Episode 85
PIE in the Sky
April 15th, 2015
1 hr 20 mins 42 secs
Tags
About this Episode
This time on the show, we'll be talking with Pascal Stumpf about static PIE in the upcoming OpenBSD release. He'll tell us what types of attacks it prevents, and why it's such a big deal. We've also got answers to questions from you in the audience and all this week's news, on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
Solaris' networking future is with OpenBSD
- A curious patch from someone with an Oracle email address was recently sent in to one of the OpenBSD mailing lists
- It was revealed that future releases of Solaris are going to drop their IPFilter firewall entirely, in favor of a port of the current version of PF
- For anyone unfamiliar with the history of PF, it was actually made as a replacement for IPFilter in OpenBSD, due to some licensing issues
- What's more, Solaris was the original development platform for IPFilter, so the fact that it would be replaced in its own home is pretty interesting
- This blog post goes through some of the backstory of the two firewalls
- PF is in a lot of places - other BSDs, Mac OS X and iOS - but there are plenty of other OpenBSD-developed technologies end up ported to other projects too
- "Many of the world's largest corporations and government agencies are heavy Solaris users, meaning that even if you're neither an OpenBSD user or a Solaris user, your kit is likely interacting intensely with both kinds, and with Solaris moving to OpenBSD's PF for their filtering needs, we will all be benefiting even more from the OpenBSD project's emphasis on correctness, quality and security"
- You're welcome, Oracle ***
BAFUG discussion videos
- The Bay Area FreeBSD users group has been uploading some videos from their recent meetings
- Sean Bruno gave a recap of his experiences at EuroBSDCon last year, including the devsummit and some proposed ideas from it (as well as their current status)
- Craig Rodrigues also gave a talk about Kyua and the FreeBSD testing framework
- Lastly, Kip Macy gave a talk titled "network stack changes, user-level FreeBSD"
- The main two subjects there are some network stack changes, and how to get more people contributing, but there's also open discussion about a variety of FreeBSD topics
- If you're close to the Bay Area in California, be sure to check out their group and attend a meeting sometime ***
More than just a makefile
- If you're not a BSD user just yet, you might be wondering how the various ports and pkgsrc systems compare to the binary way of doing things on Linux
- This blog entry talks about the ports system in OpenBSD, but a lot of the concepts apply to all the ports systems across the BSDs
- As it turns out, the ports system really isn't that different from a binary package manager - they are what's used to create binary packages, after all
- The author goes through what makefiles do, customizing which options software is compiled with, patching source code to build and getting those patches back upstream
- After that, he shows you how to get your new port tested, if you're interesting in doing some porting yourself, and getting involved with the rest of the community
- This post is very long and there's a lot more to it, so check it out (and more discussion on Hacker News) ***
Securing your home fences
- Hopefully all our listeners have realized that trusting your network(s) to a consumer router is a bad idea by now
- We hear from a lot of users who want to set up some kind of BSD-based firewall, but don't hear back from them after they've done it.. until now
- In this post, someone goes through the process of setting up a home firewall using OPNsense on a PCEngines APU board
- He notes that you have a lot of options software-wise, including vanilla FreeBSD, OpenBSD or even Linux, but decided to go with OPNsense because of the easy interface and configuration
- The post covers all the hardware you'll need, getting the OS installed to a flash drive or SD card and going through the whole process
- Finally, he goes through setting up the firewall with the graphical interface, applying updates and finishing everything up
- If you don't have any experience using a serial console, this guide also has some good info for beginners about those (which also applies to regular FreeBSD)
- We love super-detailed guides like this, so everyone should write more and send them to us immediately ***
Interview - Pascal Stumpf - pascal@openbsd.org
Static PIE in OpenBSD
News Roundup
LLVM's new libFuzzer
- We've discussed fuzzing on the show a number of times, albeit mostly with the American Fuzzy Lop utility
- It looks like LLVM is going to have their own fuzzing tool too now
- The Clang and LLVM guys are no strangers to this type of code testing, but decided to "close the loop" and start fuzzing parts of LLVM (including Clang) using LLVM itself
- With Clang being the default in both FreeBSD and Bitrig, and with the other BSDs considering the switch, this could make for some good bug hunting across all the projects in the future ***
HardenedBSD upgrades secadm
- The HardenedBSD guys have released a new version of their secadm tool, with the showcase feature being integriforce support
- We covered both the secadm tool and integriforce in previous episodes, but the short version is that it's a way to prevent files from being altered (even as root)
- Their integriforce feature itself has also gotten a couple improvements: shared objects are now checked too, instead of just binaries, and it uses more caching to speed up the whole process now ***
RAID5 returns to OpenBSD
- OpenBSD's softraid subsystem, somewhat similar to FreeBSD's GEOM, has had experimental RAID5 support for a while
- However, it was exactly that - experimental - and required a recompile to enable
- With some work from recent hackathons, the final piece was added to enable resuming partial array rebuilds
- Now it's on by default, and there's a call for testing being put out, so grab a snapshot and put the code through its paces
- The bioctl softraid command also now supports DUIDs during pseudo-device detachment, possibly paving the way for the installer to drop the "do you want to enable DUIDs?" question entirely ***
pkgng 1.5.0 released
- Going back to what we talked about last week, the final version of pkgng 1.5.0 is out
- The "provides" and "requires" support is finally in a regular release
- A new "-r" switch will allow for direct installation to a chroot or alternate root directory
- Memory usage should be much better now, and some general code speed-ups were added
- This version also introduces support for Mac OS X, NetBSD and EdgeBSD - it'll be interesting to see if anything comes of that
- Many more bugs were fixed, so check the mailing list announcement for the rest (and plenty new bugs were added, according to bapt) ***
p2k15 hackathon reports
- There was another OpenBSD hackathon that just finished up in the UK - this time it was mainly for ports work
- As usual, the developers sent in reports of some of the things they got done at the event
- Landry Breuil, both an upstream Mozilla developer and an OpenBSD developer, wrote in about the work he did on the Firefox port (specifically WebRTC) and some others, as well as reviewing lots of patches that were ready to commit
- Stefan Sperling wrote in, detailing his work with wireless chipsets, specifically when the vendor doesn't provide any hardware documentation, as well as updating some of the games in ports
- Ken Westerback also sent in a report, but decided to be a rebel and not work on ports at all - he got a lot of GPT-related work done, and also reviewed the RAID5 support we talked about earlier ***