freebsd security - Feb 2018 - Fwd: [tor-relays] FreeBSD 11.1 ZFS Tor Image

---------- Forwarded message ----------
From: Shawn Webb <shawn.webb at hardenedbsd.org>
Date: Sun, Feb 25, 2018 at 5:17 PM
Subject: Re: [tor-relays] FreeBSD 11.1 ZFS Tor Image
To: tor-relays at lists.torproject.org


On Sun, Feb 25, 2018 at 04:03:49PM -0600, Conrad Rockenhaus
wrote:
> Wow, I didn't expect my friendly gesture to start another debate, but
the
> reasoning behind offering this image was mainly for people who were
operating
> on OpenStack clouds who wanted to upload the image to their infrastructure
> using glance and start things up quickly. I'm more than willing to
provide the
> ansible scripts I use to initially spin things up, once I clean things up
> since there's still some manual things that can be automated.
>
> I'll just consider this idea dead in the water. That being said:
>
> On Sunday, February 25, 2018 3:50:44 PM CST Shawn Webb wrote:
> > On Sun, Feb 25, 2018 at 09:05:00PM +0000, George wrote:
> > > Conrad Rockenhaus:
> > > > Hello All,
> > > >
> > > > If anyone is interested, I have a RAW image of a FreeBSD
11.1 ZFS image
> > > > that is fully configured and ready to run Tor. Right now
it's an eight
> > > > GB image, but I'm reducing the size by removing all of
the extra stuff
> > > > on it from the upgrade from FreeBSD 11 to 11.1.
> > >
> > > I think it's great to ease the implementation of Tor relays,
> > > particularly on BSDs.
> > >
> > > However, I'd be wary of an image that I didn't build
myself, personally.
> >
> > I agree with that sentiment. I would rather Tor relay operators set up
> > their systems themselves so that they know how that system is
> > configured.
> >
> > I would also suggest users run operating systems that specialize in
> > security, like OpenBSD or HardenedBSD. Running Tor on FreeBSD opens
> > the door to mass exploitation via copy and paste style exploits. I
> > would caution against such setups. Tor has a very unique threat
> > landscape and the security of the relay should be of upmost
> > importance.
>
> I'll be honest, I have never heard of a copy and paste style exploit.
What is
> it? Could you provide me a link with info about it, because I run several
> FreeBSD instances and if I have a ticking timebomb on my hands, I need to
fix
> it.
With FreeBSD's complete lack of exploit mitigations, all tor instances
running on like FreeBSD systems can be exploited the same way. The
memory layout is predictable, memory mappings can be writable and
executable, etc.

The virtual memory layout of tor on your FreeBSD 11.1-RELEASE-p6
instance is going to be the exact same as John Smith's instance. This
means that attackers can write their exploits with 100% reliability,
even with virtual memory addresses hardcoded.

There's no need for ROP, JOP, SROP, etc. on FreeBSD. FreeBSD is
literally stuck in 1999-era security. Writing exploits for such
systems is extremely easy for today's offensive security researchers.

FreeBSD really needs ASLR and W^X, at a minimum, for me to put even
the slightest trust in for applications that are security-sensitive
(like tor). Until then, I'd encourage Tor relay operators to make use
of operating systems that put a focus on security, like OpenBSD or
HardenedBSD.

Just yesterday, I was notified of yet another FreeBSD box getting
popped by an offensive security researcher.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

_______________________________________________
tor-relays mailing list
tor-relays at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 849 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20180226/c72ba4be/attachment.sig>

> Just yesterday, I was notified of yet another FreeBSD box getting
> popped by an offensive security researcher.
> 
Dear Shawn,

If there is a post-mortem analysis and details on that incident, it would be
really interesting what the MO is of that/those attackers who massively own
all the FreeBSDs

There must be quiet a few PoCs out there yet in-depth analysis (that are on
recent versions of FreeBSD) might be interesting.

Depending on the various attack vectors, perhaps other mitigations can be
discussed.

But honestly, I run fairly recent FreeBSD machines and they aren't popped,
that I know of, on a regular basis.

Sincerely,

-- 
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve at localhost.lu
.lu: +352 20 333 55 65
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20180227/25825a97/attachment.sig>

Shawn Webb wrote:
> There's no need for ROP, JOP, SROP, etc. on FreeBSD. FreeBSD is
> literally stuck in 1999-era security.
This is doubly true for ports, including Tor.  I submitted a vuxml entry
for apache-tomcat 5 days ago that still has not been committed.  A
follow-up resulted in two replies from a helpful member of the
ports-secteam, but which took as long to write as the vulxml would have
taken to validate and commit.  Its CVE is priority 7 (remotely
exploitable) but almost a week later pkg audit still won't tell you if
you're running an exploitable Tomcat.

The explanation I received is that the ports-secteam is a volunteer
effort and nobody really expects 'pkg audit' to be timely anyhow.

Such easily fixable problems.  Even the FreeBSD Foundation for all the
projects it funds, and could fund with +$2.5M in the bank, doesn't seem
to care.

Roger Marquis