OpenBSD Journal

Tartalom átvétel OpenBSD Journal
The OpenBSD Community.
Frissült: 1 óra 1 perc

BSDCan 2016 Presentations Online

p, 2016-06-17 15:57
The BSDCan 2016 conference in Ottawa has just concluded, with a number of OpenBSD-themed talks. These are the talks by OpenBSD developers:

Reyk Flöter: An OpenFlow implementation for OpenBSD - Introducing switchd(8) and more about SDN (slides)

Henning Brauer: Running an ISP on OpenBSD - Why OpenBSD and several uncommon uses of it (slides)

Peter Hessler: Bidirectional Forwarding Detection (BFD) implementation and support in OpenBSD. Or: A new protocol actually did improve our routing. (slides)

Mike Belopuhov: Implementation of Xen PVHVM drivers in OpenBSD (slides)

Antoine Jacoutot: OpenBSD rc.d(8) (slides)

Sebastian Benoit: Opensource Routing - Running an enterprise network on OpenBSD (slides)

In addition, two OpenBSD-centric tutorials were offered by people who are not themselves OpenBSD developers:

Peter Hansteen: Building The Network You Need With PF, The OpenBSD Packet Filter (slides)

Aaron Poffenberger: OpenSMTPD for the Real World (slides)

Kategóriák: *BSD

Understanding the modernization of the OpenBSD network stack, part 1: ART single thread performances

p, 2016-06-17 15:53
Martin Pieuchot (mpi@) wrote in, saying

OpenBSD network developers are doing some great work at modernizing and improving the network stack. But even if you're following tech@, it might be tricky to understand what's going on. Read more...

Kategóriák: *BSD

ARMv7 now has a bootloader

v, 2016-05-29 17:41
Progress on the armv7 platform continues, and Jonathan Gray writes in to the arm@ mailing list with some promising news:

There is now a bootloader for armv7 thanks to kettenis@ Recent armv7 snapshots will configure disks to use efiboot and install device tree dtb files on a fat partition at the start of the disk.

u-boot kernel images are no longer part of the release but can still be built for the time being. We are going to start assuming the kernel has been loaded with a dtb file to describe the hardware sometime soon. Those doing new installs can ignore the details but here they are. Read more...

Kategóriák: *BSD

W^X now mandatory in OpenBSD

szo, 2016-05-28 00:27
Traditional Unix has allowed memory to be mapped W | X. Everyone now knows that’s a bad practice from a security standpoint, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2016/05/27 13:45:04 Modified files: lib/libc/sys : mmap.2 mount.2 mprotect.2 sbin/mount : mntopts.h mount.8 mount.c sbin/mount_ffs : mount_ffs.c sbin/mount_nfs : mount_nfs.c sys/kern : kern_sysctl.c vfs_syscalls.c sys/sys : mount.h sysctl.h sys/uvm : uvm_mmap.c usr.sbin/pstat : pstat.c Log message: W^X violations are no longer permitted by default. A kernel log message is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump creation. W^X violating programs can be permitted on a ffs/nfs filesystem-basis, using the "wxallowed" mount option. One day far in the future upstream software developers will understand that W^X violations are a tremendously risky practice and that style of programming will be banished outright. Until then, we recommend most users need to use the wxallowed option on their /usr/local filesystem. At least your other filesystems don't permit such programs. Read more...

Kategóriák: *BSD

Privilege Separation and Pledge (video)

sze, 2016-05-25 15:34
This year's dotSecurity conference featured a presentation from OpenBSD founder Theo de Raadt, titled "Privilege Separation and Pledge."

The video is now available here, in addition to the slides.

Kategóriák: *BSD

p2k16 Hackathon Report: pirofti@ on octeon and TPM

cs, 2016-05-19 13:27
The next hackathon report comes from Paul Irofti, who writes:

This was probably the shortest hackathon I attended. The 4 days flew by and I realised we have to pack and go with nothing to show for.

My usual hackathon work flow is: waste 3-4 days trying to figure how some device works, and then polish the driver(s) for the remaining days while congratulating myself with coffee, Günther and beer. Read more...

Kategóriák: *BSD

p2k16 Hackathon Report: jasper@ on gnome, puppet and more

k, 2016-05-17 14:37
Our next report comes from Jasper Lievisse Adriaanse, who writes:

Hackathons have long since had two themes for me, gnomes and puppets. However this hackathon I actually didn't want to play with puppets for once, yet I ended up importing Puppet 4 after all. More on that later. Read more...

Kategóriák: *BSD

SROP mitigation committed

cs, 2016-05-12 05:28
In a recent email, Theo de Raadt explains the SROP mitigation technique, a recent team effort.

This is the first demonstration of a mitigation against SROP.

Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomized placed per process, it is only known by directly returning from a signal handler.

As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context. That part is similar to the LWN discussion mentioned above. I came to the same conclusion semi-independently as a result of Antoine's ports builds, which identified all the parts of the application software ecosystem I had to study. Woe is me!

Read more...

Kategóriák: *BSD

p2k16 Hackathon Report: krw@ on pdisk, softraid and more

sze, 2016-05-11 18:31
The next hackathon report comes from Ken Westerback, who writes:

I arrived at CDG, got on my train and arrived in Nantes just before a national train strike started. Whew. Did a pleasant walk paralleling the tram tracks to the appropriate tram stop and consulted the documentation. "Hackroom is nearby." Hmmm. Wandered around for a while without stumbling across it, and finally noticed the large neon sign for the hotel. From which I *did* have directions. Got to the hackroom building and found that the doors had been locked early. A few frantic texts later I got in and the normal hackathon routine took hold. Read more...

