Shawn,
Please note that I said these are the things I've heard, and there
should be people able to answer those better. As such, you should consider
them to be opinion, not pure facts.
On Wed, Mar 9, 2016 at 4:22 PM, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
> (Responding inline)
>
> On Wed, Mar 09, 2016 at 04:05:12PM +0000, Big Lebowski wrote:
> > Hi Piotr,
> >
> > There are people who can probably answer it better, but until they do, I
> > can share what I've heard about it: on the FreeBSD side there are a few
> > things that stop ASLR implementation:
> >
> > - there's no actual agreement between the influential developers on
> > whether ASLR is viable or needed in the first place
>
> Some FreeBSD developers think ASLR would be a good addition and others
> don't. We at HardenedBSD believe that ASLR provides a great foundation
> for further exploit mitigation technologies. We don't hold the belief
> that ASLR is the "end-all-be-all" of security as some would like you to
> believe.
>
That's pretty much what I wanted to say.
>
> > - there was no planning or discussion of how to implement ASLR in FreeBSD;
> > Shawn simply started writing the code, and some developers would like to
> > discuss and plan things first
>
> Discussions took place over a period of over two years. I was very
> cooperative. If you take a look at the two reviews on FreeBSD's
> Phabricator instance (linked to below), you'll notice that there's a lot
> of back-and-forth discussion.
>
Discussing patches and designing a feature such as ASLR are not exactly the
same thing. In the spirit of this, some developers would expect some form
of academic approach, a whitepaper, and so on, not the review
discussion, and that's what is lacking in their opinion.
>
> > - there are doubts expressed in the code reviews about code quality and
> > compliance with FreeBSD standards. Some developers dedicated their time to
> > review the code and provide feedback; there were a few cycles of rewrite,
> > review, rinse, repeat, but if you look into the reviews, Shawn closed
> > them, and I understand they'd only be considered for inclusion if they
> > met the code quality standards expected
>
> Initial patches did not meet code quality standards. However, those
> style(9) violations were fixed early on.
>
> Even though the patches on Phabricator are closed, they can still be
> looked at for independent review. However, the code is now old and does
> not reflect the current implementation in HardenedBSD.
>
> We closed the reviews so that we could focus on making HardenedBSD
> great, not because of the lack of code quality.
>
> I'm not sure whether the patches would be considered for inclusion.
> That's up to FreeBSD to decide. Given that the last patch went months
> without any input from FreeBSD--input that was promised to be delivered.
>
I don't know C and I am not a security expert; however, the code quality was
questioned by people whom I respect for their achievements in security,
operating systems and C knowledge, and I can simply relay what I've heard:
that there are doubts, some people even mentioned actual bugs, so it's not
all about style(9). Yet again, not something I can verify myself, only
something I've heard and can share.
The lack of input is directly caused by my first two points: lack of
agreement that FreeBSD needs it, and lack of an academic style on how
FreeBSD would like to implement it.
>
> >
> > As a side note, one person saying 'ASLR implementation is finished' and
> > a proper ASLR implementation that's properly tested, functional and not in
> > fact opening other security issues are two vastly different things that
> > should be approached very carefully.
>
> Does "being tested over the period of three or so years through many
> full package builds, production deployments, and dogfooding" not mean
> "properly tested?" What does "properly tested" mean to
you?
>
> The developers at HardenedBSD make it a point to run HardenedBSD on all
> their hardware--even laptops.
>
> HardenedBSD has been available for over two years, so it can be tested
> by anyone who downloads it and runs tests themselves. If there's a test
> you'd like me to run, please let me know.
>
Sorry, but I completely disagree here. I don't know the actual numbers, but
I can safely assume that HardenedBSD user numbers are way smaller than
FreeBSD's, and thus I would say that the amount of dogfooding over so short
a period of time (since ASLR is considered to be completed by you) is nowhere
close, for my taste, to considering it production ready. Moreover, do you have
any test results available? Do you have a complete automated test suite
exposed somewhere? Have you done static code analysis? Have you used fuzzers
or any similar tools?
Don't get me wrong, I highly appreciate your work in that area; however, I
would like to see a more complete, thorough and cautious approach to such a
complicated thing as computer security.
Cheers,
BL
>
> Thanks,
>
> Shawn
>
> Original Phabricator review: https://reviews.freebsd.org/D473 (warning:
> huge load time since this review spans around two years).
>
> New Phabricator review for a smaller prereq patch:
> https://reviews.freebsd.org/D3565
>
> Thanks,
>
> Shawn
>
> >
> > Cheers,
> > BL
> >
> > On Wed, Mar 9, 2016 at 2:05 PM, Piotr Kubaj <pkubaj at anongoth.pl> wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > > Shawn Webb has recently announced that ASLR is complete on HardenedBSD.
> > > There are patches ready for FreeBSD to use and it's ready to be shipped
> > > in FreeBSD. However, for some reason FreeBSD developers do not want to
> > > ship ASLR in FreeBSD. Why can't it be included at least as a non-default
> > > src.conf option and marked as experimental?
> > >
> > > FreeBSD is the only OS that matters that doesn't have ASLR.
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v2
> > >
> > > iQIcBAEBCAAGBQJW4C2QAAoJEHpZm4Ugg5yd2MoQAMPZ+UxbpTo9YvJz6YYB8wtH
> > > tRw3jQMUb4K6s26IO1mp/K6p+DM+HXcVvamO2cxjRKseQy/oLBGizgfR1ktBqdXQ
> > > xuqQJc5BCSdKgTsBs0IvNQghvUQkEyvYi+wn9EY9qJh6oEguAkcAWUhl5rGN2FhM
> > > Gwf9VDoPAR+n9Pjl6brcqyQvWczfDx9+VFpF0joeiI5PRRMF1UUsTYM/OHvtVoQA
> > > n1f8qNppIdprjwUjWE/BX6POaDhs4ZZKJRaFmbCuYudDPpX7P1yj7CHz/xthjMYG
> > > 325NnCJpN81fwCmcgvDFU3BYkEC9JSkBoA+5oDdRU3MALsJNQ10rz+IhAaeAsCMb
> > > oz7Oy0Gykeic60NLuMZlhOfl79XW666T1B9wOWlkrAlBPCY6v2kz6t/oJbHHGQOf
> > > CCBuhQJCdzdqyTnv0Bx4ZXiiecwhjvxaAPCwgppnxf2qLuBgxr9BsswMVp7wgYfM
> > > 2sfxk0pS0RuV5M2qWN9UATOyOiO5aPsC4f+WUzUM0LC6MbuHVDJu3QaUo7F3b3Ic
> > > KX150B3gWtsGlZZs8N9mIM3Aj/O5E496JHEf6zmlz6ssLuE6gIO8ICqpFSaXzkJC
> > > IWzgIVdL88gK6niVg7KCOAuzVZ1sxcx7cBCtGzAhVy9RhYKqwAtN9T2YOBC75cQW
> > > OdRGf2V3trcK664nKgEA
> > > =lM/6
> > > -----END PGP SIGNATURE-----
> > > _______________________________________________
> > > freebsd-security at freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-security
> > > To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
> > >
>
> --
> Shawn Webb
> HardenedBSD
>
> GPG Key ID: 0x6A84658F52456EEE
> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
>