Messages

166

16.1 Legacy Series / Re: Kernel panic since upgrade

« on: June 17, 2016, 12:44:12 am »

At the boot loader, could you escape to the loader prompt then use these commands:

set hardening.pax.aslr.status=0
boot

Does it boot fine for you after doing that?

167

16.1 Legacy Series / Re: Kernel panic since upgrade

« on: June 17, 2016, 12:28:10 am »

Hey bugbuster,

Can you tell us a bit more about your setup? Can you tell us if Suricata is enabled and is in IPS mode? What other services  are set up? At what point does the kernel panic happen? Before even init runs?

Thanks,

Shawn

168

16.1 Legacy Series / Re: 16.1.16 kernel HBSD ASLR message in log

« on: June 08, 2016, 03:43:12 pm »

Are you running on a 32bit or 64bit box? If you're on 32bit, you may see this occasionally. It's safe to ignore. It simply means that ASLR couldn't properly randomize the stack. There's simply not enough bits in 32bit architectures to shuffle things around.

169

General Discussion / The Future of HardenedBSD-Based Builds

« on: May 26, 2016, 05:16:23 pm »

Hey All,

I've been thinking about this quite a bit for the past few weeks. My life is getting busier and busier and my available hobbyist time is diminishing. I've decided to scale back on a few items, including producing custom OPNsense builds based on HardenedBSD. Doing so takes a good chunk of my time from my main project (HardenedBSD). I will be focusing more of my efforts on HardenedBSD.

In talking with Franco, I'm happy to continue providing patches to OPNsense on behalf of HardenedBSD. My next goal is to help OPNsense implement PIE (and maybe with RELRO + BIND_NOW) across the board for both base and ports. I hope to have that both started and completed sometime in July. I feel I'll take more of a consulting role rather than the custom build producer role.

I'm excited for all the great things OPNsense is doing, especially with regards to security. If you have any questions, comments, or concerns, please let me know.

Editing this to comment: even though I'm scaling back right now doesn't mean that I won't resume doing HardenedBSD-based builds in the future. I've loved doing my own builds and seeing HardenedBSD running on my hardware firewall appliances. If my available hobbyist time increases in the future, I may pick up custom builds again.

Thanks,

Shawn Webb

170

General Discussion / Re: ASLR, PIE and the future of i386

« on: May 25, 2016, 10:08:40 pm »

Hey All,

I just wanted to expound upon the i386 performance impact a little. The reason why Position-Independent Executable (PIE) support on i386 has a performance impact is due to the limited amount of CPU registers. The amd64 architecture has enough registers that it can dedicate one to use for the calculation of offsets. Since i386 is limited, it has to resolve symbols (functions, global variables, etc.) inefficiently. It cannot make use of a dedicated register for symbol offset calculations.

It's important to note that the 12% performance hit is a worst-case scenario. In some cases, the performance hit might be as low as 5%. The point is that you will definitely see a performance hit. This is not due to HardenedBSD or its ASLR implementation, but rather the underlying computer architecture. All operating systems, including Linux and Windows, will have a performance hit when running Position-Independent Code (PIC) on i386.

Which brings up another point: most of your applications will hit PIC. libc is a PIC library. All applications used within OPNsense depend on libc. The RTLD is a PIC library as well. (Fun fact: the RTLD relocates itself.) All dynamically-compiled applications rely on the RTLD.

Thanks,

Shawn Webb

171

General Discussion / Re: [SOLVED] Can't fetch updates: "Repository problem"

« on: May 12, 2016, 02:44:40 pm »

I also just realized that switching out opnsense-update for hbsd-update would also require changes to tools.git to use hbsd-update-build to build the distsets. Now you've got me curious about how this will work.

172

General Discussion / Re: [SOLVED] Can't fetch updates: "Repository problem"

« on: May 12, 2016, 03:01:29 am »

Hey Shawn! Thanks for working on this despite your busy schedule, we appreciate it.

Having all the goodies of HardenedBSD baked right into OPNsense seems like the perfect match for building a very secure router. I'm glad features have already been backported to FreeBSD 10 and integrated into OPNsense.

Although I might not fully understand, I'm curious about the technical reasons why binary upgrades don't work?

My pleasure. I'm grateful that OPNsense has created such an easy way to perform builds, allowing me to do what I do. The main reason why binary updates don't work is that I still need to stand up the infrastructure to host the files. I also need to patch the OPNsense codebase (which I have forked on GitHub) to point to my infrastructure rather than theirs. Since I started doing the new builds, I created a new binary update mechanism for HardenedBSD itself, called hbsd-update. I'd like to use that instead of opnsense-update for updating base. So that'll involve a little more than just replacing utilities. I gotta make sure that where those utilities (opnsense-update, pkg upgrade, etc.) are called call my utilities instead and call them in the right way. When all is said and done, there's not much work on the side of the code, but mostly I need to get the infrastructure piece working.

173

General Discussion / Re: [SOLVED] Can't fetch updates: "Repository problem"

« on: May 12, 2016, 01:19:59 am »

If the HardenedBSD version of OPNsense can't be binary upgraded, then should anyone really be using it? Are there any plans to make binary upgrades work?

