1. 3

    So, ASLR on OpenBSD isn’t really ASLR?

    1. 1

      If you like internet fights: correct, it’s not

      1. 3

        I didn’t ask to cause a fight. I asked because I want to know. Is there a technical reason or is it just because it doesn’t follow the PaX model? Is that reason enough? Is it because it doesn’t use the same deltas or because it uses none? Is it just a naming issue? The difference between ASR and ASLR has been briefly explained to me before in another comment here. However, that was in reference to FreeBSD’s rather recent implementation. There’s also this: https://hardenedbsd.org/content/easy-feature-comparison which is from the author but that means he’s not being consistent. Is there a reason for that? Maybe just an oversight? New information? I’m very curious about this. I have a very basic understanding of these things and maybe I’m just overlooking something that I should have picked up on. Here’s the other comment: https://lobste.rs/s/curktg/implement_address_space_layout#c_aok28i

        1. 3

          PaX introduced ASLR, and in that sense it had a specific meaning. It has since then been used to refer generically to various sorts of allocation address randomization. In a claim about ASLR the specific implementation is unclear, absent additional context.

          About two decades ago PaX ASR had performance and fragmentation concerns (on i386 Linux) which were addressed by PaX ASLR. However, those concerns are not necessarily applicable to other operating systems on contemporary 64-bit processors in today’s context.

          1. 1

            Yep. This all makes sense. The explanation about the difference between ASR and ASLR makes sense too. Though I’d never seen the term ASR mentioned before or by anyone else. However, it does seem as though OpenBSD uses some of those deltas or maybe ones that aren’t in line with the PaX model. Looking here: http://inertiawar.com/openbsd/hawkes_openbsd.pdf which is old and specific to OpenBSD 3.9 (i386) but still seems to imply that there’s the randomized stack top + randomized stack gap.

          2. 2

            I need to update the feature comparison page such that the mouse hover text mentions ASR rather than ASLR for OpenBSD. Thanks for the reminder!

            1. 3

              I reckon OpenBSD should update their innovations page as it specifically mentions ASLR also.

              https://www.openbsd.org/innovations.html

      1. 1

        I flagged this as spam. I like and respect some of the things that came out of grsecurity/PaX. However, this blog post mostly seems like a way to promote the product.

        1. 8

          Gonna disagree pretty strenuously on that one. While they do sell a product, the post is a good breakdown, with actual code listings. I hope others don’t follow your example

          1. 3

            I agree with you here. And I prefer this kind of advertising over yet another bollocks node.js-startup that creates blogs to recruit people. I swear to god, something dies inside of me every time I read something along the lines of “Our young and fresh startup is looking for new SOAP heroes. Apply now using our REST API!”

            1. 1

              I’d prefer no advertising but that’s unrealistic.

            2. 2

              That’s fine. I think it would be a good breakdown without the product plug and the “but we offer this service to our customers” nonsense.

              1. 2

                Fair enough. It’s a fine line, to be sure.

            3. 2

              This feels like an ad, but with a technical mindset. I dislike their attitude the most. They may be correct, but they come over as assholes. Oh look how great we are and how bad the kernel team is…

              1. 2

                True, there’s certainly an element of that, but honestly I was pleasantly surprised at how much less snipey and insulting this post was than most things I’ve seen from the PaX/grsec team (I feel like they’re usually worse in that regard).

                1. 2

                  Yeah, if you ever read anything that grsecurity/PaX folks write it’s always the same thing. Everyone else is stupid and not doing what they’re supposed to be doing (or stealing their code and not giving credit to them) and everything they do is the proper and only way to do it. I still like some of the things they do but this attitude will always be a problem.

                2. 2

                  Also I’m not completely clear when they noticed it. I hope at the latter end of this story, and then reported it. But by interspersing “we did x” in between all the “they did y” this makes me read “we noticed and just didn’t tell them”.

              1. 3

                Curious why this is downvoted? He is one of the most powerful and accomplished programmers in the world, and opening himself up big time. I think this alone deserves big kudos, and I’m very much looking forward to watching it.

                1. 7

                  Because it’s an ad for a film focusing on his personality and philanthropy; there’s zero mention of programming. Even if there was any topical material, a trailer isn’t really designed to learn from or prompt new discussion. We’d likely just rehash old arguments about him or Microsoft’s business practices.

                  1. 1

                    But he’s a talented programmer who started the current largest software company (and company generally by market cap) in the world. So surely there are aspects of his personality and habits that can shed light on how and why he has done the things he has done. Any programmer looking to make an impact should probably watch this.

                    Disclosure: I used to work at MS, but I have mixed feelings about MS and BG, due to: https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists, https://www.theregister.co.uk/2001/06/02/ballmer_linux_is_a_cancer/, and http://techrights.org/2009/06/25/bill-gates-office-patents/

                    1. 5

                      No one has denied he was a programmer. I’m saying that this is not about the programs he wrote, or the way he wrote programs, or the effects of those programs, or the business selling those programs, or the career that followed, it’s about what he’s up to after that business. That’s a lot of steps away from topicality, and then there’s one more giant leap away because this is an ad, it’s not even the mini-series itself. Notice that none of the justifications you gave pointed to content present in this link. It’s like the joke about how La Croix flavors aren’t even flavors.

                      1. 2

                        I guess I find it interesting and relevant, as someone who is always on the lookout for ways to improve my programming ability. Does knowing what BillG’s favorite food is help me become a better programmer? It turns out, no, but I didn’t know that prior to seeing this. (If he had said “bran muffins” instead of “Hamburgers”, perhaps I’d look into it more).

                        I don’t care whether or not people check it out, I just want to register my surprise that it’s being downvoted. An analogy would be if this were a forum about basketball and people were downvoting an official autodocumentary from Michael Jordan because it might be only 20% about basketball.

                        1. 3

                          It’s not downvoted because it’s about Bill Gates, it’s downvoted because it’s an ad. See my other comment here: https://lobste.rs/s/3fxyl0/inside_bill_s_brain#c_okluxr

                      2. 3

                        If you want that, watch Pirates of Silicon Valley. It’s the only movie Wozniak endorses as accurate about the personalities and nature of what they were doing. Even if, as always, the specifics weren’t all right.

                        Give you a nice head start, anyway.

                      3. 1

                        Thanks for explaining. There are a number of mentions related to programming, even in this short clip, btw.

                      4. 6

                        I flagged this because it’s a twitter link, he’s promoting something about himself, and I don’t care what Bill Gates’ favorite animal is.

                        1. 1

                          I disagree, but like that you explained why. :)

                        2. 4

                          I flagged this just before going to bed.

                          I’m trying to be more open and transparent in my flagging of late, so here’s my explanation.

                          It’s an ad for an ad for an ad.

                          First ad: new content on Netflix.

                          Next ad: billg is on Twitter!

                          Third ad: a trailer for a show - which is an ad per definition.

                          Relevant link for this particular piece of content (the Netflix show):

                          • a review - either by a knowledgeable insider, or a good TV reviewer, or just a crustacean
                          • something from Netflix that explains a bit more about this - who’s directing, what kind of access they have, what other stuff have they done. There’s docs and there’s docs - some are investigative journalism, some are corporate puff-pieces
                          • the actual show itself (“There’s a documentary about Bill Gates on Netflix. I’ve watched it, and I think it would be a good watch for others on this site)

                          [Bill Gates] is one of the most powerful and accomplished programmers in the world

                          He’s a very successful businessman who also has deep technical and commercial knowledge and instincts. The company and products he’s helped make have made a lasting impression - not always positive! - on the world, and on the free software/open source community. See for example this discussion which shows that distrust of MSFT is still deeply felt, and that many associate Bill Gates with it.

                          1. 2

                            Good point. A text link with more information that also included the video would be more appropriate.

                        1. 1

                          This reads like an infomercial.

                          1. 1

                            yeah it does. i think it’s weird that they want contact info for access to the whitepaper as well.

                            there’s this too: https://arstechnica.com/information-technology/2019/08/silent-windows-update-patched-side-channel-that-leaked-data-from-intel-cpus/

                            also i added linux tag since it seems like it may affect linux.

                          1. 2

                            In more detail, the Linux and PaX (FreeBSD, HardenedGentoo and others use the PaX ASLR approximation) ASLR designs rely on the same core ideas, in that they define four partial-VM areas: (1) stack, (2) libraries/mmaps, (3) executable and (4) heap.

                            FreeBSD’s implementation:

                            1. Is disabled by default.
                            2. Is ASR, not ASLR (ASR does not use deltas, whereas ASLR does).
                            3. Is incomplete, and therefore cannot be relied upon in academia.
                            4. Building applications as PIEs in FreeBSD is disabled by default.
                            5. They incorrectly list FreeBSD in the PaX list–it’s HardenedBSD (a derivative of FreeBSD that aims to provide the BSD community with a clean-room reimplementation of the publicly-documented bits of the PaX/grsecurity patchset) that uses the PaX model. As mentioned previously, FreeBSD is working on their own ASR implementation.

                            1. 2

                              I noticed this mistake as well but I knew you or someone else here would be able to clear up any confusion around that. I’m curious to know your thoughts on the rest of the paper once you have time to read it.

                              1. 2

                                I’ve added it to my “thorough reading” list. Problem is, that list is growing exponentially and hopelessly. I think I have enough in my list to last me a few years now. ;)

                              1. -8

                                This is a joke right? “verification” by sig checking? didn’t they (openbsd) write a fucking tool (signify) to make them not do this stupid shit any more? I guess we can’t remember what happened all of 4 years ago when it comes to people’s actual security. Really underscores the trend of bsd mania being really disinterested in actual user security.

                                1. 8

                                  They use signify?: “Verify SHA256.sig using unprivileged signify(1)” - slide 11 of linked PDF.

                                  source: https://github.com/openbsd/src/blob/7f3597a0e5ea0b10e5130afef0c253a58e676224/usr.sbin/syspatch/syspatch.sh#L168

                                  1. 7

                                    Feel free to make your point. But please don’t be an angry/aggressive asshole in how you say it. We are all people here.

                                    1. 4

                                      How would you do verification?

                                      1. 2

                                        what are some other examples of this “trend” you mention?

                                        1. 2

                                          This is a joke right? “verification” by sig checking? didn’t they (openbsd) write a fucking tool (signify)

                                          What exactly do you think signify does? hint, it’s in the ‘sig’ part of the name.

                                          1. 6

                                            Actually, this particular operation is in the ify part of the name. :)

                                            1. 2

                                              ifysign has a nice ring to it too ;)

                                          1. 4

                                            As a topic near and dear to my heart, I was curious who was claiming that bloat reduction is the solution to ROP. Omg, have I said that??? I don’t think so. And I haven’t read any of the cited papers.

                                            I think the security benefit of bloat reduction is decreased attack surface. Possible ROP reduction would be a tangential benefit, but given the small number of gadgets needed for an exploit, it does seem unlikely you’ll get to exploit proof by random function elimination. You would need to start with a list of gadgets, target them and eliminate the whole class, possibly by rewriting functions. Or you can have the compiler do it for you.

                                            1. 1

                                              I read this paper as saying that gadget reduction is the same as bloat reduction.

                                              Something along the lines of what Todd Mortimer has been working on.

                                              I don’t know enough about the topics to have an informed opinion though.
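An added example, written for this thread rather than taken from any commenter or cited paper, to put numbers on the point above about gadget counts versus function removal. It is a minimal x86-64 ROP gadget finder (byte-pattern match ending in `ret`, 0xc3) over a constructed "text section" of four tiny functions; `TEXT`, `FUNC_START`, the two "needed" gadgets and the keep-mask scheme are all my constructions. A real finder also decodes instructions and considers unaligned starts; this one only byte-matches, which is enough to show that deleting functions at random leaves the specific gadgets an exploit needs until the one function hosting them is removed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed text section: four functions, each a short body ending in ret.
 * Byte values are real x86-64 encodings; `pop rdi; ret` (5f c3) occurs in
 * two of the functions, `pop rax; pop rdx; ret` (58 5a c3) in exactly one. */
static const uint8_t TEXT[] = {
    /* f0 @0  */ 0x55, 0x48, 0x89, 0xe5, 0x5f, 0xc3,   /* push rbp; mov rbp,rsp; pop rdi; ret */
    /* f1 @6  */ 0x48, 0x31, 0xc0, 0xc3,               /* xor rax,rax; ret */
    /* f2 @10 */ 0x58, 0x5a, 0xc3,                     /* pop rax; pop rdx; ret */
    /* f3 @13 */ 0x48, 0x89, 0xc7, 0x5f, 0xc3,         /* mov rdi,rax; pop rdi; ret */
};
#define TEXT_LEN ((size_t)sizeof TEXT)
#define NFUNCS 4
static const size_t FUNC_START[NFUNCS] = { 0, 6, 10, 13 };

/* The two gadgets this hypothetical exploit needs (assumed, for illustration). */
static const uint8_t G_POP_RDI[]     = { 0x5f, 0xc3 };
static const uint8_t G_POP_RAX_RDX[] = { 0x58, 0x5a, 0xc3 };

/* keep_mask bit i set == function i survived "debloating". */
static int live(unsigned keep_mask, size_t off) {
    for (int i = NFUNCS - 1; i >= 0; i--)
        if (off >= FUNC_START[i]) return (keep_mask >> i) & 1;
    return 0;
}

/* Number of addresses in kept code where the exact byte sequence `pat`
 * (which must end in ret) can be used as a gadget. Returns -1 if `pat`
 * does not end in ret, i.e. is not a gadget at all. */
int gadget_sites(unsigned keep_mask, const uint8_t *pat, size_t plen) {
    if (plen == 0 || pat[plen - 1] != 0xc3) return -1;
    int n = 0;
    for (size_t i = 0; i + plen <= TEXT_LEN; i++)
        if (live(keep_mask, i) && memcmp(TEXT + i, pat, plen) == 0) n++;
    return n;
}

/* Does the surviving code still contain every gadget the exploit needs? */
int needed_present(unsigned keep_mask) {
    return gadget_sites(keep_mask, G_POP_RDI, sizeof G_POP_RDI) > 0
        && gadget_sites(keep_mask, G_POP_RAX_RDX, sizeof G_POP_RAX_RDX) > 0;
}

int main(void) {
    /* Try every subset of functions to keep and report whether the chain
     * still assembles: only subsets that drop f2 (the sole pop rax;pop rdx
     * host) or both f0 and f3 break it, regardless of how much else goes. */
    for (unsigned mask = 0; mask < (1u << NFUNCS); mask++) {
        int kept = 0;
        for (int i = 0; i < NFUNCS; i++) kept += (mask >> i) & 1;
        printf("keep=%x (%d/%d funcs): pop rdi;ret x%d, pop rax;pop rdx;ret x%d -> %s\n",
               mask, kept, NFUNCS,
               gadget_sites(mask, G_POP_RDI, sizeof G_POP_RDI),
               gadget_sites(mask, G_POP_RAX_RDX, sizeof G_POP_RAX_RDX),
               needed_present(mask) ? "exploitable" : "chain broken");
    }
    return 0;
}
```

The takeaway matches the comment: the count of unique gadgets falls as code is removed, but the exploit only needs a few, so random elimination helps little. Breaking the chain means knowing which gadgets matter and targeting their hosts (or having the compiler avoid emitting them), not shrinking the binary in general.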

                                            1. 3

                                              i flagged this as spam.

                                              i don’t think linking to unverified claims from social media is a good idea.

                                              1. 10

                                                Note that the implementation resembles ASR, not ASLR, and is a rather expensive NO-OP from a security perspective since the stack and the shared page are not randomized. ;P

                                                1. 2

                                                  can you explain the difference between ASR and ASLR and why it matters?

                                                  1. 10

                                                    Sure! Address Space Randomization (ASR) differs from Address Space Layout Randomization (ASLR) by ASR’s lack of deltas. In pipacs’ original paper on ASLR, he described using deltas to avoid fragmenting the address space and to avoid hurting performance.

                                                    A more thorough breakdown can be found here.

                                                    1. 1

                                                      thanks!
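An added example, my own rather than code from PaX, HardenedBSD, FreeBSD or OpenBSD, that models the delta-versus-no-delta distinction drawn in the reply above and in the FreeBSD list further up the thread. It simulates only the mmap area of a 64-bit process as integers: `layout_aslr` picks one random delta and packs mappings back to back below the shifted base (the PaX ASLR approach), while `layout_asr` gives every mapping an independent random address. `MMAP_TOP`, `RAND_BITS`, the xorshift PRNG and the mapping sizes are assumed values; the stack, heap and executable areas, page tables and real allocator behaviour are out of scope. Two measurements make the trade-off visible: how many other mappings an attacker can compute from a single leaked address, and how many bytes of hole the layout leaves between its lowest and highest mapping.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE      4096ULL
#define MMAP_TOP  0x7f0000000000ULL   /* assumed top of the mmap area */
#define RAND_BITS 28                  /* assumed random page-offset bits */
#define NMAPS     8

/* Constructed mapping sizes: libc, libm, ld.so, then a few anonymous maps. */
const uint64_t SIZES[NMAPS] = { 2 * 1024 * 1024, 1024 * 1024, 256 * 1024, 64 * 1024,
                                4 * PAGE, 16 * PAGE, 8 * PAGE, PAGE };

/* Seedable xorshift64 so runs are reproducible; not a CSPRNG, model only. */
static uint64_t rng_state = 0x9e3779b97f4a7c15ULL;
void seed_rng(uint64_t s) { rng_state = s ? s : 1; }
static uint64_t rnd(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}
static uint64_t rand_offset(void) { return (rnd() & ((1ULL << RAND_BITS) - 1)) * PAGE; }

static int overlaps(uint64_t a, uint64_t asz, uint64_t b, uint64_t bsz) {
    return a < b + bsz && b < a + asz;
}

/* PaX-style ASLR: one delta for the whole area, mappings laid out top-down
 * and contiguously beneath the randomised base. */
void layout_aslr(uint64_t addr[NMAPS], const uint64_t size[NMAPS]) {
    uint64_t top = MMAP_TOP - rand_offset();
    for (int i = 0; i < NMAPS; i++) {
        top -= size[i];
        addr[i] = top;
    }
}

/* Per-mapping ASR: each mapping draws its own random address; overlapping
 * candidates are redrawn. */
void layout_asr(uint64_t addr[NMAPS], const uint64_t size[NMAPS]) {
    for (int i = 0; i < NMAPS; i++) {
        for (;;) {
            uint64_t cand = MMAP_TOP - rand_offset() - size[i];
            int clash = 0;
            for (int j = 0; j < i && !clash; j++)
                clash = overlaps(cand, size[i], addr[j], size[j]);
            if (!clash) { addr[i] = cand; break; }
        }
    }
}

/* Attacker model: an info leak reveals addr[0] (say, a libc pointer). Count
 * how many of the remaining mappings follow from it if the attacker assumes
 * the back-to-back layout and knows the mapping sizes. */
int predicted_from_leak(const uint64_t addr[NMAPS], const uint64_t size[NMAPS]) {
    int hits = 0;
    uint64_t guess = addr[0];
    for (int i = 1; i < NMAPS; i++) {
        guess -= size[i];
        if (guess == addr[i]) hits++;
    }
    return hits;
}

/* Fragmentation: bytes between the lowest and highest mapping that nothing
 * covers. Zero means the area is packed. */
uint64_t hole_bytes(const uint64_t addr[NMAPS], const uint64_t size[NMAPS]) {
    uint64_t lo = UINT64_MAX, hi = 0, used = 0;
    for (int i = 0; i < NMAPS; i++) {
        if (addr[i] < lo) lo = addr[i];
        if (addr[i] + size[i] > hi) hi = addr[i] + size[i];
        used += size[i];
    }
    return (hi - lo) - used;
}

int main(void) {
    uint64_t a[NMAPS], b[NMAPS];
    seed_rng(42);
    layout_aslr(a, SIZES);
    layout_asr(b, SIZES);
    printf("ASLR (one delta): %d/%d mappings derivable from one leak, hole %llu bytes\n",
           predicted_from_leak(a, SIZES), NMAPS - 1, (unsigned long long)hole_bytes(a, SIZES));
    printf("ASR  (per map)  : %d/%d mappings derivable from one leak, hole %llu bytes\n",
           predicted_from_leak(b, SIZES), NMAPS - 1, (unsigned long long)hole_bytes(b, SIZES));
    return 0;
}
```

With the delta design one leak of any mapping in the area gives the attacker the whole area, but the address space stays packed; with per-mapping randomisation a leak buys only that mapping, at the price of holes scattered through the area, which is the fragmentation cost the thread mentions. Whether that cost still matters on a 64-bit machine, as the reply above notes, is a separate question from which design is in use.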

                                                1. 2

                                                  It’s a good article and a useful starting point, I would like to see follow ups with analysis and approaches when one or more of the security hardening flags are enabled.

                                                  In particular it may not be possible to exploit the example vulnerable program at all with modern security hardening added, programmers I talk to who have not studied exploitation do not really seem to understand this. All buffer overflows are thought of as the end of the world. It may need a more complex interactive vulnerable binary from which we can first extract secrets then build an exploit payload.

                                                  1. 3

                                                    I wrote this as an accompanying text to MIT’s 6.858 Computer Security lab on buffer overflows, and in that lab we actually do have the students pull off a similar attack without -z execstack. Address randomization is harder, but doable through, for example, user-controlled format strings (though of course, there are also compiler checks that help mitigate that). The efficacy of stack canaries really depends on what kind of stack canaries are used, and the mechanism of attack. Terminator canaries for example are often fixed, and given a good attack vector you may be able to just blow right through them. Similarly, if you’re not doing just a classic buffer overflow, but something like a dangling pointer attack, then the canaries don’t help at all. -D_FORTIFY_SOURCE similarly only helps when the compiler can guess appropriate bounds.

                                                    Overall, I think I’d say that if all compiler mechanisms are turned on, and the code is well written, it’s pretty darn hard to pull off an exploit. However, it’s so rare that both of those are true, especially in older software, and that’s why we end up with so many working exploits. In some sense, this is due to simple math: the attacker only needs one vulnerability, whereas the developer needs to ensure there are no vulnerabilities.
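An added example, mine and not from the 6.858 lab or any commenter, that makes the canary points above concrete without actually smashing a stack: a frame is modelled as a 32-byte array holding a 16-byte buffer, a 4-byte terminator canary (the classic StackGuard value NUL, CR, LF, 0xff), padding and an 8-byte saved return address, and `classify` plays the role of the epilogue check. Three bug classes are run against it: an unbounded C-string copy (strcpy-style), a length-controlled copy (memcpy with an attacker-chosen length), and a write through a stale pointer that aliases the return slot. `TERM_CANARY`, `LEGIT_RET`, the fake target address and the helper names are my constructions; the copy loops replicate what strcpy/memcpy would do but clip at the frame edge purely so the example itself stays memory-safe.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_LEN 32
#define BUF_LEN   16
enum { OFF_BUF = 0, OFF_CANARY = 16, OFF_RET = 24 };

/* Terminator canary 00 0d 0a ff: a fixed value, so assumed known to the
 * attacker. Its protection relies on the leading NUL ending string copies. */
static const uint8_t TERM_CANARY[4] = { 0x00, 0x0d, 0x0a, 0xff };
/* Constructed "legitimate" saved return address (little-endian 0x401000). */
static const uint8_t LEGIT_RET[8]   = { 0x00, 0x10, 0x40, 0x00, 0, 0, 0, 0 };

typedef struct { uint8_t b[FRAME_LEN]; } frame_t;

static void frame_init(frame_t *f) {
    memset(f->b, 0, FRAME_LEN);
    memcpy(f->b + OFF_CANARY, TERM_CANARY, 4);
    memcpy(f->b + OFF_RET, LEGIT_RET, 8);
}

enum outcome { HARMLESS, DETECTED, HIJACKED };

/* Epilogue view: a changed canary means __stack_chk_fail would fire; an
 * intact canary with a changed return slot means a silent hijack. */
enum outcome classify(const frame_t *f) {
    if (memcmp(f->b + OFF_CANARY, TERM_CANARY, 4) != 0) return DETECTED;
    if (memcmp(f->b + OFF_RET, LEGIT_RET, 8) != 0) return HIJACKED;
    return HARMLESS;
}

/* strcpy(buf, input) with the bounds check deliberately missing: copies up
 * to and including the source's NUL, then stops. */
static void copy_cstring(frame_t *f, const char *src) {
    for (size_t i = 0; i < FRAME_LEN; i++) {   /* FRAME_LEN clip: model boundary only */
        f->b[OFF_BUF + i] = (uint8_t)src[i];
        if (src[i] == '\0') break;
    }
}

/* memcpy(buf, input, len) with attacker-chosen len: NUL bytes are no obstacle. */
static void copy_n(frame_t *f, const uint8_t *src, size_t len) {
    if (len > FRAME_LEN) len = FRAME_LEN;      /* model boundary only */
    for (size_t i = 0; i < len; i++) f->b[OFF_BUF + i] = src[i];
}

/* Attack 1: classic overflow with n_as bytes of 'A' as a C string. The
 * attacker cannot place the canary's 0x00 and keep writing past it. */
enum outcome attack_strcpy(size_t n_as) {
    char payload[FRAME_LEN + 1];
    if (n_as > FRAME_LEN) n_as = FRAME_LEN;
    memset(payload, 'A', n_as);
    payload[n_as] = '\0';
    frame_t f; frame_init(&f);
    copy_cstring(&f, payload);
    return classify(&f);
}

/* Attack 2: length is attacker-controlled, so the payload rewrites the
 * known canary with itself and continues into the return slot. */
enum outcome attack_memcpy(void) {
    uint8_t payload[FRAME_LEN];
    const uint8_t target[8] = { 0xef, 0xbe, 0xad, 0xde, 0, 0, 0, 0 }; /* constructed */
    memset(payload, 'A', BUF_LEN);
    memcpy(payload + OFF_CANARY, TERM_CANARY, 4);
    memset(payload + OFF_CANARY + 4, 0, 4);
    memcpy(payload + OFF_RET, target, 8);
    frame_t f; frame_init(&f);
    copy_n(&f, payload, sizeof payload);
    return classify(&f);
}

/* Attack 3: a stale pointer that aliases the return slot (use-after-free
 * style). The canary is never touched, so the epilogue check passes. */
enum outcome attack_dangling(void) {
    frame_t f; frame_init(&f);
    uint8_t *stale = f.b + OFF_RET;             /* stands in for a dangling pointer */
    stale[0] = 0xef; stale[1] = 0xbe; stale[2] = 0xad; stale[3] = 0xde;
    return classify(&f);
}

int main(void) {
    static const char *name[] = { "harmless", "detected by canary", "hijacked undetected" };
    printf("strcpy, 16 A's : %s\n", name[attack_strcpy(16)]);
    printf("strcpy, 17 A's : %s\n", name[attack_strcpy(17)]);
    printf("strcpy, 32 A's : %s\n", name[attack_strcpy(32)]);
    printf("memcpy, len 32 : %s\n", name[attack_memcpy()]);
    printf("dangling write : %s\n", name[attack_dangling()]);
    return 0;
}
```

The string-copy overflow never reaches the return address without tripping the check, which is the case terminator canaries were designed for. A length-controlled copy walks straight through a fixed canary; a random canary would force the attacker to leak it first, but attack 3 shows the class the comment above names as untouched by canaries of any kind, since nothing between the buffer and the return slot is ever written.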

                                                      1. 1

                                                        Ah, yes, that looks like another interesting take on how to defeat stack canaries! Thanks for sharing.

                                                    1. 6

                                                      nice work

                                                        1. 3

                                                          So are existing mitigations sufficient or not? The article seems to contradict itself. Or at least the statement from Intel seems to contradict the rest of the article.

                                                          1. 4

                                                            https://lobste.rs/s/kayit2/systematic_evaluation_transient

                                                            If you take a look at the paper it seems like most of them are not sufficient.

                                                            1. 3

                                                              Thanks for posting this. Here’s an article that might help some folks follow what this paper presents: https://arstechnica.com/gadgets/2018/11/spectre-meltdown-researchers-unveil-7-more-speculative-execution-attacks/

                                                            1. 3

                                                              mine

                                                              nothing is going on

                                                              1. 5

                                                                I’ve been trying to get a patchfix into OpenBSD with no luck. No response to my patch on tech@openbsd.org. This isn’t the first time. Can any OpenBSD contributor help me out?

                                                                1. 7

                                                                  If you didn’t get any feedback, just keep asking the list for feedback every two weeks by replying to your own post. There’s a bit of luck to it because each patch has to catch someone’s interest in a moment when they have time to deal with it.

                                                                  1. 4

                                                                    Cool I can do that, thanks for the tip.

                                                                    1. -1

                                                                      just keep asking the list for feedback every two weeks by replying to your own post.

                                                                      What a ridiculous response. Not even an apology. That’s no way to run a welcoming community or encourage people to contribute.

                                                                      1. 9

                                                                        Nothing to apologize for - what did you expect? Sending reminders is a common idiom on tech@ where a mail gets drown easily by other threads.

                                                                        Making sure your submissions are well tested and reasoned helps getting a response, but you cannot demand anything.

                                                                        1. 1

                                                                          what did you expect?

                                                                          Maybe this is how OpenBSD runs things, if that’s the culture there, that’s fine, but don’t expect it to attract very many contributors.

                                                                          1. 5

                                                                            It does attract contributors. In fact, this culture is one of the reasons I joined the project.

                                                                            So I eventually started reviewing the diff but failed to do so because it was both malformed (did not apply) and broken (did not compile). That is, instead of focusing on the intended changes, reviewers get thrown back because they did not test it. Note how I explicitly mentioned this in my previous reply.

                                                                            Edit: I mixed you up with the OP/diff author, text adjusted.

                                                                            1. 4

                                                                              Thank you for the review kn, very much appreciated. I hastily reposted an old version of the patch. I’ll make sure the diff applies cleanly in my reply and fix up the SIGCHLD typo.

                                                                            2. 6

                                                                              Maybe this is how OpenBSD runs things, if that’s the culture there, that’s fine, but don’t expect it to attract very many contributors.

                                                                              Ah but whose job is it to reply to every mail? Whose job is it to apologize if whoever had the first job failed to deliver? What is this sentient entity called OpenBSD that supposedly runs things? Does it have the power to appoint an individual for such a role?

                                                                              1. -2

                                                                                What is this sentient entity called OpenBSD that supposedly runs things?

                                                                                It’s called the OpenBSD Foundation. You can read about it on its website. This year, it has about half a million to spend on answering your other questions.

                                                                                1. 8

                                                                                  You gotta be joking. They provide funding for the project. They don’t run the project.

                                                                                  1. 0

                                                                                    I assumed that in order to provide funding for a project you need to decide what to fund and what not to fund, and that sort of decision-making is called “running the project”, but I guess I was mistaken, my bad.

                                                                                    1. 7

                                                                                      I just decided to fund you as my personal assistant. Your salary is $20 a month, you work 24/7, aren’t you so glad that I run you now? Hand over the keys to your house by the way, because with this decision, I run it…

                                                                                      Actually the OpenBSD Foundation isn’t the OpenBSD Project. The OpenBSD Foundation doesn’t own OpenBSD, and there are things it cannot do because it does not own OpenBSD. It can’t hand out commit bits, it can’t change the website, it can’t turn people into mailing list admins.. it does not run OpenBSD. If someone or something really “runs” OpenBSD, I’d say it’s Theo… and no, Theo doesn’t run the Foundation. The Foundation doesn’t run Theo either. The Foundation doesn’t decide what Theo or the individual developers (volunteers mainly!) of the project do, though they can choose to support whatever it is by providing funding.

                                                                                      1. -1

                                                                                        What is this sentient entity called OpenBSD that supposedly runs things?

                                                                                        If someone or something really “runs” OpenBSD, I’d say it’s Theo

                                                                                        1. 5

                                                                                          Which leads to the follow up question.. you want him to force the volunteers to reply to every mail and apologize for every mail that wasn’t responded to? Or you want him to employ people for that purpose? Out of his own pocket?

                                                                                          Sorry, I just don’t see the issue of some messages directed at a volunteer-driven software group going unresponded to because the volunteers happened to be volunteering their time for something else at the time (or whatever the reason).

                                                                                          If people are so entitled to responses, I no longer wonder why some people get burned out on OSS development. I wouldn’t, at least not for that reason, because I have no trouble ignoring issues I don’t have time for. It is my own time.

                                                                                          IMHO kn is right, there is nothing to apologize for.

                                                                                          1. 0

                                                                                            I’ve seen small businesses provide better support to their users and developers on far less budget than OpenBSD has.

                                                                                            For the past 5 or so years they’ve received hundreds of thousands of dollars each year, and each year they had a surplus averaging ~$100k that they didn’t seem to use for anything.

                                                                                            Are you telling me they can’t afford to pay someone to say, “we’re looking into this”, or “we’re sorry the patch didn’t compile”, or even setup an automated patch submission system? Because if you are, according to their public finances page, that would be a lie.

                                                                                            1. 3

                                                                                              The OpenBSD Project isn’t a business. I think you’re just trolling here and it’s dumb.

                                                                                              1. -1

                                                                                                I’m not trolling, and I’m done with this conversation because it’s clear it’s going nowhere fast.

                                                                                                EDIT: and to be clear, from the OSS projects I’ve seen — even those that do not have a half-million dollar budget and a foundation — still somehow manage to reply to developers who’ve put in the time and effort into submitting a pull request. They also have pull requests. And automated build systems. And aren’t stuck in 1990 with their version control system.

                                                                                                1. 6

                                                                                                  You are generalizing from one example and you don’t know our community well enough to judge it.

                                                                                                  During almost 10 years now I have committed many patches from other contributors and never had my own patches go ignored, which is why I stuck around in OpenBSD in the first place.

                                                                                                  1. 0

                                                                                                    You are generalizing from one example and you don’t know our community well enough to judge it.

                                                                                                    And how do you know how well I know the OpenBSD community? You have no clue.

                                                                                                    Over on Mastodon I pointed out that OpenBSD “perpetuates false and negative stereotypes that security people don’t care about usability, or that security must come at a cost of usability”.

                                                                                                    That’s a fact. And then OpenBSD developer @mulander jumped in to call me a troll, and on top of it, demand that I work for free to submit patches to the project. So I pointed out to him how the OpenBSD community treats those who work for free and submit patches.

                                                                                                    I’ve observed this project for many years, and I think it gets a bit too much hype on Lobsters lately for delivering a terrible user experience. Sure, there are lots of things to praise about it, but I don’t see anyone criticizing it for its glaringly obvious faults, so the end result is a community that is delusional, and a harmful role model.

                                                                                                    1. 4

                                                                                                      Link the thread so people can judge by themselves.

                                                                                                      Also link yourself trying to spin the thing around on Mastodon and on twitter.

                                                                                                      1. 0

                                                                                                        I did, see my reply below from before your comment. But sure I should have linked it here as well.

                                                                                                      2. 1

                                                                                                        Your opinions are not facts. I don’t think the “community” is what’s delusional here.

                                                                                                        1. -1

                                                                                                          It’s not an opinion, it’s a fact, and one OpenBSD fanbois don’t dispute.

                                                                                                    2. 1

                                                                                                      Great. I hope you feel better now that you’ve got this all out of your system.

                                                                              2. 4

                                                                                There is nothing to apologize for. It is a volunteer project. Developers are people who live lives, not borg drones assimilating other people’s patches.

                                                                                1. 4

                                                                                  All of your comments in this thread are inappropriate. They are inappropriate regardless of whether other folks’ comments are or are not appropriate, and regardless of whether they do or do not contain true statements.

                                                                                  Please drop the issue, do not bring it back up, and do not engage in this style of discussion again on lobste.rs.

                                                                              3. 3

                                                                                What stsp said, but also, can you link us to the thread?

                                                                                  1. 2

                                                                                    I just get

                                                                                    I expected an e-mail address, but none was defined.

                                                                                    1. 2

                                                                                      Sorry, I’m not entirely sure what the best way is to post a link to a thread on the OpenBSD listserv. If you log in you should be able to see the thread.

                                                                                      EDIT: use this http://openbsd-archive.7691.n7.nabble.com/lib-libfuse-Handle-signals-that-get-sent-to-any-thread-tp352472p353099.html

                                                                                      1. 2

                                                                                        marc.info works pretty well. I’d say it’s the preferred interface for most people.

                                                                                        1. 1

                                                                                          thanks for the pointer

                                                                                1. 2

                                                                                  Not a contributor, but I figure it might help to point out what patch you sent.

                                                                                1. 4

                                                                                  @fro, @tedu, @animatronic, @trousers

                                                                                  Hongyu Liu who co-authored the work just emailed me back:

                                                                                  “Thanks for your interests! Sam will make the source code public ASAP.”

                                                                                  So, keep an eye out.

                                                                                  1. 2

                                                                                    sweet. thanks @nickpsecurity

                                                                                    1. 2

                                                                                      looks like it’s up now. thanks!

                                                                                    1. 1

                                                                                      I guess the original link isn’t working now and I can’t change it. Link below seems to work.

                                                                                      https://search.proquest.com/openview/8e847f4ec90b7f8213d687acdf3476fd/1?pq-origsite=gscholar&cbl=18750&diss=y