Introducing HardenedBSD's New Binary Updater
4 January, 2016 - 15:17 — latteraOne feature our users have been asking us ever since we officially launched over a year ago was to provide binary updates for base and kernel. We are excited to announce that we are launching the framework for binary updates today! We still need to tie in the update build script to our continuous integration infrastructure. For now, updates for the hardened/current/master branch of the HardenedBSD repo will be done manually. When we create the next installers/distsets for the HardenedBSD-stable repo, we'll also support updates there. You will notice two new programs, /usr/sbin/hbsd-update and /usr/sbin/hbsd-update-build, which apply and build update packages, respectively. This work was sponsored by G2, Inc, who has an immediate need for binary updates. Read on for the full design specification.
Weekly IRC Meetings and Wallpaper Contest
4 November, 2015 - 11:38 — RaTIt's been awhile since I've posted any news as I've been focused on some back end changes (*cough* new server) as well as VIP content. Things are moving slower than I'd like, but I'm happy that we're still making progress. The point of this news post is mostly to announce that we're moving our weekly IRC meetings from Thursdays at 4pm EST to Wednesdays at 3pm EST. We've had a number of complaints about the later time on Thursdays as well as most of our crew feeling that Wednesdays are the least busy day. This is effective immediately, so we will be having an IRC meeting today.
The other thing I wanted to mention is that we haven't received that many entries for our 2015 Wallpaper Contest. If you have art skills or know anybody that does, please enter our contest with a submission. The number of submissions will influence our decision to create other contests, as there's no point in making contests if the community isn't interested in participating.
SOLDIERX Wallpaper Contest is BACK!
1 September, 2015 - 11:11 — RaTI'm happy to announce that the SOLDIERX Wallpaper Contest has returned after a 3 year hiatus. As many of you know, we've been busy getting VIP releases out left and right - so we wanted to give members of the community who can't afford VIP a chance for (mostly) free access. With that being said, here is the official announcement:
SOLDIERX proudly presents the official 2015 SX Wallpaper Contest. The contest begins now and lasts until 12-31-2015. This year we are doing a two part voting system so that everybody has a fair chance. We are stressing quality over quantity. Please see the contest page for more details. Currently 1st place wins their choice of shirt or poster with their design as well as free VIP access. Good luck to all who enter!
SX at Defcon 23
31 July, 2015 - 16:23 — RaTThanks to corporate funding, SX will be hosting an event similar to those that we used to host at Defcon when it was at the Alexis Park. The event will take place at a secret location starting Thursday, August 6th, at 18:00 PDT. Confirmed SX Crew are Everest, Amp, Blake and even a surprise visit by cisc0ninja. If you're interested in attending, please contact me. Please put some way for us to contact you, either an email address that you'll be checking during Defcon or a phone number that we can send an SMS number to. If you're not really part of the SX community, please put in the message why I should let you attend our event. We also put up a new shirt design over at RedBubble just for Defcon. I hope everybody has a great time in Las Vegas next week!
HardenedBSD Call For Donations
19 July, 2015 - 21:01 — latteraIt takes a lot to run a project like HardenedBSD. We're grateful for SoldierX's sponsorship. In 2014, we asked the community for help in funding a development server. The community responded quickly and our server was fully-funded within a short amount of time. That server is now being put to great use as our package building server. We appreciate all the help everyone has given us to date.
We would like to ask the community today for further donations. Our target is $7,000 USD. The funds will go towards hardware updates, hosting requirements, and potentially setting up a not-for-profit (501(c)(3)) organization so further donations will become tax-deductible.
If you'd like to donate, please donate via PayPal at address [email protected]. We also accept BitCoin at address 1FmbSRvZK4yC1b6ajeZWSvYXV2nmvwdWQq. If you donate and wish your name to be added to the Donors page, please drop an email to [email protected]. Every donation counts and is appreciated, even donations as small as $1.00 USD.
HardenedBSD Completes Its ASLR Implementation
14 July, 2015 - 11:20 — latteraOver the July 4th weekend, we implemented randomization of the VDSO (Virtual Dynamic Shared Object). The VDSO is a spot in memory that is shared between the kernel and userland memory. It contains the signal trampoline and time-related code (like gettimeofday(2)). Even though the amount of code is small in the VDSO, it could still theoretically be used to generate ROP gadgets. Removing that piece of determinism makes generating ROP gadgets based on code in the VDSO more difficult. Randomizing the VDSO was the last piece of the address space to randomize.
Now that VDSO randomization is implemented, our ASLR implementation is now complete. You'll notice a new sysctl(8): hardening.pax.aslr.vdso_len. That controls the amount of entropy applied to the VDSO base. Our version of ASLR is the strongest form ever implemented in any BSD operating system.
Our ASLR implementation features:
- Execution base randomization of Position-Independent Executables (PIEs)
- Full stack randomization in addition to a random stack gap
- RTLD base randomization
- mmap randomization
- VDSO randomization
- Shared object load order randomization
You will still see further improvements. We are looking into making our shared object load order randomization more efficient with help from Michael Zandi. We need to update our aslr(4) manpage. We need to clarify some of the inline comments. These improvements are mostly cosmetic and result in no functionality changes.