Yup. I've got it on my list of things to do. However, ENOTIME. Remember that I make the OPNsense + HardenedBSD builds solely for my own purposes, but publish the builds in case anyone finds them useful. The way to upgrade right now is: backup config, reinstall, restore config. It'll be that way for some time until either someone hands me patches + an infrastructure or I get to it myself. With me buying my first home while working 80-110 hours a week while still running and maintaining HardenedBSD, you'll probably understand my lack of time.

174

16.7 Legacy Series / Re: New HardenedBSD Build

« on: May 04, 2016, 05:49:59 pm »

FreeBSD has been going to town on code correctness, including fixing memory leaks in various places. Whether this fixes your specific memory leak is another issue. I'm unsure where your memory leak is coming from as it stands. However, I've got this build installed on multiple appliances and am keeping an eye on it.

175

16.7 Legacy Series / Re: New HardenedBSD Build

« on: May 04, 2016, 02:52:07 pm »

New builds have been published. Usual caveats apply. To upgrade: backup your config, reinstall, restore config. This build includes the OpenSSL fixes and application of PIE + RELRO + BIND_NOW to more programs. You'll notice that I'm also not doing any Netgate builds and that I now support PC-Engines APU2.

Download here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-11-16.7/

176

16.7 Legacy Series / Re: New HardenedBSD Build

« on: April 19, 2016, 04:23:46 am »

Also, Weust, FreeBSD made changes to HYPERV thingies. Can you let me know if you upgrade and if it succeeds/fails?

177

16.7 Legacy Series / Re: New HardenedBSD Build

« on: April 19, 2016, 04:21:37 am »

I've now published a new build that has the pfSense and OPNsense vulnerability fixes, along with PIEified base and base compiled with RELRO + BIND_NOW (brand spankin' new features hot off the press from HardenedBSD). The usual caveats apply (no wireless, no pfsync, no binary updates) due to ENOTIME. Integriforce in whitelisting mode is still active and working flawlessly.

Download here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-10-16.7/

I'm running it with Suricata in IPS mode and OpenVPN client enabled at home. Let me know if you have any issues.

178

16.7 Legacy Series / Re: Support List of WIFI cards?

« on: April 17, 2016, 07:33:17 pm »

Im using the 16.7 alpha and the HBSD kernel. Im trying to get my intel wifi card to work as wifi. I have an AP which works great actually, I'm just trying to get experience configuring them, because you never know. Unfortunately while I can see my NIC enabling it is a different beast entirely, I cannot set it to access point mode. It seems only capable of finding other networks.

Hey Solaris17,

If you're using the HardenedBSD-based build, wireless is broken. FreeBSD 11-CURRENT switched to a new wireless networking stack that prevents OPNsense's UI from working right with regards to wireless. Fixing this is on my list of things to do, but ENOTIME.

If you're looking for wireless capabilities, I'd suggest you run vanilla OPNsense.

179

16.7 Legacy Series / Re: [CALL FOR TESTING] HardenedBSD's ASLR

« on: April 13, 2016, 01:46:04 am »

But looking at the smooth run it's merge time soon if Shawn agrees.

I tried finding a meme for "But of course!" but I couldn't really find one that fit my groove. So: YES! And yay!

180

16.7 Legacy Series / Re: [CALL FOR TESTING] HardenedBSD's ASLR

« on: March 30, 2016, 07:20:27 pm »

I'd first like to say thank you to Franco and the rest of the OPNsense team for working with me on this. Their continual focus on security and community development never ceases to impresses me. They have been a delight to work with.

The ASLR patch that OPNsense imported came directly from HardenedBSD. Last week, I took a few hours to backport our patch from 11-CURRENT to a format that OPNsense could import into 10-STABLE and 10.2-RELEASE. Franco was extremely kind to help in testing the backported patch. I'd like to thank him for his efforts and contributions.

There has recently become available a patch for FreeBSD for their own ASLR implementation. Being a fresh effort, it will require more work and peer review until it is going to be included in FreeBSD. And it is actually ASR, not ASLR. Due to being ASR, it has the potential to fragment the virtual address space. If the virtual address space is fragmented enough ASR could be disabled. FreeBSD's implementation also provides an API for non-root users to disable ASR for their own processes. HardenedBSD's implementation provides no such API and does not cause address space fragmentation issues. FreeBSD's patch under review can be found here: https://reviews.freebsd.org/D5603

No matter the architecture (amd64 vs i386 vs arm vs arm64, etc.), the HardenedBSD ASLR patch provides a performance impact so small that the authors of the patch (Oliver Pinter and myself) do not know how to accurately measure the impact.

As of this writing, OPNsense does not support building applications as Position-Independent Executables (PIEs). That will come soon. Compiling an application as a PIE allows that application to take full advantage of ASLR.

On amd64, compiling the application as a PIE incurs zero overhead. On i386, the performance impact could be as large as 12%. It's important to note that the overhead on i386 is _NOT_ due to HardenedBSD's ASLR implementation, but due to the i386 architecture. PIE on i386 places additional requirements that cause performance degradation.

HardenedBSD's ASLR implementation has proven to be rock solid over the multiple-year span it has been developed. It performs extremely well and, of all the BSD ASLR implementations, introduces the most entropy into the process' address space. I know of no other ASLR implementation that introduces 41 bits of entropy into the stack on amd64.