1. 4

    My initial fix for HardenedBSD actually introduced a couple new bugs. I blame the violent food poisoning for my lack of attention to detail. ;)

    But, seriously, had I felt better, I would’ve used asprintf to begin with in my fix of the vulnerable code. :)

    Lesson learned: do not commit code immediately after choking on own vomit.

    1. 2

      I’m hoping to see if HardenedBSD works on sparc64, thanks to a donation of a sparc64 server from Baltimore’s hackerspace, Unallocated Space. I’m also hoping to completely finish up a project at work I’ve been hacking on for the past two months.

      1. 2

        I really like the author’s explanations, providing the reader clues into the author’s frame of mind. The reader learns what goes into exploiting this type of vulnerability step-by-step, not just from a mechanic’s perspective, but from a mindset perspective, too.

        1. 6

          Apple donated a whopping $500-999:

          https://www.freebsdfoundation.org/donors/

          I guess every penny is welcome, but it is sad considering how much they benefited from FreeBSD. Also interesting and impressive that Intel donated $250,000+.

          1. 3

            I’d be curious whether that’s a result of their employee-donation matching program. Apple does 2-to-1 matches on employee donations, so if Apple employees donated a collective $250-499 as individuals, that’d explain a $500-999 Apple contribution – if the FreeBSD donors list counts things that way. I notice Google is in the same tier, possibly for the same reason?

            1. 3

              I’m surprised Juniper Networks is not even in that list. Or Sony with their PS4, for that matter.

              1. 1

                There’s also more ways to contribute to a project than just financially. Apple was foundational and crucial in TrustedBSD’s MAC implementation, which is still used today in macOS for code signing and in FreeBSD (and its derivatives, like HardenedBSD and Juniper’s JunOS). Not many are aware of just how much Apple contributes to open source, at the very earliest as TrustedBSD (or earlier) and even until today with Darwin and llvm. (Holy cow did I state that awkwardly. I blame the lack of sleep. Or perhaps the wonderful spa date night I just had with the missus. Or both.)

                I’ve also come to realize just how beneficial it is not to have an entitlement mentality. Apple is a for-profit business, answerable only to its shareholders. Apple’s lack of monetary contributions (regardless of accuracy of such a claim) demonstrates their priorities, which may end up including hiring open source contributors to continue doing their great work open and paid. Instead of a 501(c)(3) receiving funding, a family of five with three-point-one-four-one-five-nine dogs and a dead parrot named Steve, who died in a horrible plane crash,

                So, perhaps there’s another side to the story that paints a different picture. The world would be a very boring place if everyone thought like I did.

              1. 3

                I’m hoping to finish a project at work I’m writing in C between today and Wednesday afternoon. My wife and I will be celebrating the US’s Independence Day by taking our eight-month-old puppy (pic taken at around six months) to Kent Island in the Chesapeake Bay. He absolutely loves the water! I cannot wait to take him camping and hiking next year.

                1. 2

                  Adorable pupper! My little girl is eight-months as well, she’s going to her first water adventure this weekend. Have a safe and happy Fourth!

                1. 4

                  Great idea for spreading malware!

                  1. 2

                    All of these sites were picked by Mozilla, so I’m not sure why it would include malware. If you find something, I’m sure you can report it to bugzilla or @-mention a mozilla employee on here.

                    Also, running this thing slows my computer way down…

                    1. 3

                      Ad networks, even “safe” ones, occasionally carry malicious ads. A couple years back, I had to reinstall a brand spanking new netbook (literally took it out of its package) after a malicious ad popped up on a google search while Windows was applying updates (yeah, yeah, I shouldn’t have opened up IE before Windows was finished applying initial updates).

                      1. 1

                        “yeah, yeah, I shouldn’t have opened up IE before Windows was finished applying initial updates”

                        I’ve done it, too. Hard not to when you have a new toy to play with. I put in NoScript to keep risk low. I think it stayed clean for the updates. ;)

                  1. 3

                    The Ethernet controller on the main SoC is connected to an external Broadcom PHY over a dedicated RGMII link, providing full throughput.

                    Finally, a Raspberry Pi worthy of running OPNsense!

                    1. 2

                      It’d be very interesting to see the testing procedure reproduced on FreeBSD 12.

                      1. 7

                        It’s story time!

