[CALL FOR TESTING] HardenedBSD's ASLR

Started by franco, March 30, 2016, 02:38:46 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
April 16, 2016, 05:31:02 PM #15
Super. :) So to go the extra mile before releasing it to the public, there is one last ASLR test kernel based on the current kernel (16.1.9 as 16.1.10 has no new kernel):

# opnsense-update -kr 16.1.9-aslr && /usr/local/etc/rc.reboot

Report back, even if ok. Thanks everyone!!!
April 16, 2016, 08:16:26 PM #16
I actually cant :/ I cant access my router VIA putty, Im certain the password for root is correct and even logged in via the GUI to change it incase it wasnt and yet I still receive Access Denied when attempting to login via SSH
April 16, 2016, 08:54:09 PM #17
Is password authentication enabled and allowed?
April 16, 2016, 09:04:11 PM #18
found it, It was; but allow root login wasn't checked.
April 17, 2016, 04:05:04 AM #19
I'm using the ASLR based kernel with OPNsense 16.1.10. I'll report back in a few days if I notice any issues.
May 20, 2016, 08:54:39 AM #20 Last Edit: May 20, 2016, 09:00:09 AM by franco
Hello everyone,

All the commits have been moved into place for the new kernel with ASLR.

There is one final testing kernel that y'all can try out and report back. It would be nice to get a note in the form of "now running amd64 ASLR" or "now running i386 ASLR" respectively so we know that when there are no more reports about issues that we can go full-speed ahead.

The kernel is identical to 16.1.14 except for the ASLR additions. You can upgrade like this:

# opnsense-update -hkr 16.1.14-aslr && /usr/local/etc/rc.reboot

(-h is new, it will register the kernel as 16.1.14 instead so it is not lost on firmware upgrades that do not update the kernel.)

FWIW, now running amd64 ASLR :)


Cheers,
Franco

PS: You can confirm ASLR using the following command...

# dmesg | grep HBSD
May 20, 2016, 05:43:33 PM #21
Would be great to have a branch on Github for people who compile their own kernel :)
May 20, 2016, 06:27:57 PM #22
The commits have been on the master branch of src.git for almost two months now.

The stable branches have been adjusted yesterday to build ASLR too.

I am unsure what you are referring to?
May 20, 2016, 06:33:51 PM #23
QuoteThe commits have been on the master branch of src.git for almost two months now.

I saw 2 commits in March, but didn't know if changes were made after that.

QuoteThe stable branches have been adjusted yesterday to build ASLR too.

I built "stable/16.1" yesterday, but didn't get a kernel with ASLR. I see now that there was a new commit made after my build, so will try again :)
May 20, 2016, 07:14:51 PM #24
There were no changes after the merge on March 28. The only thing I had to change was to move the build options out of GENERIC (that was the third commit actually).

Build errors can happen on the master branches, questions can always be asked. For master there is still a bit of work to do with ports (e.g. the impending mpd4 removal) yet some things need to be stuck in order for stable to still work in the first place. Lots of bits and bolts, but nothing that a conversation and a manual edit can't solve.

Let me know how your build goes. :)
May 21, 2016, 01:13:34 PM #25
Building went fine. Same warnings were shown. I didn't see any new messages.
Same when running it, same old problems, nothing new so far :)
May 21, 2016, 04:48:46 PM #26
Oh yeah and I can't wait for PIE :)
Print
Go Up Pages 1 2
User actions