a systematic evaluation of openbsd s mitigations
play

A systematic evaluation of OpenBSD's mitigations 36c3 stein - PowerPoint PPT Presentation

Mar 17, 2023 •180 likes •675 views

A systematic evaluation of OpenBSD's mitigations 36c3 stein Agenda Why Mitigations Attack surface reduction Hardware vulnerabilities Memory corruption Misc Missing ones Conclusion 2 Earlier

  1. A systematic evaluation of OpenBSD's mitigations 36c3 — stein

  2. Agenda ● Why ● Mitigations ○ Attack surface reduction ○ Hardware vulnerabilities ○ Memory corruption ○ Misc ○ Missing ones ● Conclusion 2

  3. Earlier this year, on an irc channel… ze > whenever I read ROP-chain I'm reminded why I run OpenBSD :D stein > why? ze > because OpenBSD is taking security seriously … a couple of weeks later ts > You should do a talk at the CCC about this 3

  4. OpenBSD? Fork of NetBSD in October 1995 by Theo de Raadt Goals: Pay attention to security problems and fix them before anyone else does. (Try to be the #1 most secure operating system.) […] Be as politics-free as possible; solutions should be decided on the basis of technical merit. 4 Source: https://www.openbsd.org/goals.html

  5. Heated responses to this talk ● Just look at https://www.openbsd.org/innovations.html ● Just look at https://www.openbsd.org/events.html ● “There are almost no exploits for OpenBSD” ● “OpenSSH and opensmtpd are the best!” ● “All the mitigations are complementary” ● “Just read undeadly.org” ● “the talk title sure is clickbait...” Sources: ● bsd.network/@yuki_is_bored ● https://www.reddit.com/r/openbsd/comments/dy7b3v/openbsd_markets_itself_as_a_secure_operating/ 5

  6. How do we measure exploit mitigations anyway? MitiGator. The well-intentioned, but short-sighted and not terribly effective alligator, always working to make exploitation harder. — Halvar Flake Source: https://twitter.com/halvarflake/status/836492121339211776 6

  7. How do we measure exploit mitigations anyway? In the words of Ryan Mallon: Threat modelling rule of thumb: if you don’t explain exactly what you are securing against and how you secure against it, the answers can be assumed to be: “bears” and “not very well”. Source: https://twitter.com/ryiron/status/1150924668020203521 7

  8. So here we go ● Where are the mitigation coming from? ● Against what are they defending? ● Are they effective? ● How is the outside world doing? 8

  9. Attack surface reduction 9

  10. Pledge ● Linux: Seccomp was created in 2002, merged in 2005, seccomp-bpf 2012 ● OpenBSD: Tame pledge was born in 2015 Amazing attack-surface reduction mitigation ● Simple to use: only a couple of options: stdio, inet, dns, exec, id, … ○ Capability-based, not syscall-based. ● Used: more than seccomp ● Super effective! 10

  11. Unveil ● “Pledge but for files” ● Doesn’t abort on violation ● Used by 77 userland programs as of OpenBSD 6.6 A pretty good mitigation, a bit like Apparmor/SELinux, but cooler. 11

  12. Privilege separation and privilege drop ● 1997: qmail by djb, several processes, only one as root ● 1997: postfix did the same ● 2002: OpenSSH got privsep Almost all OpenBSD-written programs are using privsep and privdrop! 12

  13. Hardware vulnerabilities 13

  14. Hyperwhat? OpenBSD disabled HyperThreading support by default in June 2018! This allowed them to (partially) dodge at least: ● L1TF in userland ● MDS (and its variants) in userland 14

  15. Spectre v1, v2 and v3 Windows Linux OpenBSD Compiler-based Manually removing Spectre v1 Nothing Day 0 gadgets Day 0 for arm Retpolines Retpolines Spectre v2 3 months for -current for Day0 Day 0 amd64 Day 0 for arm KPTI KPTI Spectre v3 1 month for -current for Day 0 Day 0 amd64 15

  16. The other ones™ Windows Linux OpenBSD L1TF PTE inversion PTE inversation L1 trashing L1 Trashing L1 Trashing Day 9 Day 0 Day 0 MDS Day 0 Day 0 Day 3 SWAPGS Day 3 Day 0 Day 3 16

