Topics

1

Intrusion Detection and Prevention / [SOLVED] ET Pro Telemetry Edition token

« on: February 11, 2019, 07:16:51 pm »

Hey all,

How soon after hitting the "go" button to "order" the free ET Pro Telemetry Edition ruleset should I get the email with the token?

2

19.1 Production Series / cpdup failure in 19.1-rc1 installer

« on: January 21, 2019, 08:59:30 pm »

Attempting to install 19.1-rc1/amd64 on an APU4c4, the installer fails when it's trying to cpdup into /usr/local. Screenshots linked below:

https://photos.app.goo.gl/DhCeDMHXTV4yMTcm6

https://photos.app.goo.gl/31FJd2xEDonahhrW9

https://photos.app.goo.gl/2kUkd2uHbVHTe1Z9A

3

17.1 Legacy Series / [Merged into 17.1.8] SafeStack in Ports

« on: May 18, 2017, 08:37:54 pm »

It is with pleasure that I announce the Call-For-Testing (CFT) for SafeStack in the OPNsense ports tree. While SafeStack is already deployed for the base operating system, it has not yet been applied to the ports tree (which contains third-party software). This CFT applies SafeStack to the ports tree.

SafeStack is an exploit mitigation developed by the clang/llvm folks. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfills that dependency by including HardenedBSD's ASLR implementation, which follows PaX's design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to his/her advantage.

To help test, please follow these procedures. Please note that the SafeStack CFT package repo uses LibreSSL instead of OpenSSL as the default crypto library.

1. Login to the web GUI.
2. Click on the System tab.
3. Click on the Firmware subtab.
4. Click on the Settings subtab.
5. Change "Firmware Flavour" to "(other)" and type in "17.1/safestack" into the text field that will appear below. Remove the double-quotes.
6. Check for and apply updates
7 Reboot your OPNsense firewall.
8. Add a reply to this thread letting us know the status of your testing. Success stories are just as important as bug reports.

A sample screenshot with the firmware settings has been attached.

To relate the importance of SafeStack (and exploit mitigations in general), take a look at this article I wrote: https://github.com/lattera/articles/blob/master/infosec/Exploit%20Mitigations/General/2017-03-21-importance/article.md

I'm excited to see OPNsense be the first firewall distribution to ship with SafeStack.

4

Development and Code Review / CFT: Ports PIE, RELRO + BIND_NOW

« on: August 17, 2016, 01:46:11 am »

I've now finished porting over HardenedBSD's ports PIE with RELRO + BIND_NOW support. If you make your own builds of OPNsense and you're feeling adventurous, give the hardening/pie ports feature branch a try: https://github.com/opnsense/ports/tree/hardening/pie

HardenedBSD is currently running a package build for their 12-CURRENT/LibreSSL/amd64 repo. Once that is done, I will do an experimental run (aka, exp-run) to make sure there aren't dragons lurking in corners. If the exp-run finishes successfully, I plan to merge the feature branch into master.

5

Announcements / New Core Team Member - HardenedBSD's Shawn Webb

« on: August 15, 2016, 03:15:43 pm »

Over the past year, I have had the wonderful experience of working with the OPNsense core team in porting over HardenedBSD’s robust ASLR implementation. It is with pleasure and humility that I have accepted their invitation to join the core team. My overarching goal will be to port the main features of HardenedBSD to OPNsense.

Address Space Layout Randomization, or ASLR for short, is an exploit mitigation technology that aims to make certain kinds of vulnerabilities harder to successfully exploit. In order to fully apply ASLR, applications must be compiled as a Position-Independent Executable (PIE). In the short term, my next goal is to enable PIE fully across OPNsense’s ports tree. As this is a feature HardenedBSD also needs, I’m using HardenedBSD’s ports tree and package building infrastructure as a test bed prior to importing into OPNsense.

OPNsense is investigating migrating to 11.0-RELEASE for its 17.1 release. The Virtual Memory (VM) subsystem has changed drastically between FreeBSD 10 and FreeBSD 11. Since ASLR deals with the VM subsystem, extreme care must be taken in the update of the codebase from FreeBSD 10.3 to 11.0. I will assist in those efforts by freshly porting over the ASLR implementation from HardenedBSD 11.0 to OPNsense’s FreeBSD 11.0 codebase.

I look forward to being a part of the OPNsense core team. The coordination between HardenedBSD and OPNsense will bring a more solid foundation on which home users and enterprises alike can build secure and scalable networks.

Stay safe,

Shawn Webb, on behalf of the OPNsense team.

