Introducing SafeStack in HardenedBSD

28 November, 2016 - 09:56 — lattera

SafeStack is an exploit mitigation technique that creates two stacks: one for data that needs to be kept safe, such as return addresses and function pointers; and an unsafe stack for everything else. SafeStack promises a low performance penalty (typically around 0.1%).

SafeStack requires both ASLR and W^X in order to be effective. With HardenedBSD satisfying both of those prerequisites, SafeStack was deemed to be an excellent candidate for default inclusion in HardenedBSD. Starting with HardenedBSD 12-CURRENT, it is enabled by default for amd64. Support for non-amd64 architectures is limited by upstream clang.

As of 28 November 2016, with clang 3.9.0, SafeStack only supports being applied to applications and not shared libraries. Multiple patches have been submitted to clang by third parties to add support for shared libraries. As such, SafeStack is still undergoing active development.

SafeStack has been made available to the HardenedBSD ports tree as well. Unlike PIE and RELRO+BIND_NOW, it is not enabled globally for the ports tree. Some ports, like ports-mgmt/pkg have SafeStack enabled by default. Only those ports that have been tested to work fine will have SafeStack enabled by default. Users are able to toggle SafeStack by using the config target. Additionally, the SafeStack option is only applicable to amd64 architectures. Attempting to enable SafeStack for a non-amd64 port build will result in a NO-OP. SafeStack will simply not be applied.

Here's some good weekend reading for you if you'd like more info about SafeStack and CFI/CPI in general:

  1. SafeStack - Clang documentation
  2. Fine-Grained Control-Flow Integrity through Binary Hardening (PDF)
  3. Control-Flow Bending: On the Effectiveness of Control-Flow Integrity (PDF

VulnTrack 1.0 by Ogma Publicly Released

21 November, 2016 - 18:48 — Ogma

The first full version of VulnTrack has been released, providing the full implementation of the base functionality and several interface and functionality enhancements. For those that haven't had a chance to check out the Alpha or Beta releases, VulnTrack provides monitoring and alerting of security vulnerabilities and exploits based on a provided rule set. VulnTrack uses the rules you enter into the config file and regularly checks NIST and Exploit-DB data for matched vulnerabilities/exploits. This is especially useful for alerting on vulnerabilities that don't fall into your typical patch management system (Web Applications, Network devices, etc) or for profiling a target network to be notified when a vulnerability or exploit becomes public. As always, any feedback or feature requests are greatly appreciated.

Head over to SX Labs and download a copy - https://www.soldierx.com/sxlabs/VulnTrack

Update on HardenedBSD

16 November, 2016 - 12:01 — lattera

A Look Back on 2016

As 2016 is coming to a close, I'd like to reflect about what we've accomplished in HardenedBSD. A whole lot of work has been done and we still have a lot of work ahead of us.

  1. All of base and ports is compiled as Position-Independent Executables (PIEs) along with full RELRO (note: there are some exceptions).
  2. I started hardening some syscalls and sysctl nodes. You'll now notice that the gpart command must run as root because of that. Jailed environments and unprivileged users now cannot see which kernel modules are loaded and root cannot see the base address of kernel modules.
  3. Documentation is now a key priority. Work has started on the HardenedBSD Handbook. We have a long way to go, but the foundation has been laid.
  4. Work on cleaning up our PaX SEGVGUARD implementation has started. We're eventually going to take a whole different approach. Though the current implementation is useful, we haven't guaranteed its stability.
  5. Intel SMAP/SMEP support working in a private feature branch.
  6. LibreSSL imported into HardenedBSD base and made the default in 12-CURRENT.
  7. hbsd-update continues receiving more features and can be considered production-ready. Though there's still more work to do, it is feature complete for the vast majority of use cases.
  8. New, self-hosted package building server.
  9. Port HardenedBSD ASLR and SEGVGUARD to OPNsense, complete with PIE base/ports. Every single OPNsense install has ASLR enabled.
  10. Help FreeBSD with the RPI3 efforts. Test and research clang 3.9.0 and ld.lld on the RPI3. HardenedBSD works flawlessly on the RPI3, showing the strength of HardenedBSD's portability and robustness.
  11. Help FreeBSD with their efforts to port Linux DRM to FreeBSD. This includes buying multiple new laptops and running HardenedBSD with the drm-next-4.7 bits imported.

New Server Install - Downtime Ahead

26 August, 2016 - 11:53 — RaT

Just a heads up to all of our faithful readers, we are getting a new web server installed this weekend. The results will be a much faster user experience, with foundations laid for a site overhaul when the crew is ready. The downside is that there will be some downtime this weekend. Just wanted to give everybody a heads up, as I'm sure at least one lamer out there will claim to have DDoS'd us offline. Everything should be up and running no later than Monday, August 29th, 2016. While we're still online, you should check out new tutorials by r3q13m - our latest crew member of SX.

r3q13m Promoted to Crew

13 July, 2016 - 20:10 — Shinobi

Congratulations to r3q13m for being promoted to the rank of SoldierX crew for his hard work; on the software projects RAPTORRDP,Mirage Disk Image and his tutorial "Software as a Service (SAAS) demystified from a programming perspective." His enthusiasm is an encouragement, and we await to see more great feats. Again, congrats well deserved!

OFACE ISO Alpha now available!

14 June, 2016 - 12:15 — Amp

Up to this point, we have encouraged people to create their own ISOs and thumbdrives to run OFACE. After revisiting this topic though, I have decided to release a proof of concept ISO with the current version of OFACE. Please note that I am in the midst of looking at making OFACE itself more powerful so this is nowhere near finalized yet and that this release is for VIP only. All details along with a download link are available via its SX Labs entry for those who are interested.

Syndicate content