headers
Dmitri Nikulin | 11 Nov 2004 13:41
Picon

Preventative security features?

Is there any reason NetBSD doesn't implement many preventative security 
features? Even FreeBSD has quite a lot imported/cloned from OpenBSD (I'm 
assuming so anyway, since that's where they'd come from), but NetBSD 
doesn't seem to have many, even those that could be implemented as 
2/3-liners portably. NetBSD has the passive security that comes from 
good code, but a little extra can't hurt.

If nobody else wants to do it, I could try my hand at porting some 
features, or at least reproducing. Browsing over FreeBSD 5.3-STABLE 
source, I'm seeing things like this...

    728         if (blackhole) {
    729             switch (blackhole) {
    730             case 1:
    731                 if (thflags & TH_SYN)
    732                     goto drop;
    733                 break;
    734             case 2:
    735                 goto drop;
    736             default:
    737                 goto drop;
    738             }

...that deserve http://thedailywtf.com/ inclusion. Clearly re-writes are 
the way here.

Is there a reason these things (blackholes, randomization of kernel 
data, etc) aren't done in NetBSD? If not, does anybody object to work 
done to bring them in to -current? I'd certainly like features like 
that, even if I have to code them myself.
(Continue reading)

Permalink | Reply | 18 comments |
headers
Martin Husemann | 11 Nov 2004 14:38
Picon

Re: Preventative security features?

On Thu, Nov 11, 2004 at 11:41:06PM +1100, Dmitri Nikulin wrote:
> At the very least, the ability to run nmap against a NetBSD machine and 
> have it be completely unknown, even with plenty of open and closed ports 
> available.

I don't see the security benefit of this. I prefer script kiddis noticing
NetBSD, sighing loud, and giving up ;-)

Martin
P.S.: the nmap 3.55 I had lying around has not been able to guess the OS on any
NetBSD machine I pointed it at.
Permalink | Reply | 2 comments |
headers
Steven M. Bellovin | 11 Nov 2004 14:44
Picon

Re: Preventative security features?

In message <20041111133815.GF6553 <at> drowsy.duskware.de>, Martin Husemann writes:
>On Thu, Nov 11, 2004 at 11:41:06PM +1100, Dmitri Nikulin wrote:
>> At the very least, the ability to run nmap against a NetBSD machine and 
>> have it be completely unknown, even with plenty of open and closed ports 
>> available.
>
>I don't see the security benefit of this. I prefer script kiddis noticing
>NetBSD, sighing loud, and giving up ;-)
>
>Martin
>P.S.: the nmap 3.55 I had lying around has not been able to guess the OS on an
>y
>NetBSD machine I pointed it at.
>
Indeed.  I just pointed nmap 3.70 at a 2.0rc4 machine and was told

  Running: NetBSD, Microsoft Windows 95/98/ME|NT/2K/XP
  OS details: NetBSD 1.6ZD, Microsoft Windows NT 3.51 SP5, NT 4.0 or 95/98/98SE

I mean, it's rather slanderous, calling NetBSD a version of Windows...

		--Steve Bellovin, http://www.research.att.com/~smb
Permalink | Reply | 1 comment |
headers
Hubert Feyrer | 11 Nov 2004 14:49
Picon
Favicon

Re: Preventative security features?


> Indeed.  I just pointed nmap 3.70 at a 2.0rc4 machine and was told
> 
>   Running: NetBSD, Microsoft Windows 95/98/ME|NT/2K/XP
>   OS details: NetBSD 1.6ZD, Microsoft Windows NT 3.51 SP5, NT 4.0 or 95/98/98SE
> 
> I mean, it's rather slanderous, calling NetBSD a version of Windows...

Now, why not the other way 'round?
Windows wouldn't be the first operating systems that's based (as a whole 
or in part) on NetBSD, and there were rumours before that Microsoft uses a 
BSD-based network stack. Go figure.

  - Hubert

--

-- 
NetBSD - Free AND Open!      (And of course secure, portable, yadda yadda)
Permalink | Reply | 1 comment |
headers
Alexander Yurchenko | 11 Nov 2004 14:50
Picon
Picon
Favicon

Re: Preventative security features?