Kategóriák: *BSD

p2k16 Hackathon Report: ajacoutot@ on Gnome, rc and rcctl improvements

v, 2016-05-08 16:09
Our next p2k16 report comes from Antoine Jacoutot, who writes:

First of all I'd like to give a big thank to gilles@, Epitech Nantes and the OpenBSD Foundation for making this event a real blast. The hackroom accomodation was very nice and so was the location.

Disclaimer: I have a goldfish memory so I am probably forgetting a lot of small things I did during this week, next time I should probably start writing what I'm doing as I go. Read more...

Kategóriák: *BSD

p2k16 Hackathon Report: landry@ on mozilla ports

k, 2016-05-03 20:49
The next report in our p2k16 series is from Landry Breuil, who writes:

For once we had a hackathon in France, so travel should be simple... turns out, at the last minute the past week i had engaged myself in a motorbike rally race, taking place in Corsica on the weekend right before the hackathon. Driving to south of france on Thursday, night boat to corsica, two days racing, then boat back to the mainland, then driving all night to come back to my place, change backpack, sleep 1h, and hop on the cheap bus from my place to Nantes. Arrived there at 21h, i was of course totally destroyed from the 30h trip and after meeting the others for a heavy meal, i crashed early to bed... Read more...

Kategóriák: *BSD

p2k16 Hackathon Report: naddy@ on graphics libs progress (yes, packages!)

k, 2016-05-03 18:07
Fresh from the p2k16 hackathon comes this report from Christian Weisgerber, who writes:

Coming to p2k16, I had only vague plans what to work on. The last few hackathons I had tackled some projects that didn't quite result into something committable, so this time I decided to keep it basic. The idea was to update some ports and maybe make a dent in the use of the obsolete libiconv and gettext modules. Read more...

Kategóriák: *BSD

OpenBSD Foundation Announces Gold Sponsor

k, 2016-05-03 17:35
OpenBSD Foundation director Ken Westerback (krw@) writes in with some great news:

The OpenBSD Foundation is happy to announce that DuckDuckGo has become the first Gold level contributor to the 2016 fundraising campaign.

This donation is part DuckDuckGo's annual initiative to help fund free and open source projects based on nominations from their community.

Not only is it great to hear that companies are giving back to the project, but also that OpenBSD was nominated by DDG users. A big thanks to them and their community!

Donations to the OpenBSD Foundation can be made on the donations page, and they can be contacted regarding corporate sponsorship at fundraising@openbsdfoundation.org.

Kategóriák: *BSD

libcrypto errata - May 2016

k, 2016-05-03 17:28
Ted Unangst just sent an announcement of LibreSSL patches

OpenSSL announced several issues today that also affect LibreSSL. - Memory corruption in the ASN.1 encoder (CVE-2016-2108) - Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) - EVP_EncodeUpdate overflow (CVE-2016-2105) - EVP_EncryptUpdate overflow (CVE-2016-2106) - ASN.1 BIO excessive memory allocation (CVE-2016-2109) Thanks to OpenSSL for providing information and patches. Refer to https://www.openssl.org/news/secadv/20160503.txt Patches for OpenBSD are available: http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/005_crypto.patch.sig http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/013_crypto.patch.sig

Kategóriák: *BSD

p2k16 Hackathon Report: tb@ on documentation, ports, wireless

h, 2016-05-02 15:42
The second p2k16 report comes from first time hackathon attendee Theo Buehler, who writes:

Earlier this year gilles@ invited me to attend p2k16 in Nantes. This was going to be my first hackathon. Despite the fact that it is in the middle of the semester, I could arrange to take a week off and thus got the opportunity to finally meet a few members of the project. Read more...

Kategóriák: *BSD

p2k16 Hackathon Report: espie@ on proot

v, 2016-05-01 01:06
Our very first p2k16 hackathon report comes from none other than Marc Espie, who writes:

Lots of thanks to Gilles Chehade, Epitech Nantes, and Aymeric Fouchault for the organization. It was top-notch. The only complaint I might have is that the food was so good that I might have eaten too much. Read more...

Kategóriák: *BSD

proot: dpb meets chroot

szo, 2016-04-30 18:32
With the p2k16 hackathon just coming to a close, Marc Espie has revealed one of the new things he worked on.

I've been using dpb(1) chroot'd for a long time, using my own methods. This is a first try at making things "simple." Basically,

proot -B /build

should more or less do something sane, and then you can build ports in that chroot. Read more...

Kategóriák: *BSD

anti-ROP mechanism in libc

h, 2016-04-25 16:59
Theo (deraadt@) writes in to the tech@ mailing list, with a clever idea that we would like to try.

This change randomizes the order of symbols in libc.so at boot time.

This is done by saving all the independent .so sub-files into an ar archive, and then relinking them into a new libc.so in random order, at each boot. The cost is less than a second on the systems I am using.

For now, this is only done for libc, because it is generally the most gadget heavy library; spilled registers are more likely to point within the libc segment; and also the gadgets are close to system call stubs. As a result of the change, gadgets are no longer found at fixed offsets from spilled registers.

More details are available on tech@. Please check the thread for any replies or updates.

Kategóriák: *BSD

The p2k16 hackathon has begun

h, 2016-04-25 16:23
OpenBSD developers from around the world have just gathered in Nantes, France for the p2k16 hackathon. This event is technically a ports hackathon, but many non-porters have showed up too, which means you can expect a variety of different improvements.

As an early example, ajacoutot@ has just set sysmerge to run automatically during the upgrade process.

Head over to the hackathons page to see the artwork, and stay tuned to Undeadly for some post-hackathon reports.

Kategóriák: *BSD

Undeadly and HTTPS

h, 2016-04-11 22:11
We here at Undeadly are looking to move the site to HTTPS-only. It's been discussed for quite a while, but there's one roadblock that we're looking for some help to overcome. Read more...
Kategóriák: *BSD