lattera to Present HardenedBSD Talk at THOTCON

lattera will be giving a talk about HardenedBSD titled "Pissing off the bad guys by porting grsecurity to HardenedBSD" at THOTCON in Chicago at 12:00PM CST on Thursday, May 4th 2017 in Track X. Please contact him if you plan on attending and he might be willing to meet up. The details of the talk are as follows:
Work on HardenedBSD began around three years ago, with HardenedBSD becoming official two years ago. We've implemented the strongest form of Address Space Layout Randomization (ASLR) in all the BSDs. We've ported over a number of grsecurity features. FreeBSD, upon which HardenedBSD is based, serves at least 36% of all peak North American Internet traffic, thanks to Netflix. Juniper, Cisco, NetApp, iXsystems, and others all use FreeBSD under-the hood. Yet FreeBSD lacks any low-level exploit mitigation technologies. Exploiting vulnerable applications has never been easier. The NSA must love FreeBSD-based systems. HardenedBSD aims to implement low-level exploit mitigations and security hardening technologies, starting with porting the grsecurity patchset. We've come a long way, and we have even longer to go.This presentation discusses in detail the advancements we've made, including comparisons to Linux and OpenBSD. Attendees will understand why exploit mitigation is an absolute must and will learn the technical details of each feature.

Amp Commissioned For "Don't Copy That: No Longer Floppy"

Amp has been commissioned by the SIIA for the role of Disc Protector Junior in a new Don't Copy That sequel. The new anti-copyright infringement campaign will be called "Don't Copy That: No Longer Floppy". The SIIA decided on Amp due to his freaky eyes, as well as the poor performance of "Don't Copy That". Amp has decided to take the campaign back to its roots, donning the original outfit of the Disk Protector from 1992. We have included a small snippet below:

If you want to see more footage, please see Full Scene, Full Scene (half size), and Amp Dancing

We hope that he'll talk about SOLDIERX and his OFACE Project in the video, but we'll have to wait for the full release to see if he does. Please feel free to comment if you have any ideas to make the video better than the original "Don't Copy That Floppy" as well as the seqel, "Don't Copy That".

Introducing CFI in HardenedBSD

Control Flow Integrity, or CFI, is an exploit mitigation technique that helps prevent attackers from modifying the behavior of a program and jumping to undefined or arbitrary memory locations. Microsoft has implemented a variant of CFI, which they term Control Flow Guard, or CFG. The PaX team has spent the last few years perfecting their Reuse Attack Protector, RAP. CFI, CFG, and RAP all attempt to accomplish the same goal, with RAP being the most complete and effective implementation. Clang's CFI is stronger than Microsoft's CFG and PaX Team's RAP is stronger than both CFI and CFG. RAP would be a great addition to HardenedBSD; however, it requires a GPLv3 toolchain and is patented.

HardenedBSD is excited to announce the integration of Clang's CFI into base. CFI is enabled by default in HardenedBSD 12-CURRENT on amd64 and can be disabled by setting WITHOUT_CFI in src.conf. CFI is not applicable to architectures other than amd64, though Shawn is working on porting SafeStack to arm64.

Clang's CFI requires a linker that supports Link-Time Optimization (LTO). On 02 March 2017, version 4.0.0 of the lld linker from the llvm project was imported into both FreeBSD and HardenedBSD. lld 4.0.0 is the first version of lld that is usable in base and provides HardenedBSD with a linker that supports LTO. We have been working hard over the past few months in developing and testing the integration of Clang's CFI in HardenedBSD's base. All CFI schemes have been enabled for all of base in HardenedBSD 12-CURRENT/amd64, with the exception of the cfi-icall scheme for a handful of applications. It is possible that we may need to disable the cfi-icall scheme for more applications and we'll need to rely on our user base to identify edge cases. Any application that calls function pointers resolved via dlopen+dlsym will require the cfi-icall scheme to be disabled.

Ogma Promoted to Crew

It is with great honor that I would like to announce the decision to promote Ogma to the status of full crew member of SOLDIERX. During the past year, Ogma has worked hard on VulnTrack as well as being an awesome member of the SX community. As with all members promoted to the status of full crew, we hope that Ogma will continue his efforts and show the same enthusiasm and workmanship that he showed during his inductee status. Congratulations Ogma!

In other news, we are in the process of creating a podcast (talk show) with segments! Hosted by Shinobi, Redcircle, and ThoughtPhreaker.

Introducing SafeStack in HardenedBSD

SafeStack is an exploit mitigation technique that creates two stacks: one for data that needs to be kept safe, such as return addresses and function pointers; and an unsafe stack for everything else. SafeStack promises a low performance penalty (typically around 0.1%).

SafeStack requires both ASLR and W^X in order to be effective. With HardenedBSD satisfying both of those prerequisites, SafeStack was deemed to be an excellent candidate for default inclusion in HardenedBSD. Starting with HardenedBSD 12-CURRENT, it is enabled by default for amd64. Support for non-amd64 architectures is limited by upstream clang.

As of 28 November 2016, with clang 3.9.0, SafeStack only supports being applied to applications and not shared libraries. Multiple patches have been submitted to clang by third parties to add support for shared libraries. As such, SafeStack is still undergoing active development.

SafeStack has been made available to the HardenedBSD ports tree as well. Unlike PIE and RELRO+BIND_NOW, it is not enabled globally for the ports tree. Some ports, like ports-mgmt/pkg have SafeStack enabled by default. Only those ports that have been tested to work fine will have SafeStack enabled by default. Users are able to toggle SafeStack by using the config target. Additionally, the SafeStack option is only applicable to amd64 architectures. Attempting to enable SafeStack for a non-amd64 port build will result in a NO-OP. SafeStack will simply not be applied.

Here's some good weekend reading for you if you'd like more info about SafeStack and CFI/CPI in general:

  1. SafeStack - Clang documentation
  2. Fine-Grained Control-Flow Integrity through Binary Hardening (PDF)
  3. Control-Flow Bending: On the Effectiveness of Control-Flow Integrity (PDF

VulnTrack 1.0 by Ogma Publicly Released

The first full version of VulnTrack has been released, providing the full implementation of the base functionality and several interface and functionality enhancements. For those that haven't had a chance to check out the Alpha or Beta releases, VulnTrack provides monitoring and alerting of security vulnerabilities and exploits based on a provided rule set. VulnTrack uses the rules you enter into the config file and regularly checks NIST and Exploit-DB data for matched vulnerabilities/exploits. This is especially useful for alerting on vulnerabilities that don't fall into your typical patch management system (Web Applications, Network devices, etc) or for profiling a target network to be notified when a vulnerability or exploit becomes public. As always, any feedback or feature requests are greatly appreciated.

Head over to SX Labs and download a copy - https://www.soldierx.com/sxlabs/VulnTrack

Syndicate content