HardenedBSD June 2022 Status Report

June saw some cool security enhancements to HardenedBSD. So let's kick off our usual list:

In src, 14-CURRENT:
1. The HardenedBSD amd64 kernel configs have been unified to be based off of HARDENEDBSD-CORE.
2. OpenSSH's ssh-sk-helper program violates the cfi-icall scheme. Until I get time to dive in (or if someone beats me to it), I've disabled the cfi-icall scheme for that program. Users can now use the integrated FIDO2/U2F key support in OpenSSH.
3. Our Trusted Path Execution feature from secadm now exists in base. There are some differences, which I will document in our wiki soon. TPE violations are logged. One major thing left to do is integrate with mmap(fd, PROT_EXEC). This would also prevent a PaX NOEXEC bypass by virtue of creating a file with an executable payload, mapping it in memory, and executing it.
4. The RTLD has been significantly hardened. This has the potential to cause issues, especially when building ports/packages. A new sysctl node (hardening.harden_rtld) has been added and is defaulted to 1 (enabled).

I plan to MFC all of the above to 13-STABLE soon. If you build your own packages or ports, please take special note of item four above. Here are a few more details on how we've hardened the RTLD (when hardening.harden_rtld is set to 1):
1. LD_PRELOAD is fully prohibited.
2. Set dangerous_ld_env, which isn't used much in the RTLD, but could be used more in the future.
3. Sensitive LD_* environment variables are scrubbed.
4. Using the RTLD to execute applications is prohibited.
5. Tracing of loaded objects is prohibited. This change in particular breaks ldd(1), which is used by a lot of ports during the build process. This is what can cause the most headaches.

In ports:
1. SafeStack and CFI are disabled if PKGNAMESUFFIX ends with -static.
2. PaX PAGEEXEC is disabled for sysutils/syslog-ng
3. New port added: sysutils/pc-sysinstall
4. SMB support was added to multimedia/ffmpeg
5. PaX MPROTECT is disabled for emulators/wine
6. PaX MPROTECT is disabled for emulators/wine-proton
7. PaX MPROTECT is disabled for net-im/nheko
8. PaX MPROTECT is disabled for net-im/quaternion
9. PaX MPROTECT is disabled for www/node16

Other projects:
1. Work is now officially underway to provide the HardenedBSD community with a HardenedBSD 13-STABLE based fork of OPNsense. We're really close to providing a proof-of-concept build, likely before the end of July 2022. We will provide periodic (monthly? bi-weekly?) updates. If you'd like to follow along, the repos are here.
2. The old 12-STABLE package building server will be used to perform periodic automated builds of Loic's LiveCD project, making it an official HardenedBSD project. This server will also build the HardenedBSD+OPNsense builds. Time frame for completing this will likely be in August 2022.
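To make the RTLD items above concrete for people who wrap or exec programs from their own tooling, here is an added user-space model of the same policy (this is example code written for this page, not HardenedBSD's rtld source): LD_PRELOAD is refused outright, a set of other loader-influencing LD_* variables is scrubbed before exec, and the LD_TRACE_LOADED_OBJECTS variable that ldd(1) relies on is among them, which is why ldd breaks under the hardened loader. The exact variable list is an assumption drawn from the variables FreeBSD's rtld honours, not the set HardenedBSD scrubs; the `harden` flag stands in for hardening.harden_rtld.

```python
"""User-space model of the hardened RTLD environment policy.

Added example for illustration; it is not HardenedBSD's rtld code.
The variable list below is an assumption (based on what FreeBSD's
rtld reads), not the exact set HardenedBSD scrubs.
"""
import os
import sys

# Assumption: LD_* variables that change how the dynamic linker locates
# or loads objects. LD_TRACE_LOADED_OBJECTS is what ldd(1) sets, so
# scrubbing it is the model of "tracing of loaded objects is prohibited".
SENSITIVE_LD_VARS = frozenset({
    "LD_LIBRARY_PATH",
    "LD_LIBRARY_PATH_FDS",
    "LD_LIBMAP",
    "LD_LIBMAP_DISABLE",
    "LD_ELF_HINTS_PATH",
    "LD_LOADFLTR",
    "LD_DEBUG",
    "LD_TRACE_LOADED_OBJECTS",
})


class PreloadProhibited(Exception):
    """Raised when LD_PRELOAD is present and hardening is enabled."""


def scrub_ld_env(env, harden=True):
    """Apply the policy to an environment mapping.

    Returns (clean_env, removed) where `removed` is the sorted list of
    variable names that were dropped. With harden=False (the model of
    hardening.harden_rtld=0) the environment is passed through untouched.
    LD_PRELOAD is a hard failure rather than a silent drop, mirroring
    "LD_PRELOAD is fully prohibited".
    """
    if not harden:
        return dict(env), []
    if "LD_PRELOAD" in env:
        raise PreloadProhibited("LD_PRELOAD is prohibited under harden_rtld")
    removed = sorted(k for k in env if k in SENSITIVE_LD_VARS)
    clean = {k: v for k, v in env.items() if k not in SENSITIVE_LD_VARS}
    return clean, removed


def exec_hardened(argv, env=None, harden=True):
    """Exec `argv` with a scrubbed environment, logging what was removed.

    Never returns on success (os.execvpe replaces the process).
    """
    env = os.environ if env is None else env
    clean, removed = scrub_ld_env(env, harden)
    for name in removed:
        print(f"harden_rtld: scrubbed {name}", file=sys.stderr)
    os.execvpe(argv[0], argv, clean)


if __name__ == "__main__":
    # Constructed sample environment: a build environment that sets
    # LD_LIBRARY_PATH (as many port builds do) plus ldd's trace variable.
    sample = {
        "PATH": "/usr/bin:/bin",
        "HOME": "/home/builder",
        "LD_LIBRARY_PATH": "/usr/local/lib",
        "LD_TRACE_LOADED_OBJECTS": "1",
    }
    clean, removed = scrub_ld_env(sample)
    print("kept:", sorted(clean))
    print("removed:", removed)
```

Running the module prints the kept and removed names for the constructed sample; `exec_hardened` is what a launcher would call in place of a bare `os.execvpe`. Note that the "removed" list is exactly the place where a port build that sets LD_LIBRARY_PATH or calls ldd(1) will see different behaviour, which is the headache item five warns about.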