All, I have posted this question (username-scryptkiddy) in the forums: http://forums.freebsd.org/showthread.php?t=41875 but was suggested to bring it here to the mailing list for discussion. Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We were inspected by a security team and they had issues with FreeBSD's memory management. Namely the transient memory and object reuse areas of FreeBSD. They claimed that FreeBSD did not have a Common Criteria (EAL1-4) evaluation completed, and therefore was vulnerable to the Transient memory problem. Our higher ups need some sort of documentation / testing that can be used to counter this, since changing Operating Systems is not something we have time / manpower to do, but might have too based on this supposed 'finding'. The post has all the details. Let me know I need to repost in this as well. JW
Jonathon Wright wrote this message on Wed, Sep 11, 2013 at 14:15 -1000:> I have posted this question (username-scryptkiddy) in the forums: > http://forums.freebsd.org/showthread.php?t=41875 > but was suggested to bring it here to the mailing list for discussion. > > Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We were > inspected by a security team and they had issues with FreeBSD's memory > management. > > Namely the transient memory and object reuse areas of FreeBSD. They claimed > that FreeBSD did not have a Common Criteria (EAL1-4) evaluation completed, > and therefore was vulnerable to the Transient memory problem.Any system that uses malloc will have difficulties with this as most versions of free will not zero out the memory... You could make modifications to kernel malloc to always zero memory on free, and turn on the junk feature of jemalloc and that could possibly close this issue for them...> Our higher ups need some sort of documentation / testing that can be used > to counter this, since changing Operating Systems is not something we have > time / manpower to do, but might have too based on this supposed 'finding'. > > The post has all the details. Let me know I need to repost in this as well.I know that FreeBSD 4.7 and 4.9 has been EAL3 ceritfied. I worked for nCircle a number of years ago, and they got their products EAL3 cerified. Link: http://www.commoncriteriaportal.org:80/files/epfiles/nCircle%20CR%20v1.0.pdf It is possible someone else has received certification on a newer version, but I'm not aware of any at this time... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."
On 9/12/13 8:15 AM, Jonathon Wright wrote:> All, > > I have posted this question (username-scryptkiddy) in the forums: > http://forums.freebsd.org/showthread.php?t=41875 > but was suggested to bring it here to the mailing list for discussion. > > Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We were > inspected by a security team and they had issues with FreeBSD's memory > management. > > Namely the transient memory and object reuse areas of FreeBSD. They claimed > that FreeBSD did not have a Common Criteria (EAL1-4) evaluation completed, > and therefore was vulnerable to the Transient memory problem. > > Our higher ups need some sort of documentation / testing that can be used > to counter this, since changing Operating Systems is not something we have > time / manpower to do, but might have too based on this supposed 'finding'. > > The post has all the details. Let me know I need to repost in this as well.Pretty much all they've proved to me is that they have no idea of what they are talking about. You need to ask them for a better description of the problem as so far all you've seen is about a hundred computer science professionals rolling around on the floor laughing when you showed them the paragraph from the report.. and you can quote me on that one.> > JW > _______________________________________________ > freebsd-security at freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org" >
FreeBSD has a "transient memory problem?" Not so far as I remember. But maybe I have a transient memory problem. ;-) --Brett Glass