  17. Randomization 17

  18. AS(L)R ● July 2001: PaX’ ASLR ● August 2001: OpenBSD added a random offset for the stack ● 2003: OpenBSD’s added a random offset for libraries and mmap ● 2005: Linux added a random offset for stack and mmap ● … ASR and not ASLR. At least it's not per-boot. 18

  19. KARL ● July 2017: OpenBSD relinks kernel objects in a random order after every boot. ● Kills single-pointer leaks ● Useful against attackers without ○ A large-enough arbitrary read ○ a CPU side-channel (local) 19

  20. Libc/libcrypto symbols randomisation ● 2016: OpenBSD randomize symbols order in libc and libcrypto at boot time ● Defeated by arbitrary read or BROP ● Kill single-pointer leaks and relative overwrite 20

  21. Library order randomisation ● November 2003: OpenBSD randomize the order of libraries ● Small improvement over ASLR ● A single-leak is usually a complete bypass ● Entropy is pretty low 21

  22. Position Independent Code/Executable ● August 2001: PaX implements PIE ● 2003 ○ Gentoo hardened builds its whole userland with PIE/PIC ○ Fedora/RHEL uses PIE/PIC for setuid/network-facing binaries ● 2008: OpenBSD supports PIE ● 2011: PIE by default on iOS and OSX ● July 2012: Android 4.1 supports PIE, and compiles system binaries with it ● August 2012: PIE enabled by default in OpenBSD 22

  23. Position Independent Code/Executable OpenBSD 5.3 was the first widely used operating system to enable it globally by default, on seven hardware platforms. ● Android was first for 6 different architectures ● Fedora was first for 8 different architectures ● Gentoo Hardened, Adamantix and Apple enabled PIE by default before OpenBSD 23 Source: https://www.openbsd.org/innovations.html

  24. W^X 24

  25. W^X — OpenBSD ● W^X is a cool mitigation, since 1997 ○ Prevents the introduction of new code ● OpenBSD was late to the party ○ 2002 for userland ○ 2015 for kernel-land ● Lack of PAX_MPROTECT/ACG/KTRR ○ Theo de Raadt even argued in 2003 that this would break POSIX 25

  26. W^X "refinement" in 2019 Theo de Raadt said in 2019: I wish to block direct system calls from those areas, thereby forcing the attacker to deal with the (hopefully) more complex effort of using JIT support environment code, or probably even harder discovering the syscall stubs directly inside the randomly-relinked libc. ● Block syscalls from executable memory ● Block syscalls from memory that doesn’t have the msyscall flag 26 Source: https://marc.info/?l=openbsd-tech&m=155899373514678&w=2

  27. Memory corruption mitigations 27

  28. Userland heap management ● July 2008: Otto-malloc, by Otto Moerbeek and Damien Miller ● Out-of-band metadata, read-only structures, quarantine via delayed free, junking, canaries, page-alignment, optional guard pages, randomisation everywhere, … ● An amazingly secure allocator! ○ Unfortunately a bit slow 28

  29. RELRO ● Created in January 2004 by Red Hat ● 2016: Partial RELRO in OpenBSD ● 2017: Full RELRO Plot twist: lazy bindings! ● The kbind syscall ○ Behind a call-site verification (TOFU) and a cookie ○ Provides an arbitrary write 29

  30. TRAPSLED Invented in 2017 by Todd Mortimer I have attached a patch that converts NOP padding from the assembler into INT3 padding on amd64. The idea is to remove potentially convenient NOP sleds from programs and libraries, which makes it harder for an attacker to hit any ROP gadgets or other instructions after a NOP sled. 30 Source: https://marc.info/?l=openbsd-tech&m=149792179514439&w=2

  31. ROP gadgets removal ● Change register selection priority ● Replace some instructions with others ○ xchg A, B; mov B, α; xchg B, A instead of mov A, α. ● Force alignment with TRAPSLED ○ jmp A; int3; int3; … int3; A: ● RETGUARD to protect aligned ret ○ No more ROP gadgets on arm64! ○ More on this later 31

  32. Rop gadgets removal, but why? ● It kills the magical libc gadget! ● Because ROPGadget can’t build a complete execve rop chain with the kernel binary! ● It reduces the number of gadgets of about 11% on amd64 ● It doesn’t kill JOP, COOP, PCOP, … and all the ret-to-… ● Theo de Raadt said “we believe once standard-RET is solved those concerns become easier to address seperately in the future. In any case a substantial reduction of gadgets is powerful.” 32