                        Exactly a week ago today, my wife and I took our puppy, a black goldendoodle aptly named Vader, to get neutered. The day before his operation (so Sunday, 02 Jun 2019), I took my dog on his “last adventure” before becoming a eunuch. We usually walk every day around five to ten miles. Half way through, it starts to rain. Not much, just a few sprinkles. We continue walking, thinking this was as bad as it was going to get. I couldn’t have been more wrong.

                        The heavens opened. Things got moist. Drenched from head to toe in less than one second–it looked as if we had dunked ourselves, clothing and all, in a pool of water of the wettest kind. And we still had two miles to go to get back to our car.

                        I’m happy to report that my dog LOVES the rain! I cannot wait to take him camping and hiking with me. I’m going to train him to run next to me as I bike.

                        This experience reminded me back when I hiked the Bob Marshall wilderness as an eleven-year-old pipsqueak who weighed only eighty pounds. We hiked fifty miles in five days; ten miles per day. We had to carry everything in our packs. My pack started out forty pounds, but with a devious older brother, ended up being around fifty after he continuously snuck small rocks into my pack each day. An eighty-pound weakling with a forty-to-fifty pound backpack. Four out of the five days, I always brought up the rear, sobbing and crying the entire way.

                        It rained four out of the five days straight. We pitched our tents in the rain, slept in the rain, woke in the rain, hiked in the rain. You get the deal. On day five, the rain stopped. What a relief! However, the non-aqueous environment was now filled with mosquitoes as big as your thumb’s last knuckle. The bringer of death travelling from miles. I’m sure that ten boys and three adults not showering for five days brought a stench that would even offend Sam. You’d wipe a death herd of twenty mosquitoes off your arm, and twenty more would immediately replace them.

                        I broke down. I had enough. My entire body ached. The only way backwards was forwards. So I marched on, faster than even the sixteen-year-olds with their long strides. My dad had a hard time keeping up with me. He and I were the first to the cars. But neither of us had car keys. And the last mile stretch was through desert…

                        I looked back at that experience as my seven-month-old puppy and I walked and had fun in the rain. The winds picked up to around fifty miles per hour as we got closer to our car. I thoroughly enjoyed this experience at thirty-three years old. Why is it that my seven-month-old puppy enjoyed walking two to three miles in this torrential downpour, yet I hated a similar experience at eleven years old?

                        At just seven months old, my dog is teaching me more about life than I ever thought possible.

                        So, I tell those two stories to set the stage for this week:

                        1. Follow-up visit with the vet, make sure Vader’s healing okay
                        2. Watch the Sigur Ros live stream
                        3. Continue learning arm64
                        4. Figure out the best plan of action for HardenedBSD’s amd64 package building server, which is experiencing hardware failures
                        5. Go to dinner with an old friend that I haven’t seen in a while
                        6. Take care of my puppy, start expanding little-by-little his walks post-surgery
                        7. Figure out why some applications at work that communicate programmatically over ssh are malfunctioning

                        It’s gonna be a crazy week!

                        1. 2

                          This was a great story, paired with an incredible link. Thank you. Makes me jones to camp again, fall asleep to trees rocking with wind and rain, waves crashing, that sorta thing. Eat bean salad.

                        1. 3

                          Nice to see the differentiation between ASR and ASLR.

                          1. 3

                            I’m trying to understand this from an attacker’s perspective. If the attacker has gained arbitrary code execution, the attacker already has… code execution. The attacker would simply need to make use of a syscall gadget (doesn’t have to be the actual syscall libc stubs).

                            The only case where this makes sense is when both of these conditions are met:

                            1. OpenBSD’s address space randomization is disabled. I don’t think that’s even possible.
                            2. The attacker is too lazy to use ret2libc techniques even in a RWX memory mapping.

                            Neither of those conditions would particularly be met in the real world. Lazy attackers don’t go after OpenBSD systems.

                            1. 45

                              I’M GONNA MAKE A MARRIAGE PROPOSAL TO A LADY.

                              1. 8

                                Don’t forget to protect yourself with a pre-nuptial agreement.

                                1. 1

                                  Maybe everyone feels like this when they decide to get married, but I’m as sure as a guy can be that this one is gonna be forever.

                                  I get that things change, people change. But even if something terrible were to happen between us, there is no way that it would end any way but amicably.

