On Thu, Mar 6, 2014 at 1:55 AM, Jason Hellenthal wrote:
> I would also add . . . separate ssh keys and passwords if the user needs
> access to both host and jailed systems. This is just common practice and
> not a security flaw by any means but an engineering oversight.
>
> Popsicle sticks also h
patches/20140514091132-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff
Thanks,
Shawn Webb
for months. amd64 is rock solid from my experience. But your mileage may
vary, hence the CFT. :-)
Thanks,
Shawn
On May 14, 2014 10:02 AM -0700, Adrian Chadd wrote:
> Hi!
>
> Cool! Does it run on MIPS? :P
>
>
> -a
>
>
> On 14 May 2014 06:58, Shawn Webb wrote:
>
On May 23, 2014 07:53 PM +, Wojciech A. Koszek wrote:
> On Wed, May 14, 2014 at 09:58:52AM -0400, Shawn Webb wrote:
> > Hey All,
> >
> > [NOTE: crossposting between freebsd-current@, freebsd-security@, and
> > freebsd-stable@. Please forgive me if c
Hey All,
I've submitted a new revision of our ASLR patch to Phabric. It can be
applied to 11-CURRENT. The main changes include removal of the MAP_32BIT
hack for amd64, a couple bug fixes, and stylistic changes requested by a
few people. I'm looking for commentary and volunteers for testing. The li
the patch is much too large to attach to an email, you can find our
latest patch on FreeBSD's Phabricator:
https://reviews.freebsd.org/D473
Or download the raw version of the patch:
https://reviews.freebsd.org/D473?download=true
Please let me know if you find any issues.
Thanks,
Shawn W
On Tuesday, February 24, 2015 01:30:19 PM Bartek Rutkowski wrote:
> On Sat, Feb 21, 2015 at 3:59 PM, Shawn Webb
wrote:
> > Hey All,
> >
> > It has been a long time since we sent out a call for testing request for
> > our ASLR patch. We've been hard at work m
for a smaller prereq patch:
https://reviews.freebsd.org/D3565
Thanks,
Shawn
>
> Cheers,
> BL
>
> On Wed, Mar 9, 2016 at 2:05 PM, Piotr Kubaj wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Shawn Webb has recently announced that ASLR
ed, Mar 9, 2016 at 4:22 PM, Shawn Webb
> wrote:
>
> > (Responding inline)
> >
> > On Wed, Mar 09, 2016 at 04:05:12PM +, Big Lebowski wrote:
> > > Hi Piotr,
> > >
> > > There are people who can probably answer it better, but until they do,
w speed (e.g. on a server which is hardened in other ways)
> or for the extra warm fuzzies that ASLR provides.
The great thing is that our implementation comes as a kernel build
option, just like you want. Our implementation also works on a per-jail
basis.
Thanks,
--
Shawn
's implementation.
It has been a kernel option that you can toggle at compile time with the
PAX_ASLR kernel option. It can also be toggled via /boot/loader.conf by
setting hardening.pax.aslr.status=0.
Thanks,
--
Shawn Webb
HardenedBSD
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint:
ck and VDSO randomization.
If the implementation that FreeBSD provides is better than
HardenedBSD's, we'd likely drop our implementation and go with
FreeBSD's.
I'll keep an eye on Phabricator today.
Thanks,
--
Shawn Webb
HardenedBSD
GPG Key ID: 0x6A84658F52456
es. ASLR helps make more difficult the successful
exploitation of buffer overflows, format string vulnerabilities, etc.
In HardenedBSD, we've fixed the two libarchive vulnerabilities that
FreeBSD is vulnerable to. But the fixes are only band-aids until FreeBSD
publishes their fixes,
hile icc uses
> the intermediate representation.
>
The only other major thing to discuss is supporting public key chaining.