  33. RETGUARD ● 1997: stackguard, by Crispan Cowan et Al. ● 2003: OpenBSD added stack cookies in userland and kernelland ● 2017: RETGUARD ○ XOR the return address at top of stack with the stack pointer value itself. 33

  34. RETGUARD 2018 Prologue Epilogue mov r11, qword [obj.__retguard_3111] xor r11, qword [rsp] xor r11, qword [rsp] cmp r11, qword [obj.__retguard_3111] je XXX int3, int3, int3, int3… XXX: ret 34

  35. NULL-deref in kernel-land ● 2004: PaX' KERNEXEC in 2004 and UDEREF in 2006 ● 2006: Ilja van Sprundel’s "Unusual bugs" at 23C3 ● 2007: mmap_min_addr added in Linux 2.6.23 ● June 2008: OpenBSD prevents the mapping of the first page Theo de Raadt said: For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution. 35 Source: http://www.uaoug.org.ua/archive/msg01089.html

  36. SMAP, SMEP and their friends ● PaX’ UDEREF in August 2006 ● Everybody added SMEP/SMAP support in 2012 ● OpenBSD’s SMAP support had a trivial bypass until September 2017 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org> OpenCON, 2005 Outline 1 Porting OpenBSD What It Takes Preparation Cross-Development The Boot Loader Building The Kernel Adapting Startup

1.59k views • 88 slides
Evaluation & Research 27 August 2019 NPN- Chicago Evaluation is a systematic process to

Evaluation & Research 27 August 2019 NPN- Chicago Evaluation is a systematic process to

Evaluation & Research 27 August 2019 NPN- Chicago Evaluation is a systematic process to determine merit, worth, value or significance. -The American Evaluation Association Evaluation helps coalitions Name and frame community

730 views • 44 slides
Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD BSDConTr, Istanbul, Turkey Agenda 1 Introduction 2 Radio Clocks 3 Architectural Overview 4 Support for GPS-Receivers 5 Support for Time Signal

745 views • 35 slides
Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Reflections|Projections 2007 Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org Overview of OpenBSD History Berkeley Software Distribution (BSD) First freely distributable BSD was released in June

810 views • 24 slides
Systematic Evaluation of Complex Systems Acknowledgement: Parts of these slides are based on

Systematic Evaluation of Complex Systems Acknowledgement: Parts of these slides are based on

Systematic Evaluation of Complex Systems Acknowledgement: Parts of these slides are based on [Jai91] 1 Telematics 2 / Performance Evaluation (WS 17/18): 11 Systematic Evaluation of Complex Systems Systematic Evaluation of Complex Systems

566 views • 40 slides
Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

668 views • 15 slides
Triangulation applied to the identification of evaluation findings Experiences with systematic

Triangulation applied to the identification of evaluation findings Experiences with systematic

Triangulation applied to the identification of evaluation findings Experiences with systematic triangulation in the GEF Carlo Carugi Senior Evaluation Officer Independent Evaluation Office Global Environment Facility 1 Overview Rationale

399 views • 15 slides
Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler phessler@openbsd.org OpenBSD 17 March, 2013 1 / 27 what is this spamd uses IP host entries, to whitelist, blacklist or greylist hosts spamd can import and

412 views • 27 slides
Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe akoshibe@openbsd.org AsiaBSDCon 2018 SDN? Network split into programmable nodes that handle traffic and entities that program them

372 views • 26 slides
07 Introduction to MiLE+ : a systematic method for usability evaluation Prof. Garzotto In a

07 Introduction to MiLE+ : a systematic method for usability evaluation Prof. Garzotto In a

HCI - Lesson 6 07 Introduction to MiLE+ : a systematic method for usability evaluation Prof. Garzotto In a nutshell... MiLE+ (Milano-Lugano Evaluation) Developed in cooperation between HOC-Lab (Politecnico di Milano) and TEC-Lab

838 views • 44 slides
Economic Evaluation Studies of Self-Management Interventions in Chronic Diseases: a systematic

Economic Evaluation Studies of Self-Management Interventions in Chronic Diseases: a systematic

