Threads for lattera

  1. 3

    Still have COVID, so I’m gonna stay home and hack on HardenedBSD and do chores.

    FreeBSD is working on native kernel support for netlink. Problem is that the quality of that code is severely lacking, with a number of NULL derefs, which I’ve fixed downstream in HardenedBSD. I took the time to harden parts of the kernel malloc implementation because of that. I’ve also applied -ftrivial-auto-var-init=zero to key parts of the kernel, including the netlink module. I plan to continue down the path of kernel heap hardening and provide more complete application of trivial auto var init to zero.

    I also hope to finalize the new HardenedBSD build framework and infrastructure work this weekend, opening the path for new mirrors of our installation media. For the first time, we’ll also have mirrors of our OS update artifacts.

    I guess COVID is somewhat beneficial to the project. ;-)

    1. 1

      netlink

      Congrats! I work on Linux networking and it’s always so weird to use Unix and not have the “ip” command.

    1. 3

      I’ve been having a really hard time getting over COVID. I’m just gonna take it easy. Perhaps hack a little bit on Cross-DSO CFI in HardenedBSD.

      1. 1

        I’m going to try to get a new build of hbsdfw out the door. hbsdfw is a HardenedBSD-based build of OPNsense I maintain. I’m making progress on Cross-DSO CFI in HardenedBSD. I’m working in the ports tree now, trying to wrap my brain around all the breakages that come from having the base OS fully built with Cross-DSO CFI.

        A coworker needed a tool to download all of an organization’s repos on GitHub, so I started on a little script to do that. I plan to put the finishing touches on it, enabling support for both public and private repos: https://git.hardenedbsd.org/shawn.webb/random-code/-/blob/main/github/org_repo_clone/org_repo_clone.zsh

        1. 1

          I’m starting a new job at IOActive as a Senior Security Consultant! After two months of being unemployed, it feels really good to be back in business. :-)

          1. 5

            As of March 2022, HardenedBSD does this by default for the entire OS userland ecosystem (the OS itself and 33,000+ packages). We’ve only had to disable auto-var-init-to-zero for a small subset of packages.

            Applying to the kernel will require more research, but is on the roadmap.

            1. 6

              Can you share any details on why you’ve had to disable it for some packages? Is it performance concerns? Buggy software relying on uninitialised variables to be non-zero?

              1. 1

                I can’t speak for u/lattera but in my experience the big carve out/exception is code that has “large” stack allocated arrays where the compiler is unable to avoid large pre-zeroing of values that will otherwise be initialized. It’s really easy to see

                int a[1000];
                for (int j = 0; j < 1000; j++) a[j] = 0;

                but for example

                int a[1000]; f(a, 1000);

                Should the compiler initialize a? clang (and I assume gcc) know the existence and semantics of bzero, memset, etc., so can both treat that as a call that initializes a, but if you have a bunch of code that has large amounts of on-stack data that has less trivial initializing logic, then it becomes much harder (esp. in C/C++).

            1. 1

              I’m going to work through HackTheBox challenges, re-acquainting myself with offensive techniques that I once used to know. I have a feeling and a desire to get back to my roots in offensive security research. I’ve spent over a decade on the defensive side.

              1. 2

                Fixing incorrect code by making things slower for correct code. Not gonna happen.

                I can see this as opt-in, but we already have more than a handful of ways to initialize automatic variables.

                1. 2

                  HardenedBSD recently switched to auto init to zero by default for the entire userland OS/ecosystem, including 33,000+ packages. Very quite literally zero noticeable performance hit. I would like to see a performance engineer test the before and after of our change, though.

                  1. 1

                    Fixing incorrect code by making things slower for correct code. Not gonna happen.

                    Except auto initializing everything by default isn’t a performance hit, and pretty much every language other than C and C++ somehow manages it.

                    Also, while it took the NSA and NIST saying not to use C or C++ to get WG21 to get off its delusional horse, the committee finally seems to have started to grasp that continuing to aggressively avoid fixing known safety problems with the language means that it will die.

                    I can see this as opt-in, but we already have more than a handful of ways to initialize automatic variables.

                    And yet 10% of CVEs are the result of uninitialized locals.

                    1. 1

                      The entire point of the proposal is that it does not slow down correct code. That’s also where most of effort was spent.

                    1. 3

                      I’m learning the various AWS Python APIs (boto3). I’ve deliberately put off dealing with anything revolving around AWS in my career, but it seems like today’s world loves vendor lock-in, so…

                      I’ve got various job interviews lined up for the week. I’m hoping to work towards having an offer on my desk by the 16th of this month so that I can start on or around the 21st.

                      Tomorrow (Tuesday), I’m going to serve as an election judge in my local gubernatorial elections. I suspect we’ll have a huge turnout.

                      1. 10

                        I’m now on the job market (link to resume/CV below). I’m going to look for and apply to a number of infosec jobs. So if anyone’s hiring someone who loves anything related to infosec, please let me know.

                        I’m also hoping to spend some time hiking Patapsco State Park with my dogs. And perhaps work on Cross-DSO CFI in HardenedBSD. I’d like to start work on deep integration of llvm’s CFI runtime and the RTLD.

                        Link to resume: https://hardenedbsd.org/~shawn/2022%20Shawn%20Webb%20Resume%20Sanitized.pdf

                        1. 1

                          Saturday morning, I’m going to chaperone a friend’s child to a mountain bike race. My friend had undergone surgery and the recovery isn’t going as well as he’d hoped, so he’ll have to sit this ride out. Even though it’s not my kid, I’m excited to go. I’m just 33 miles shy of my goal of 1000 miles biked this year, so hopefully I’ll close that gap a little further tomorrow. :-)

                          I’ve got a few hours of work to make up, so I plan to make up those hours.

                          For HardenedBSD, I’m going to start investigating what we need to implement the mremap syscall. I also need to figure out a way to remain syscall-compatible with FreeBSD while still adding new syscall (or syscall-like) functionality. I want HardenedBSD to always be able to run unmodified FreeBSD binaries, which would mean maintaining syscall compat.

                          1. 2

                            One very unique aspect to me of this particular exploit is the abuse of Capsicum syscalls. It seems quite unique to use an API specifically made to increase security posture to aid in exploiting the kernel.

                            1. 1

                              On Saturday, I plan to play all day with our puppy and dog. On Sunday, I’m going to head into the datacenter to perform some much-needed maintenance on the HardenedBSD build infrastructure.

                              1. 5

                                FYI, there’s a surplus “/” at the end of the URL that’s causing the server to reject it. Removing it takes you to the home page.

                                1. 1

                                  Whoops! Sorry about that. I must’ve made a typo just as I submitted it.

                                1. 5

                                  For ${DAYJOB}, I’m getting my feet wet with Windows-centric C++ development.

                                  For ${REAL_LIFE}, I’m volunteering as an election judge for the Maryland gubernatorial elections. The primaries are tomorrow (Tuesday), so I’ll be at my assigned polling place from 5:30am to at least 11pm. This is the first time I’ve served as an election judge. I’m excited for the experience and am hoping to learn a bit more about our democratic process.

                                  Last week, the missus stepped on a nail, so taking care of our new puppy is going to take a lot more time out of my day. Other than the election judge work, I just plan on working and taking care of the missus, our puppy, and our three-and-a-half-year-old dog.

                                  1. 3

                                    Ick. Stepping on a nail has been a low-key ~nightmare of mine since I was about 9, stepped on a board while wearing sandals, and had a long rusty nail come up right between my toes. Sorry she’s lived it!

                                    1. 2

                                      Sorry to hear about the nail.

                                      I’m so out of date with Win32 C++ dev - are you using any kind of a framework at all? Or is the state of the art still message crackers?

                                      1. 2

                                        No framework (yet?). We’re using native Windows APIs. We’re working on old code that was hacked up in the weirdest of ways.

                                        1. 1

                                          Wow that sounds deeply unpleasant!

                                          Admittedly this was in the Win16 days but I remember memory corruption being a TERRIBLE bear to get around when working with low level Windows APIs.

                                          Back in the 90s I had to write a “Thunking layer” to proxy between WIN16 Visual Basic and Win32 DLLs.

                                          I’ll spare you the viewing of the scars :)

                                    1. 1

                                      At ${DAYJOB}, I’m going to make an attempt at deploying a MISP instance in a HardenedBSD VM. Unfortunately, all of their documentation and install scripts assume Linux, so I’m going to need to go manually sift through all their scripts. I suspect there’s a freakton of Linux-isms in their codebase (outside of just the install scripts.)

                                      For ${REAL_LIFE}, I’m hoping just to sleep. On Thursday of last week, we adopted an eight-week-old puppy. Having a mix of a really mentally-intensive job and taking care of an energetic little puppy is going to take a lot out of me (it already has.) I have a lot of respect for those with children. I don’t know how they have any energy or keep any semblance of sanity.

                                      For HardenedBSD, I mainly plan just to perform package builds. Due to the demands described above, I’m probably going to lessen the amount of time I spend on my hobby project.

                                      1. 12

                                        My wife and I adopted a dog, who we named Ahsoka Tano. I’ll be taking care of her along with our existing three-and-a-half-year-old dog, Vader. I gotta work Sunday to make up for hours missed yesterday since we took the day yesterday going through the adoption process.

                                        1. 2

                                          OMG that dog is cute

                                        1. 1

                                          For HardenedBSD:

                                          1. Over the weekend, I got a working build of a HardenedBSD 13-STABLE-based fork of OPNsense. I need to get the public infrastructure set up to provide the ability to publish the package repo for this fork.
                                          2. The server which used to build our 12-STABLE package repo is now sitting unused (since we delegated support for 12-STABLE to the community and no longer provide official support). I’m going to get that prepared to do periodic builds of mfsBSD-based HardenedBSD, a LiveCD distro that one of our developers created, and the HardenedBSD OPNsense fork.

                                          For personal life:

                                          1. Try to hit my goal of biking 60 miles in a singular week. I’ve lost 25 pounds since I started biking regularly in March. My target weight is 170lbs and I’m at 177lbs now.
                                          2. Completely finish constructing our backyard fence.

                                          For work:

                                          1. Finish up the business logic code I’m writing in C (as a shared object).
                                          2. Integrate that new logic in our PHP extension and CPython module.
                                          3. Finish getting set up on CIRCL’s MISP instance.

                                          1. 1

                                            Nearly impossible to detect on the running server. However, if you have something like a pihole looking for dns exfiltration attempts, this becomes much easier to detect. It does require multiple layers of protection though, I’ll give it that.
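As an added illustration of the Pi-hole style detection mentioned above (example code written for this page, not from the thread or the Pi-hole project): a small Python detector that groups DNS queries by client and base domain and flags a client that sends many long, high-entropy subdomain labels to one domain, the usual shape of data leaving through DNS. The dnsmasq-style log lines, the client addresses, the c2-example.test domain and the three thresholds are all constructed assumptions to be tuned against a network's own baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed Pi-hole/dnsmasq-style query lines (sample data, not a real log).
SAMPLE_LOG = """\
Jun 10 12:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Jun 10 12:00:02 dnsmasq[1234]: query[A] mail.example.com from 192.168.1.10
Jun 10 12:00:03 dnsmasq[1234]: query[TXT] q7w3e9r1t5y2u8i0o4p6asdfghjklzxc.c2-example.test from 192.168.1.20
Jun 10 12:00:04 dnsmasq[1234]: query[TXT] mn4b8v2c6x0z3l7k1j5h9gfdsapoiuyt.c2-example.test from 192.168.1.20
Jun 10 12:00:05 dnsmasq[1234]: query[TXT] zxcvbnmasdfghjklqwertyuiop123456.c2-example.test from 192.168.1.20
Jun 10 12:00:06 dnsmasq[1234]: query[TXT] 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9.c2-example.test from 192.168.1.20
Jun 10 12:00:07 dnsmasq[1234]: query[A] cdn.example.com from 192.168.1.10
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character; a string of n distinct characters scores log2(n)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_dns_tunnels(log_text, min_unique=4, min_label_len=16, min_entropy=3.0):
    """Flag (client, base domain) pairs where the client sent at least min_unique
    distinct subdomain prefixes whose average length and entropy both exceed the
    thresholds (thresholds are assumptions; tune them to the network's baseline).
    Returns {(client, base): set_of_prefixes} for the pairs that trip the rule."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        _qtype, qname, client = m.groups()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain below the base domain, so nothing to carry data
        base = ".".join(labels[-2:])
        seen[(client, base)].add(".".join(labels[:-2]))
    hits = {}
    for key, prefixes in seen.items():
        if len(prefixes) < min_unique:
            continue
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            hits[key] = prefixes
    return hits
```

On the sample, only the 192.168.1.20 client talking to c2-example.test trips the rule; the three short www/mail/cdn lookups to example.com do not.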

                                            1. 2

                                              Since I haven’t seen any mention of it tampering with the kernel or hooking actual syscalls (as opposed to userspace syscall wrappers), it sounds like its concealment mechanisms should be pretty simple to bypass using statically-linked executables? (A static busybox build, say.)

                                              1. 1

                                                This was my take. LD_PRELOAD wouldn’t work in the statically linked context.

                                              2. 1

                                                Or if you’re running in AWS there’s also their guardduty alert which I hope would pick it up: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns

                                                1. 1

                                                  The grsecurity patchset includes a feature called Trusted Path Execution (TPE). It can integrate with the RTLD to completely mitigate LD_PRELOAD abuses. I’m working on implementing something similar in HardenedBSD this weekend. :-)

                                                1. 3

                                                  Note that I had submitted the paper here originally, but the paper was removed. The original lobsters link: https://people.csail.mit.edu/weontaek/pubs/PACMAN_ISCA22.pdf

                                                  1. 3

                                                    On Wednesday, a huge storm hit my area. Our (luckily unfinished) basement flooded with one inch of standing water, two inches in a couple places (near corners). We have a lot of stuff stored in our basement, so we’re going through that. Using the opportunity to declutter by donating stuff that hasn’t seen the light of day in over a year.