Comments on Network Filter: SECURITY : OPENBSD VS FREEBSD (blog by Guillaume Kaddouch; 25 comments, feed retrieved 2024-03-09)

Anonymous, 2017-11-12:
Agree with Chrcoluk.. not only, but an adamant stay of old A.end binaries in FreeBSD, and perhaps all BSDs.. like ELF Cache binaries.. surprisingly hard to get source or any decent info on how they interact with a >2.6 kernel. It's a bit scary when u hear CentOS 7.2 (ok, that's a fork of RHEL) suffers in datagram mode on IB.. WHY? What about other I/O?

Anonymous, 2017-08-08:
"..Capsicum allows programs to have capability flags, granting them only needed system calls. A capsicum enabled program will only be able to make system calls its capabilities allow it to. For instance if a developer makes an application to read files, he can build capsicum calls in its application to request only file reading/opening capability" ABOUT TIME.. what took kernel writers so long?

Why use an OS without this in the first place? I kno, falling over each other 1st 2market with front panel features hidden by behind-the-scenes crapola SysCalls.

THIS needs to happen at Layer 2, 3, 4, not @ App layer.. as it is currently (except for magical SysCalls to address hardware - what layer is that, App to App or App to board firmware?). Speaking of which: a packet sniffer interacts with the ARP table; is this effectively the wire talking to layer 2 thru compiled object code that remains vulnerable to insertion?
No matter what u do, any open socket is a hole. https://notes.shichao.io/lkd/ch5/

Is there an equivalent to W^X (an overdue security fitted to OpenBSD) for sockets.. May I ask why W^X is said to be fitted only to OpenBSD? Is it possible to compile it into FreeBSD (not that anything's wrong with OpenBSD) or Alpine Linux?

Guillaume sums it up nicely when it comes to choice: "highly vary depending on the software installed and associated risks (a single Postfix VS Apache + MySQL + PHPMyAdmin + Drupal, or a webserver VS a router). Another point of view, is if your webserver is compromised, with all client data, it does not matter if the host will be compromised or not, it's already lost (in that case you may prioritize memory protection with OpenBSD)"

.. there are those who try to secure promiscuous PHP with OpenBSD !!!

Yes please, in a DRAM-held array database.. Could anyone point to an install procedure of AeroSpike (via Apache2) on OpenBSD.. does this work in periodic key exchange for remote clients.. looks interesting, tho don't need the buggy backward compatibility module.. https://github.com/aerospike/aerospike-common/blob/master/src/main/aerospike/crypt_blowfish.c

Even tho this is not a slash forum.. it does illustrate the dilemma facing all: juggling fireballs, guaranteed to get burnt. Leave this to the hackers.. Anyone ready to write a new kernel that does not compile to a Von Neumann architecture?

Anonymous, 2017-08-08:
Guillaume has that producer spirit, making more sense than the gameplay itself.
Look at it this way: more an authority on human psychology than programming, I like to think of C as a ball of string that unravels as programmers toss it around like cats, then some magic, client-interpreted Ruby out of the box.. Python.. always had Perl & TCL (sandbox took on the VM of today). Now PHP rules the reusable object roost, by speedups over resource management in frameworks like Zend, yet the interpreter is written in C.. that ball of string. One reason not to learn C are nightmare pointers that allow external addressing to R/W pages, bounds checking / type variable declarations.. infinitely implemented in so many specific environments that fixes cannot be shared without rewriting code.
https://github.com/PowerShell/xSQLServer/issues/90, as an example for SQLers.

Ok, what's the point (I hear u question): that in the quest for speed (permissive coding) the entire network becomes faulty. It's not even possible to open a socket without hazard (containers and VMs go a distance there, yet still can't determine if a handler is passing segmented worms). Congratulations, in the rush for market dominance u forgot the 2-digit year, that cost the planet trillions of dollars (more than the entire computing effort, in one bubble). Is that smart commerce? It's absolutely stupid commerce, just like compiled rubbish (alright, C has produced RTOSs that block preemption), but where do we go from here.. In a nutshell, a change of paradigm is needed at the CPU level, such as is happening with HMC; the only serious adventure into supercomputing is the Pico SB-801 (& its modular siblings). Even tho the Xilinx KU115 is a beast, u're not going to find 4 of these bridging one HMC, thus the Altera quad-bridge is an exciting re-programmable fabric on an available PCIe board-level compiler lab.
Dump that register-based Von Neumann architecture (apart from embedded SoC, where of course playtime with C continues..
I vote the PIC32 Harvard as the most cost-effective controller; nothing wrong with using multicore ARM + GPU ($18 Orange Linux) for video-related IoT.. where legacy code prevails. Why take buggy runtimes / OSs.. Any crew members?