Economic Evaluation Studies of Self-Management Interventions in Chronic Diseases: a systematic review Mitchel van Eeden Caroline van Heugten Ghislaine van Mastrigt Silvia Evers (speaker) IHEA Dublin Thursday July 15th Health Services

486 views • 13 slides
LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1)

LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1)

OpenBSD rc.d(8) LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1) OpenBSD developer since 2006 ajacoutot@ aka aja@ sysmerge, rc.d, rcctl, libtool, stuff, other stuff >400 ports,

1.19k views • 64 slides
OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to be able to create VM images on OpenBSD for VMM and many other virtualizers. Philipp Bhler <pb@sysfive.com> @pb_double sysfive.com portfolio

510 views • 20 slides
OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org> Fosdem 2020, Brussels Historical setup some OpenBSD mail servers Postfix + Apache SpamAssassin + Amavisd-new + Courier Imap no shared

310 views • 20 slides
1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations

1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations

1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations & Future Tony Barber Nov 2013 TF-NOC Wayne Routly, DANTE GEANT APM, Vienna 8 October, 2013 Agenda Effects Real World Examples Mitigations

237 views • 13 slides
Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview Return Oriented Programming Removing ROP Gadgets Unaligned / Polymorphic Gadget Reduction Aligned Gadget Reduction Results Return

1.99k views • 99 slides
Importance of storytelling in open source projects Speaker : Justin W. Flory License : CC-BY-SA

Importance of storytelling in open source projects Speaker : Justin W. Flory License : CC-BY-SA

What open source and J.K. Rowling have in common Importance of storytelling in open source projects Speaker : Justin W. Flory License : CC-BY-SA 4.0 So, who are you? Fedora contributor Community Operations team lead, Fedora Magazine

351 views • 20 slides
Writing Software That's Safe Enough To Drive A Car @shnewto Clickbait ! Functional safety is...

Writing Software That's Safe Enough To Drive A Car @shnewto Clickbait ! Functional safety is...

Writing Software That's Safe Enough To Drive A Car @shnewto Clickbait ! Functional safety is... the absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems. State of the Art What is safe enough?

353 views • 17 slides
Exploration/Exploitation in Multi-armed Bandits Spring 2019, CMU 10-403 Katerina Fragkiadaki

Exploration/Exploitation in Multi-armed Bandits Spring 2019, CMU 10-403 Katerina Fragkiadaki

Carnegie Mellon School of Computer Science Deep Reinforcement Learning and Control Exploration/Exploitation in Multi-armed Bandits Spring 2019, CMU 10-403 Katerina Fragkiadaki Used Materials Disclaimer : Some of the material and slides

895 views • 67 slides
Drupal as a Learning Platform Drupal can manage learning, too https://skvare.com Presenter: Mark

Drupal as a Learning Platform Drupal can manage learning, too https://skvare.com Presenter: Mark

Drupal as a Learning Platform Drupal can manage learning, too https://skvare.com Presenter: Mark Hanna @Skvare Senior Developer, Skvare Drupal as a Learning Platform Has all the functionality one needs to create and operate an online

532 views • 32 slides
PROGRAMME 6.15pm Welcome & Briefing by Associate Chair (Academic) Introduction to NTU

PROGRAMME 6.15pm Welcome & Briefing by Associate Chair (Academic) Introduction to NTU

PROGRAMME 6.15pm Welcome & Briefing by Associate Chair (Academic) Introduction to NTU Libraries Resources and Access by 6.30pm Mr Law Loo Shien (CMIL) 6.45pm Proceed to Programme Briefing (venues): Info Studies & Knowledge Management

950 views • 22 slides
W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific

W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific

W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific Audio Tips Todays audio is streaming to your computers speakers or headphones. Too loud or soft? Adjust volume level in the Audio broadcast

502 views • 38 slides
Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory

Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory

Introduction to the Infinity Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory Workshop on Smart Cities , 26 -27 Sep 2011, Paris Background and Overview of FI-PPP Supporting programmes that accelerate

183 views • 17 slides
About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor, Analyst, Engineer, Architect Tech policy Instructor @DC_TOOOL Conference Organizer / Volunteer apporima.com @apporima api_security I

204 views • 17 slides

More recommend