd64 and around 75-80 hours for a package build for amd64. Our new server takes 3.5 hours to do a buildworld+buildkernel+release for amd64, i386. and beaglebone black and does a package build in around 50 hours. The core team and the developers at HardenedBSD would like to thank all who have donated (and those who will donate in the future). Read on to learn our plans for our package repos.
Starting with build 47, we have removed support for the a.out executable file format and NULL page mapping support. This also means that gzipped kernels in a.out format are not supported anymore in HardenedBSD as well. The a.out file format is an extremely dated format. We in the HardenedBSD project have no desire to support and ensure feature interop with such an old format. Additionally, we have no way to generate a.out files and test against it.
We're working hard to bring the FreeBSD community (and the Internet community as a whole) many security enhancements. We're looking to build an automated infrastructure along with providing our developers a system to do dedicated development on. We're paying everything out of pocket and our expenses are quite high, even as a new project. As such, we've started a crowdfunding campaign on Indiegogo for a dedicated development server.
The published exploit for the sftp configuration vulnerability can be easily mitigated outside of sshd/sftpd. grsecurity (aka, grsec), a popular third-party hardening patch for Linux, can restrict Linux's procfs to lock down /proc/pid/mem from being written to. Linux systems using that option, then, are unaffected by the sftp configuration vulnerability.
A new amd64 build of the hardened/current/master branch has been uploaded here. In that directory, you'll find a file called HASHES. I've included all the distsets and even the memstick images. You can verify a successful download of your media by validating with that file. I've started a new amd64 package run as of 12:00 EST today.
EuroBSDCon was a resounding success! Many great presentations were delivered that discussed security and gave the HardenedBSD developers ideas for features to implement. I met a few awesome people for the first time, including Ed Maste and Ilya Bakulin. Ilya Bakulin is a developer who took great interest in our ASLR work. He knows ARM pretty well and took a look at the bug that we were experiencing on ARM in regards to ASLR. Within a few hours, he had a working, stable, production-ready patch for us to merge into the HardenedBSD tree that fully fixes ARM.