OPNsense Forum » Archive » 17.1 Legacy Series
Topic: [Merged into 17.1.8] SafeStack in Ports (Read 8938 times)
lattera (Full Member, Posts: 207, Karma: 82)
[Merged into 17.1.8] SafeStack in Ports
« on: May 18, 2017, 08:37:54 pm »
It is with pleasure that I announce the Call-For-Testing (CFT) for SafeStack in the OPNsense ports tree. While SafeStack is already deployed for the base operating system, it has not yet been applied to the ports tree (which contains third-party software). This CFT applies SafeStack to the ports tree.
SafeStack is an exploit mitigation developed by the clang/llvm folks. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfills that dependency by including HardenedBSD's ASLR implementation, which follows PaX's design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to his/her advantage.
To help test, please follow these procedures. Please note that the SafeStack CFT package repo uses LibreSSL instead of OpenSSL as the default crypto library.
1. Login to the web GUI.
2. Click on the System tab.
3. Click on the Firmware subtab.
4. Click on the Settings subtab.
5. Change "Firmware Flavour" to "(other)" and type in "17.1/safestack" into the text field that will appear below. Remove the double-quotes.
6. Check for and apply updates.
7. Reboot your OPNsense firewall.
8. Add a reply to this thread letting us know the status of your testing. Success stories are just as important as bug reports.
A sample screenshot with the firmware settings has been attached.
To relate the importance of SafeStack (and exploit mitigations in general), take a look at this article I wrote:
https://github.com/lattera/articles/blob/master/infosec/Exploit%20Mitigations/General/2017-03-21-importance/article.md
I'm excited to see OPNsense be the first firewall distribution to ship with SafeStack.
« Last Edit: June 01, 2017, 08:18:36 pm by franco »
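The mitigation described in the opening post is easiest to see in a compiled program. The following is an added example, not code from this thread, from OPNsense or from HardenedBSD. It assumes a clang toolchain (SafeStack is a clang feature, enabled with `-fsanitize=safe-stack` and reported through `__has_feature(safe_stack)`); the helper names and the 1 MiB distance threshold are the example's own. Built without the flag, the address-taken buffer sits inside the function's frame on the regular stack; built with it, clang moves the buffer to the separately mapped unsafe stack, far from the frame, which is what keeps an overflow of that buffer from reaching the return address.

```c
/* Added example (not from the forum thread). Build twice and compare:
 *   clang -O1 -o plain     safestack_demo.c
 *   clang -O1 -fsanitize=safe-stack -o safestack safestack_demo.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* clang reports a SafeStack build through __has_feature(safe_stack);
 * compilers without the feature (e.g. gcc) end up with 0 here. */
#if defined(__has_feature)
#  if __has_feature(safe_stack)
#    define SAFESTACK_BUILD 1
#  endif
#endif
#ifndef SAFESTACK_BUILD
#  define SAFESTACK_BUILD 0
#endif

/* 1 when this translation unit was compiled with -fsanitize=safe-stack. */
int safestack_enabled(void) { return SAFESTACK_BUILD; }

/* Distance in bytes between an address-taken buffer and this function's
 * frame on the regular (safe) stack. Without SafeStack the buffer is part
 * of the frame, so the distance is a handful of bytes. With SafeStack the
 * buffer's address escapes (to strncpy and to the integer cast below), so
 * clang places it on the unsafe stack, a separate mapping far away. */
__attribute__((noinline))
uintptr_t buffer_distance(const char *input)
{
    char buf[64];                                      /* address-taken: unsafe */
    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    uintptr_t here = (uintptr_t)buf;
    return here > frame ? here - frame : frame - here;
}

/* 1 if the buffer lives outside the regular stack. 1 MiB is a constructed
 * threshold: a frame is far smaller, a separately mapped stack is far
 * further away. */
int buffer_on_separate_stack(const char *input)
{
    return buffer_distance(input) > ((uintptr_t)1 << 20);
}

int main(void)
{
    printf("SafeStack build: %d\n", safestack_enabled());
    printf("buffer is %s the regular stack (distance %lu bytes)\n",
           buffer_on_separate_stack("cft") ? "outside" : "inside",
           (unsigned long)buffer_distance("cft"));
    /* Run the SafeStack binary a few times: when ASLR randomizes both the
     * stack and the mapping that holds the unsafe stack, the distance
     * changes between runs; without ASLR it is the same every time, which
     * is the dependency the opening post describes. */
    return 0;
}
```

The check in `buffer_on_separate_stack` is deliberately symmetric: it reports 0 for a plain build and 1 for a SafeStack build, so the same binary source documents both states without any knowledge of the memory layout beyond "near" and "far".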
franco (Administrator, Hero Member, Posts: 17660, Karma: 1611)
Re: [CFT] SafeStack in Ports
« Reply #1 on: May 18, 2017, 09:03:05 pm »
Thanks Shawn for the work you've put into this!
Been running this successfully for a while now. We know that the git package currently has issues with it, but that's all. If you see something let us know!
It's worth mentioning that this is a test for 17.1.7/LibreSSL/amd64 only. There will be no updates to this repository, so testers must switch back to the standard repositories to track updates.
i386 is not going to be SafeStack-enabled and Shawn likely has a better grasp on why that is.
Cheers,
Franco
lattera (Full Member, Posts: 207, Karma: 82)
Re: [CFT] SafeStack in Ports
« Reply #2 on: May 18, 2017, 11:22:13 pm »
Hey Franco,
You're correct that SafeStack hasn't been enabled for i386. I've only enabled it for amd64 as it has received extensive testing by the HardenedBSD community on amd64. Additionally, ASLR on 32-bit systems is rather weak--there simply aren't enough bits in the address space to randomize. SafeStack would likely be too weak to be worth it on 32-bit systems.
Thanks,
Shawn
lattera (Full Member, Posts: 207, Karma: 82)
Re: [CFT] SafeStack in Ports
« Reply #3 on: May 26, 2017, 04:00:56 pm »
I've been testing the SafeStack repo since 18 May. I haven't experienced any issues. Can anyone else confirm whether they've had issues?
weust (Hero Member, Posts: 650, Karma: 57)
Re: [CFT] SafeStack in Ports
« Reply #4 on: May 26, 2017, 09:06:40 pm »
Just got installed in my Hyper-V 2016 setup. My PS4 Pro still connects to PSN, so let's see how gaming goes.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: [CFT] SafeStack in Ports
« Reply #5 on: May 30, 2017, 03:05:00 pm »
Quagga works
Tinc works
OpenVPN (RA) works
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
lattera (Full Member, Posts: 207, Karma: 82)
Re: [CFT] SafeStack in Ports
« Reply #6 on: May 30, 2017, 04:23:55 pm »
Great to hear! Thank you very much for helping out.
weust (Hero Member, Posts: 650, Karma: 57)
Re: [CFT] SafeStack in Ports
« Reply #7 on: May 30, 2017, 05:26:48 pm »
As known, I don't use a lot of special features in OPNsense, but regular internet, online gaming and Netflix run just fine.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.
franco (Administrator, Hero Member, Posts: 17660, Karma: 1611)
Re: [CFT] SafeStack in Ports
« Reply #8 on: May 30, 2017, 08:28:51 pm »
Thanks for the feedback. This ended up in 17.1.8, so yay for being able to wrap this up this week!
Cheers,
Franco
tillsense (Sr. Member, Posts: 325, Karma: 49)
Re: [CFT] SafeStack in Ports
« Reply #9 on: June 01, 2017, 07:25:27 pm »
Late but the update on 17.1.8 looks good!
cheers till
franco (Administrator, Hero Member, Posts: 17660, Karma: 1611)
Re: [Merged into 17.1.8] SafeStack in Ports
« Reply #10 on: June 01, 2017, 08:18:59 pm »
Looks like we made it through.
Cheers,
Franco