Introducing secadm 0.1-beta1

When we first introduced our ASLR patch upstream to FreeBSD, we provided a mechanism via ugidfw for system administrators and users to toggle ASLR and other security features on a per-binary basis. However, this mechanism was more of a hack than a production-ready solution. We have been hard at work to rearchitect a new production-ready implementation. We designed an application that we like to call secadm, short for Security Administration. This application will serve as the basis for advanced administration of the security features we implement in HardenedBSD. Read on for the full release announcement.

Tags: 

Shared Object Load Order Randomization

As we mentioned in our blog article about the Offset2lib attack, we wanted to make our ASLR a little more secure against these types of attacks. One of the ways we can strengthen our ASLR implementation is by randomization the order in which shared objects get loaded when a program starts up. This removes one more piece of determinism and can further frustrate an attacker. We've now implemented it.

Tags: 

Maintenance

Our website and its database server will be undergoing routine maintenance this weekend. Please expect some downtime. Our build server will still be up if you need to grab builds. Thank you for your patience.

HardenedBSD and the Offset2lib Attack

The recently disclosed offset2lib attack against Linux's default ASLR implementation has generated a lot of chatter. As mentioned in the paper, ASLR implementations based off of PaX's--which is the case for HardenedBSD--are generally secured against this attack. Our whitepaper describes how we calculate separate offsets for the execution base, mmap, and the stack.

Package Building Infrastructure Maintenance

HardenedBSD is growing, thanks to our donors. We've built a new server and thanks to a generous donation, we have a hosted second server. One server is generating nightly builds (our Jenkins instance) and the other is a development workhorse and is responsible for our package building. Our old server took 3.5 hours to do a buildworld+buildkernel just for amd64 and around 75-80 hours for a package build for amd64. Our new server takes 3.5 hours to do a buildworld+buildkernel+release for amd64, i386. and beaglebone black and does a package build in around 50 hours. The core team and the developers at HardenedBSD would like to thank all who have donated (and those who will donate in the future). Read on to learn our plans for our package repos.

Tags: 

a.out And NULL Mapping Support Removal

Starting with build 47, we have removed support for the a.out executable file format and NULL page mapping support. This also means that gzipped kernels in a.out format are not supported anymore in HardenedBSD as well. The a.out file format is an extremely dated format. We in the HardenedBSD project have no desire to support and ensure feature interop with such an old format. Additionally, we have no way to generate a.out files and test against it.

Crowdfunding Development Server

We're working hard to bring the FreeBSD community (and the Internet community as a whole) many security enhancements. We're looking to build an automated infrastructure along with providing our developers a system to do dedicated development on. We're paying everything out of pocket and our expenses are quite high, even as a new project. As such, we've started a crowdfunding campaign on Indiegogo for a dedicated development server.

Pages

Subscribe to HardenedBSD RSS