6

General Discussion / The Future of HardenedBSD-Based Builds

« on: May 26, 2016, 05:16:23 pm »

Hey All,

I've been thinking about this quite a bit for the past few weeks. My life is getting busier and busier and my available hobbyist time is diminishing. I've decided to scale back on a few items, including producing custom OPNsense builds based on HardenedBSD. Doing so takes a good chunk of my time from my main project (HardenedBSD). I will be focusing more of my efforts on HardenedBSD.

In talking with Franco, I'm happy to continue providing patches to OPNsense on behalf of HardenedBSD. My next goal is to help OPNsense implement PIE (and maybe with RELRO + BIND_NOW) across the board for both base and ports. I hope to have that both started and completed sometime in July. I feel I'll take more of a consulting role rather than the custom build producer role.

I'm excited for all the great things OPNsense is doing, especially with regards to security. If you have any questions, comments, or concerns, please let me know.

Editing this to comment: even though I'm scaling back right now doesn't mean that I won't resume doing HardenedBSD-based builds in the future. I've loved doing my own builds and seeing HardenedBSD running on my hardware firewall appliances. If my available hobbyist time increases in the future, I may pick up custom builds again.

Thanks,

Shawn Webb

7

16.7 Legacy Series / New HardenedBSD Build

« on: March 06, 2016, 03:56:49 pm »

I'm excited to announce yet another experimental OPNsense + HardenedBSD build! This build brings OpenSSL updates along with more HardenedBSD 11-CURRENT goodness. Also in the build is a brand spankin' new feature called Integriforce Whitelist.

Integriforce is a feature in which all executable files along with the shared objects they depend on in the filesystem are hashed. The hashes are loaded into the kernel and when it comes time to execute an application, the hash is checked. If the hash doesn't match, execution is forbidden. Where whitelisting comes into play is if an application or the shared objects it depends on is not in the list of hashes at all, execution is forbidden.

So, you get two things: data integrity of executables and application whitelisting. The NSA recently stated that application whitelisting along with exploit mitigations make their lives extremely difficult.

I haven't had the time to fix wireless (major changes involved), debug pfsync, or fix binary updates. So those usual caveats apply here. To update an existing installation: backup your config, reinstall, restore your config.

Download here

8

16.1 Legacy Series / OPNSense 16.1.1 + HardenedBSD 11-CURRENT

« on: February 01, 2016, 11:15:54 pm »

Hey All,

I've published a new build of OPNSense 16.1.1 with HardenedBSD 11-CURRENT! You can grab the build from here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-08-16.1/

Future things to work on:

• Wireless isn't working. This is likely due to the new 802.11 stack in FreeBSD 11-CURRENT causing issues with the network interface code in OPNSense. Part of the problem is that the raw wireless device is now hidden from `ifconfig`.
• binary updates are now not supported. I've yet to get time to work on binary updates. So, to update to a future version, you'll need to do the usual config backup, reinstall, config restore.
• pfsync is still disabled. I'm unsure as to why this causes a kernel panic. If you are a C developer with time on your hands and want to tackle this, that'd be freaking awesome and very much appreciated.

For item #1, I've started work on getting wireless working with this commit: https://github.com/HardenedBSD/opnsense-core/commit/7c4dd2a6178343fa37880810ea94cadc141c0c78. I need to ping Adrian Chadd to figure out how to get the MAC address and the other bits from ifconfig that are now hidden that the network interface code expects without having to do a temporary clone of the device.

For item #2, OPNSense recently revamped how they provide binary updates for base. HardenedBSD now has an official binary updating mechanism as well (thanks G2, Inc for sponsoring the work!). Instead of using OPNSense's updating mechanism, I'd rather eat my own dogfood and use hbsd-update. More info about hbsd-update can be found here: https://hardenedbsd.org/article/shawn-webb/2015-12-31/introducing-hardenedbsds-new-binary-updater

For item #3, I'll need help with this one. If I were to tackle this, I'd first redo the build, but with FreeBSD 11-CURRENT instead of HardenedBSD 11-CURRENT and see if the behavior matches. If it does, then it's not a problem with HardenedBSD. If it doesn't, then the behavior is specific to HardenedBSD. I currently don't have the time it would take to do these steps, but I'd certainly love to help someone debug this if they have the time.

If anyone wants to dig into the pfsync issue, here's the crash I got:

Code: [Select]

Fatal trap 9: general protection fault while in kernel mode
cpuid = 3; apic id = 06
instruction pointer     = 0x20:0xffffffff82c22050
stack pointer           = 0x28:0xfffffe024b62aa60
frame pointer           = 0x28:0xfffffe024b62aaf0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: pfsync)