Ideally, digital signature support should also support chaining multiple
keys (similar to X.509 PKI). If the accepted solution supported cert
chaining, then the solution
Qualys:
>
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
FreeBSD is indeed affected. I've written a PoC, which works even with
the stack guard enabled:
https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c
Thanks,
--
Shawn Webb
Co
:
> Hi Shawn,
>
> Nice p0c, but it doesn't work with security.bsd.unprivileged_proc_debug=0,
> which was initially enabled in the menu with hardening options.
>
> Pawel.
>
>
> On 20 June 2017 at 14:15, Shawn Webb wrote:
>
> > On Tue, Jun 20, 2017 at
Qualys:
>
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
As a follow-up, Stack Clash should now be mitigated in HardenedBSD:
https://github.com/HardenedBSD/hardenedBSD/compare/de8124d3bf83d774b66f62d11aee0162d0cd1031...91104ed152d57cde0292b2dc09489fd1f69ea77c
Thanks,
--
ced a
regression with mysql56-server when stack_guard_page is set to a
positive integer value greater than 1. All my testing so far has only
been on amd64. I have arm64 devices running the same code, but they
don't do nearly as intensive work as my amd64 systems.
It seems the MAP_GUARD
naconda-addon/> to set security
> profiles during install.
I'll get in touch with some of my coworkers, who were instrumental in
the creation of SCAP. I'll get their thoughts on LoE for porting to
FreeBSD. Depending on their schedules, my response may be delayed.
Thanks,
--
Shawn W
On Sat, Jul 22, 2017 at 09:17:26AM -0400, Joey Kelly wrote:
> On Saturday 22 July 2017 08:47:12 Shawn Webb wrote:
> > On Fri, Jul 21, 2017 at 09:49:14PM -0400, Yonas Yanfa wrote:
>
> > >
> > > Yes, and it shouldn't be too hard to port this to FreeBSD
yed,
FreeBSD does not support SEGVGUARD at the moment.
Thanks,
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
lid wrote:
> > > Hello All,
> > >
> > > I would like to configure SEGVGUARD for few critical applications in
> > > FreeBSD10. Is it available natively in FreeBSD10?
> > >
> > > If so, could anyone help me in enabling/configuring SEGVGUARD
>
I forgot to mention that hardening.pax.segvguard.status is a sysctl
node. To set it:
sysctl hardening.pax.segvguard.status=2
Or in /etc/sysctl.conf:
hardening.pax.segvguard.status=2
Thanks,
Shawn
On Fri, Aug 04, 2017 at 08:46:46AM -0400, Shawn Webb wrote:
> After booting HardenedBSD,
t working is calling connect(2) on the socket file
descriptor in the parent. errno gets set to ECAPMODE. This is puzzling
to me since CAP_CONNECT is set on the descriptor.
Any help would be appreciated.
Thanks,
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
GPG Key ID: 0x6A8465
Laurie wrote:
> ECAPMODE means the syscall is forbidden, surely?
>
> On 26 September 2017 at 20:37, Shawn Webb wrote:
> > Hey All,
> >
> > I'm working on applying Capsicum to Tor. I've got a PoC design for how
> > I'm going to do it posted here:
>
On Tue, Sep 26, 2017 at 07:37:53PM +, Shawn Webb wrote:
> Hey All,
>
> I'm working on applying Capsicum to Tor. I've got a PoC design for how
> I'm going to do it posted here:
>
> https://github.com/lattera/PoCs/tree/master/capsicum_fdpassing
>
> N
I'm curious about the rationale behind not requiring expiration of
trusted root key material.
Can jails contain a different trust chain than the host?
Thanks,
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
ur own CA, with the CA
cert having a lifetime of twenty years. The key material used to sign
the update gets regenerated every year on January 1st, but has a
thirteen-month lifespan. The CA key material resides on an encrypted
flash drive, stored in a place that requires two signatures from two
parties
disallowed, but TCP:443 is accepted.
Thanks,
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
On Tue, Jan 02, 2018 at 08:52:27PM -0500, Mike Tancsa wrote:
> I am guessing this will impact FreeBSD as well ?
