HardenedBSD September 2022 Status Report


Shawn Webb

Oct 3, 2022, 5:42:19 PM
to HardenedBSD Users
Hey all,

I apologize for the delay in getting the September 2022 status report out. But
alas, it has arrived!

My time was spent mostly on infrastructure. We're slowly aging out some
incredibly old servers in our infrastructure, occasionally not by choice. The
Dell R410 server that ran our auto-sync cron jobs decided to die. So I rebuilt
the auto-sync jail on another Dell R410 server of the same age, but the PERC
controller decided to die. So now, the auto-sync jail is hosted on another
server--but this time on a performant, stable system.

In src and ports land, I spent most of my time just resolving the occasional
merge conflict.

In src:

1. Shawn ensured that the HardenedBSD copyright is always applied
2. Loic did some house cleaning with a few files in src
3. Loic removed leftover cruft from our LibreSSL-in-base experiment
4. MrUnix0 changed the HardenedBSD pkg repo configuration in 14-CURRENT to use
HTTPS rather than HTTP. We're still exploring whether this change can be
safely MFC'd to 13-STABLE, but we're being very conservative here.
5. FreeBSD updated `less(1)` to v608, which introduced a number of CFI
violations. Shawn fixed two that were readily apparent.
6. Loic set `-fstack-protector-strong` for the kernel.
7. Loic fixed a few compiler warnings/errors when using a modified kernel
config.

In ports:

1. Shawn enabled PulseAudio support for net/freerdp. Having audio over RDP seems
pretty useful.
2. Loic enabled the sort plugin for editors/pluma.
3. Loic added games/scratch
4. Loic fixed the uname output in sysutils/mate-system-monitor
5. Loic disabled Java support by default for editors/libreoffice
6. Loic fixed textproc/docbook2mdoc
7. Shawn fixed the llvm compiler toolchain component tests, fixing CFI
applicability detection
8. Loic forced lld for graphics/cimg, science/cdo, and math/octave
9. Loic disabled PaX MPROTECT for emulators/qemu70
10. Loic fixed java/openjdk11
11. MrUnix0 disabled PaX MPROTECT and PaX PAGEEXEC for games/assaultcube
12. MrUnix0 disabled PaX MPROTECT and PaX PAGEEXEC for x11/lumina-core
13. MrUnix0 disabled PaX MPROTECT and PaX PAGEEXEC for games/xonotic

I did a new build of hbsdfw in late September, but I didn't get around to
deploying it at home as a good first test. I'm following some of the work the
OPNsense folks are doing and it seems best to hold off on a new build until some
things settle down in their core repo. I plan to kick off a new build once I'm
confident the dust has settled.

Upcoming plans:

Many of those in the HardenedBSD community know that I've worked (incredibly
slowly) off-and-on throughout the years on Cross-DSO CFI support in HardenedBSD.
In October, I plan to resume that work starting mid-October. Here's where we
stand on Cross-DSO CFI today:

I can compile (nearly) the entire dynamic world with Cross-DSO CFI. However,
there is an interesting recursion issue at early application startup with some
applications. The Cross-DSO CFI runtime intercepts calls to dlopen and dlclose.
In certain cases, libc itself may call dlopen and/or dlclose. Some applications,
even some in base (like `id(1)`) call libc functions that call into
dlopen/dlclose. This presents problems with llvm's Cross-DSO CFI runtime.

libc is an incredibly attractive target given its large surface area. It's
incredibly complex. At this time, I feel applying Cross-DSO CFI to libc itself
may be too large of an undertaking, preventing tangible progress. Thus, my
initial goal will be to apply CFI to as many shared libraries in base as I can,
but likely not libc at this time. As Rome was not built in a single day, neither
will a Cross-DSO CFI HardenedBSD be. It is my hope that we will indeed apply CFI
in the future to libc (in whole or in part), but that day is not today.

Building ports/packages will be another huge aspect of this. Back in 2018, the
last time I made tangible progress on Cross-DSO CFI, the memory footprint
ballooned when building packages due to CFI'd libraries in base. Eventually, the
experimental package build failed due to memory pressure.

My main objective: end 2023 (yes: 2023) with Cross-DSO CFI enabled in
HardenedBSD by default. Whether libc is a part of that is unknown, but we can
hope.

To fit that main objective, I plan to take a back seat to most other development
aspects of the project, with the exception of hbsdfw. I will definitely be
involved in all other aspects of the project (the infrastructure, the
Foundation, etc.) The only thing that is changing: I am formally delegating the
implementation of new security and hardening techniques to the wider HardenedBSD
community.

I appreciate all the help the community has given the project to date. I'm
especially grateful for the continued contributions, the advocacy, the support.
This little project would not exist in its current state without the recurring
love and support you, the community, provide. As I focus my attention on a more
difficult and involved goal (that of Cross-DSO CFI), I'm hopeful for a renewed
sense of excitement and support from the community.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc