Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
[Merged into 17.1.8] SafeStack in Ports
« previous
next »
Print
Pages: [
1
]
Author
Topic: [Merged into 17.1.8] SafeStack in Ports (Read 8941 times)
lattera
Full Member
Posts: 207
Karma: 82
[Merged into 17.1.8] SafeStack in Ports
«
on:
May 18, 2017, 08:37:54 pm »
It is with pleasure that I announce the Call-For-Testing (CFT) for SafeStack in the OPNsense ports tree. While SafeStack is already deployed for the base operating system, it has not yet been applied to the ports tree (which contains third-party software). This CFT applies SafeStack to the ports tree.
SafeStack is an exploit mitigation developed by the clang/llvm folks. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfills that dependency by including HardenedBSD's ASLR implementation, which follows PaX's design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to his/her advantage.
To help test, please follow these procedures. Please note that the SafeStack CFT package repo uses LibreSSL instead of OpenSSL as the default crypto library.
1. Login to the web GUI.
2. Click on the System tab.
3. Click on the Firmware subtab.
4. Click on the Settings subtab.
5. Change "Firmware Flavour" to "(other)" and type in "17.1/safestack" into the text field that will appear below. Remove the double-quotes.
6. Check for and apply updates
7 Reboot your OPNsense firewall.
8. Add a reply to this thread letting us know the status of your testing. Success stories are just as important as bug reports.
A sample screenshot with the firmware settings has been attached.
To relate the importance of SafeStack (and exploit mitigations in general), take a look at this article I wrote:
https://github.com/lattera/articles/blob/master/infosec/Exploit%20Mitigations/General/2017-03-21-importance/article.md
I'm excited to see OPNsense be the first firewall distribution to ship with SafeStack.
«
Last Edit: June 01, 2017, 08:18:36 pm by franco
»
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: [CFT] SafeStack in Ports
«
Reply #1 on:
May 18, 2017, 09:03:05 pm »
Thanks Shawn for the work you've put into this!
Been running this successfully for a while now. We know that the git package currently has issues with it, but that's all. If you see something let us know!
It's worth mentioning that this is a test for 17.1.7/LibreSSL/amd64 only. There will be no updates to this repository, so testers must switch back to the standard repositories to track updates.
i386 is not going to be SafeStack-enabled and Shawn likely has a better grasp on why that is.
Cheers,
Franco
Logged
lattera
Full Member
Posts: 207
Karma: 82
Re: [CFT] SafeStack in Ports
«
Reply #2 on:
May 18, 2017, 11:22:13 pm »
Hey Franco,
You're correct that SafeStack hasn't been enabled for i386. I've only enabled it for amd64 as it has received extensive testing by the HardenedBSD community on amd64. Additionally, ASLR on 32-bit systems is rather weak--there simply isn't enough bits in the address space to randomize. SafeStack would likely be too weak to be worth it on 32-bit systems.
Thanks,
Shawn
Logged
lattera
Full Member
Posts: 207
Karma: 82
Re: [CFT] SafeStack in Ports
«
Reply #3 on:
May 26, 2017, 04:00:56 pm »
I've been testing the SafeStack repo since 18 May. I haven't experienced any issues. Can anyone else confirm whether they've had issues?
Logged
weust
Hero Member
Posts: 650
Karma: 57
Re: [CFT] SafeStack in Ports
«
Reply #4 on:
May 26, 2017, 09:06:40 pm »
Just got installed in my Hyper-V 2016 setup. My PS4 Pro still connects to PSN, so let's see how gaming goes.
Logged
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: [CFT] SafeStack in Ports
«
Reply #5 on:
May 30, 2017, 03:05:00 pm »
Quagga works
Tinc works
OpenVPN (RA) works
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
lattera
Full Member
Posts: 207
Karma: 82
Re: [CFT] SafeStack in Ports
«
Reply #6 on:
May 30, 2017, 04:23:55 pm »
Great to hear! Thank you very much for helping out.
Logged
weust
Hero Member
Posts: 650
Karma: 57
Re: [CFT] SafeStack in Ports
«
Reply #7 on:
May 30, 2017, 05:26:48 pm »
As known, I don't use a lot of special features in OPNsense, but regular internet, online gaming and Netflix run just fine.
Logged
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: [CFT] SafeStack in Ports
«
Reply #8 on:
May 30, 2017, 08:28:51 pm »
Thanks for the feedback. This ended up in 17.1.8, so yay for being able to wrap this up this week!
Cheers,
Franco
Logged
tillsense
Sr. Member
Posts: 325
Karma: 49
Re: [CFT] SafeStack in Ports
«
Reply #9 on:
June 01, 2017, 07:25:27 pm »
Late but the update on 17.1.8 looks good!
cheers till
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: [Merged into 17.1.8] SafeStack in Ports
«
Reply #10 on:
June 01, 2017, 08:18:59 pm »
Looks like we made it through.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
[Merged into 17.1.8] SafeStack in Ports