>
> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
https://meltdownattack.com/
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
Tor-ified Signal:
t really do much
on its own.
Granted, I could have misread and be completely wrong. Please let me
know if I am.
Thanks,
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
Tor-ified Signal:+1 443-546-8752
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 B
On Tue, Mar 05, 2019 at 11:20:51AM -0800, Cy Schubert wrote:
> This came over my phone's news feed. Another example that Colin Percival was
> right when he wrote his paper on exploiting cache for fun and profit many
> years ago.
Weird machines are weird.
Thanks,
--
Shawn Webb
ncy.
It appears that Netflix's advisory (as of this writing) does not
include a timeline of events. Would FreeBSD be able to provide its
event timeline with regards to CVE-2019-5599?
Were any FreeBSD derivatives given advanced notice? If so, which ones?
Thanks for your time, resources, and conti
On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
> Sorry for the late response, only so many hours in the day.
Completely understood. Thanks for taking the time to respond!
>
> On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
> > It appears that Netflix
On Fri, Jul 05, 2019 at 07:52:32AM -0700, Dan Langille wrote:
> > On Jul 5, 2019, at 6:40 AM, Shawn Webb wrote:
> >
> >> On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
> >> Sorry for the late response, only so many hours in the day.
> >
algorithms for measuring ASLR was meant to test
ASLR, not FreeBSD's ASR implementation. Thus, paxtest results for
FreeBSD's ASR are moot.
Link to the relevant discussion, as pointed out by the dude who coined
the term ASLR: https://reviews.freebsd.org/D5603#120017
result in a crash and a denial of service attack.
Hey all,
Has anyone looked at if/how setting map_at_zero=1 impacts the null ptr
deref issue?
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A
s project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?
lolwut,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
> On 06/04/2021 16:27, Shawn Webb wrote:
>
> > 1. BSDStats isn't run/maintained by the FreeBSD project. File the
> > report with the BSDStats project, not FreeBSD.
> > 2. You install a package that
lem, you went the hostile route.
I'm sure you won't learn anything from this, but I hope you do. To me,
it reinforces how random people feel entitled to force their will on
others.
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
s referencing a bug that's already fixed in all supported
versions of FreeBSD. A lot of hand waving just for "nothing to see
here, move along" if your systems are up-to-date.
The commit that fixed the vulnerability is
8f594d4355a16f963e246be0b88b9fba8ad77049, made on 31 Aug 2020. That
ted with a NULL key file.
bsdinstall has a nifty option for using geli to encrypt your ZFS root
pool (usually named zroot). Are ZFS pools created by bsdinstall
impacted?
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
main branch.
Note that this code is simply Tavis' original PoC, just modified
enough to get it to build on FreeBSD and OpenBSD.
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF
On Thu, Jul 27, 2023 at 01:38:09PM -0400, Jung-uk Kim wrote:
> On 23. 7. 27., Jung-uk Kim wrote:
> > On 23. 7. 27., mike tancsa wrote:
> > > On 7/26/2023 5:46 PM, Shawn Webb wrote:
> > > > On Wed, Jul 26, 2023 at 08:34:56PM +, 0x1eef wrote:
> > > > &
31
> Thread 0x80068ab00 running on CPU 14
> Thread 0x800686f00 running on CPU 2
>
>
> CPU: AMD EPYC 7302P 16-Core Processor (3000.06-MHz K8-class
> CPU)
I've reverted the old work in favor of Jung-uk Kim's patch in my
feature branch (shawn.webb/bsd/main)
ecifically targeted x86_64
> Linux systems using glibc.
Hey Gordon,
Is there potential for Linux jails on FreeBSD systems (ie, deployments
making use of the Linuxulator) to be impacted? Assuming amd64 here,
too.
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
Tor-ified Sign
reactionary moment
whereby the entire project is audited. Until then, some folks would
not consider it over-reactionary to distrust any work since the bad
actor started contributing. This would apply to other projects the bad
actor contributed to as well, like libarchive.
Thanks,
--
Shawn Webb