Waffa, 2016-04-07:
Serious writing, good that you did wonder in the end about the real-life scenario of boxes with different access.

chrcoluk, 2015-09-01:
The list is alarming but does show the path FreeBSD has been taking over the years has been the wrong one if your focus is a secure internet server. I would say the 2 most alarming issues are the lack of ASLR on the current release of FreeBSD and the now very old PF that is distributed with the OS. From what I have seen on the mailing list, the issue with PF is a combination of no one wanting to do the task without payment and the fact that the FreeBSD version of PF was forked with SMP support, which meant backporting revisions from OpenBSD became harder to do. It does appear there is a lack of manpower for development on FreeBSD, and they are prioritizing desktop features over keeping up with security. Which is sadly why I have migrated 100s of servers in the last 5 years from FreeBSD to Linux.
Most of my remaining FreeBSD servers are testing and personal hobby machines.

I feel security features need to always have a higher priority than other features in FreeBSD development, and they should always be backported to the oldest supported branch when possible, as when new security code does ever get added, it's usually on CURRENT only, meaning it's years away from those who follow mature branches.

Anonymous, 2015-08-19:
Same issue on FreeBSD: privilege escalation flaws.

batence, 2015-08-15:
Dude, what about comparing OpenBSD and NetBSD?

Anonymous, 2015-06-17:
^^^ wrong page, sorry.

Anonymous, 2015-06-16:
Curious why you haven't locked down ssh by uncommenting protocol 2. Is there a reason for this? Would doing this cause more damage than good?

Guillaume Kaddouch, 2015-01-19:
Privilege escalation flaws can potentially exist in both FreeBSD and OpenBSD; both have at least one reference that can be found by doing a quick search (FreeBSD mmap & sysret, OpenBSD vga).
However FreeBSD seems to have been hit more by this kind of vulnerability than OpenBSD, still from a quick search. That is definitely something I will look into.

Regards,
Guillaume

Anonymous, 2015-01-19:
What about privilege escalation flaws in FreeBSD?

Anonymous, 2015-01-19:
I'd also like to see a comparison with Linux. Ideally, a network- and security-oriented distribution should be taken for that, and a good candidate would be Alpine Linux, since this one emphasizes these two aspects. I wonder if OpenWrt, being a distro targeting routers, would offer similar functionality, but sort of doubt it. So, I'd definitely like to see Alpine Linux in the mix, since it appears to be uniquely lean while still being complete, with out-of-the-box PaX, PIE, LXC and Xen support and an in-memory operation mode.

Guillaume Kaddouch, 2015-01-16:
Hello,

Systrace alone is indeed not secure enough; it is mentioned in its man page at the end. However, combined with privilege separation/revocation and chroot (which is not secure by itself either), this 3-combo adds some hardening compared to a process running with no protection at all. I find it useful in addition to other security measures; it should not be solely relied on.

Regards,
Guillaume

Anonymous, 2015-01-16:
+1 for including a comparison with Linux. :-)

Anonymous, 2015-01-16:
Hi, IIRC systrace is buggy, cf. systrace(1), http://security.stackexchange.com/questions/19176/why-is-systrace-insecure

Anonymous, 2015-01-16:
A Debian vs. Ubuntu vs. OpenBSD comparison would be great!

Anonymous, 2015-01-03:
Very informative article. I did not realize how far behind FreeBSD's pf was.
I'm curious how much better pfSense and the BSD Router Project do in that area.

Anonymous, 2014-12-21:
Regarding a comparison against Linux, Alpine Linux is one of the only few real security-oriented Linux distributions worth comparing to OpenBSD: http://alpinelinux.org

Anonymous, 2014-12-20:
This was a very nice comparison and I've learned a lot from it. I would definitely like to see one comparing them against the latest Linux kernel and core apps with and without AppArmor, GrSecurity, and SELinux. I know it would be a lot of work, but I hope someone will do it someday. Thanks a lot for all your hard work!

Anonymous, 2014-12-18:
Guillaume Kaddouch: You could test "enterprise" Linux like CentOS (basically RHEL), and the most popular one, Ubuntu, I guess.

can mck (http://www.cam.mckenzie.com), 2014-12-17:
Great article. I liked your war-like conclusion. I was interested to read that FreeBSD does contain many of the same protections as OpenBSD but they are disabled. (I didn't actually think it contained as many.)
Thanks

Guillaume Kaddouch, 2014-12-17:
The article was updated to fix some points, including this one.

Regards,
Guillaume

Guillaume Kaddouch, 2014-12-17:
"Linux" is available as many different distributions; they do not ship with the same features enabled (AppArmor or SELinux for instance). I would have to pick one, which would not necessarily be a simple step. Or choose more than one, which would require a good amount of time. So not for now, but who knows... I never know in advance what my next subjects will be :-)

Regards,
Guillaume

Anonymous, 2014-12-17:
Could it be possible to have another comparison between FreeBSD, OpenBSD and Linux?
:)
Congrats for the blog.

Anonymous, 2014-12-16:
The 'G' option for OpenBSD's malloc(3) only adds guard pages. It returns randomized allocations by default.