                                  But we’ve joked around about writing responsibilities into our marriage contract. “No pets. no tickling. I handle all wired and wireless tech with the exception of smartphones.” I am terrible at phones.

                                  I think all laws should include a sunset clause, so that they have to be re-agreed upon every year. In my head it sounded kind of romantic, like we’d “renew our vows” or whatever every year. But I was explaining it poorly to my grandmother and she looked horrified. That idea got the kibosh :P

                                2. 4

                                  CONGRATS! I hope it goes well. :)

                                  1. 3

                                    Awesome!

                                    1. 3

                                      I hope she says yes!

                                      1. 3

                                        💍

                                        1. 2

                                          How did it go?

                                          1. 3

                                            It could have been a bit more romantic. I got down on one knee in front of a Medieval Times near Chicago… It was kinda neat :D

                                            So I had already asked her to marry me and she picked out a ring and we had it ordered from a jeweler in Israel. So I was just really nervous to surprise her with her ring :P

                                            Thanks for asking!

                                        1. 2

                                          I’m chilling in Ottawa, Canada for BSDCan.

                                          1. 5

                                            I’m having fun hacking all week on HardenedBSD in Ottawa, ON, Canada during BSDCan. I plan to spend a good portion of my time in research mode, learning more about the llvm codebase.

                                            1. 4

                                              I’ll be prepping for BSDCan this week. I need to install OPNsense on one more APU4c4.

                                              1. 8

                                                I’m back to getting paid to program in C, the language of loooooove. Yay!

                                                1. 3

                                                  I think getting paid to write C is probably the highlight of my current job. Isn’t it the best?

                                                  1. 1

                                                    How can I get in that love boat? (As in I’ve read THE book, and made trivial personal things, so how does one make the jump?)

                                                    1. 1

                                                      For me, it was making lots and lots of trivial things for years, then in jobs here and there finding opportunities to do small projects in C. Then I went for a job where C expertise was the main thing, and my combined experience paid off.

                                                1. 9

                                                  Unpopular opinion puffin meme: I really dislike that Docker is required, given that Docker is a form of open source vendor lock-in. I’m unable to use this solution due to Docker not being available/supported on the BSDs and I refuse to use Linux.

                                                  Granted, I don’t have an actual use case, but it still irks me that peeps made deliberate choices that prevent me from using and contributing to their solution.

                                                  1. 2

                                                    Run Docker in QEMU? :-) Only half-joking, because the way Docker is ported to Windows and macOS is by running Linux inside a VM.

                                                    I don’t care so much about stuff like this. I mean, can just run Postfix, Dovecot, etc. yourself and you don’t need this container. The annoying things are stuff like test runners that will only run with Docker :-(

                                                    1. 1

                                                      Nah, Windows supports docker natively on server. Desktop requires VM but in next release this is gone too, at least for linux containers as linux kernel will be included side by side with windows kernel.

                                                    2. 1

                                                      Aren’t there tools that could convert docker images to a BSD Jail-compatible format? They probably wouldn’t handle all the advanced use-cases but I can envision something like this working for 80% of the cases.

                                                      1. 1

                                                        I’m sure I’ve seen something like it. But really, you’d want the Docker tooling running and using jails as the “filesystem” driver.

                                                      2. 1

                                                        There are a number of similar solutions using configuration management tools such as Ansible.

                                                      1. 7

                                                        I was originally planning on writing some DTrace-based flame graphs for Tor to find potential areas for performance improvements on HardenedBSD-based systems for Emerald Onion. However, my wife gently reminded me that this weekend is “date weekend” where we have something planned every day (Friday, Saturday, and Sunday). So, instead, I’ll be paying attention to my wife. :)

                                                        1. 7

                                                          “You have chosen… wisely.”

                                                          1. 3

                                                            I think we must have watched the same video. I wrote a little thread on Twitter about the very same topic.

                                                            1. 3

                                                              As someone in your twitter thing mentioned, some folks use it when they don’t trust the ‘first hop’, e.g. a public wifi network. Unfortunately all major VPN providers (PIA, etc) are somewhat misleading folks into thinking that VPN is secure and ‘privacy-protecting’ from the top down, when that’s clearly not the case. Folks who don’t know any better take the VPN bait though.

                                                              Reading anything more than a handful of sentences on twitter is painful.