On Thu, Nov 11, 2004 at 08:44:59AM -0500, Steven M. Bellovin wrote:
> In message <20041111133815.GF6553 <at> drowsy.duskware.de>, Martin Husemann writes:
> >On Thu, Nov 11, 2004 at 11:41:06PM +1100, Dmitri Nikulin wrote:
> >> At the very least, the ability to run nmap against a NetBSD machine and 
> >> have it be completely unknown, even with plenty of open and closed ports 
> >> available.
> >
> >I don't see the security benefit of this. I prefer script kiddis noticing
> >NetBSD, sighing loud, and giving up ;-)
> >
> >Martin
> >P.S.: the nmap 3.55 I had lying around has not been able to guess the OS on an
> >y
> >NetBSD machine I pointed it at.
> >
> Indeed.  I just pointed nmap 3.70 at a 2.0rc4 machine and was told
> 
>   Running: NetBSD, Microsoft Windows 95/98/ME|NT/2K/XP
>   OS details: NetBSD 1.6ZD, Microsoft Windows NT 3.51 SP5, NT 4.0 or 95/98/98SE
> 
> I mean, it's rather slanderous, calling NetBSD a version of Windows...

May be it just means that old windows versions use netbsd's tcp/ip stack?

> 
> 		--Steve Bellovin, http://www.research.att.com/~smb
> 

--

-- 
   Alexander Yurchenko (aka grange)
(Continue reading)

Permalink | Reply | 0 comments |
headers
Ken Seefried | 11 Nov 2004 16:05

Re: Preventative security features?

Hubert Feyrer writes:
> there were rumours before that Microsoft uses a 
> BSD-based network stack. Go figure.

FWIW...not a rumour.  Microsoft acknowledged that the NT TCP/IP stack was 
BSD based (circa BSD 4.4, AFAIK), at least in part.  They apparently rewrote 
everything from scratch in the Win2k timeframe, tho. 

It's one of the sticks the GPL folks always drag out with which to try and 
flog the BSD license. 

Ken
Permalink | Reply | 0 comments |
headers
Curt Sampson | 12 Nov 2004 03:26
Gravatar

Re: Preventative security features?

On Thu, 11 Nov 2004, Alexander Yurchenko wrote:

> May be it just means that old windows versions use netbsd's tcp/ip stack?

Hmm. So *that's* where Soda-san got all that new TCP/IP code!

cjs
--

-- 
Curt Sampson  <cjs <at> cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
     Make up enjoying your city life...produced by BIC CAMERA
Permalink | Reply | 0 comments |
headers
Tim Kelly | 12 Nov 2004 04:15

overfilling mfs partitions over 600M cause kernel panics?

I have confirmation of this on a system independent of my own, and now
we're trying to determine if this is an architectural issue or farther
reaching.

Net7300# mkdir /mfs
Net7300# mount_mfs -s 600m ffs /mfs
Net7300# cp -R /usr/* /mfs
panic: kernel diagnostic assertion "pcb->pcb_kmapsr == 0" failed: file
"../../..
/../arch/powerpc/powerpc/trap.c", line 546
Stopped in pid 371.1 (mount_mfs) at     netbsd:cpu_Debugger+0x10:
lwz r0, r1, 0x14
db{1}> bt
0xd521fc40: at panic+0x19c
0xd521fcd0: at __assert+0x28
0xd521fce0: at copyout+0x14c
0xd521fd70: at mfs_doio+0x84
0xd521fd90: at mfs_start+0xa8
0xd521fdd0: at sys_mount+0x414
0xd521fed0: at syscall_plain+0xc8
0xd521ff40: user SC trap #21 by 0x418839b8: srr1=0xf032
            r1=0xffffd990 cr=0x22000044 xer=0 ctr=0x418839b0

I'm posting here because it's been pointed out to me that if a
server is using a large mfs as /tmp, it might be possible for any user
that can download files in a web browser (like PDFs) to cause the above
kernel panic. This seems like a good forum for finding people willing to
test this on different archs (macppc -current kernel, RC4 userland for
me does this). I've tried 300M and below and I get file system full
errors, but 600M and higher cause kernel panics. I haven't pinpointed
(Continue reading)

Permalink | Reply | 1 comment |
headers
Hernani Marques Madeira | 12 Nov 2004 13:06

Re: overfilling mfs partitions over 600M cause kernel panics?

On Thu, Nov 11, 2004 at 10:15:12PM -0500, Tim Kelly wrote:

> I'm posting here because it's been pointed out to me that if a
> server is using a large mfs as /tmp, it might be possible for any user
> that can download files in a web browser (like PDFs) to cause the above
> kernel panic. This seems like a good forum for finding people willing to
> test this on different archs (macppc -current kernel, RC4 userland for
> me does this). I've tried 300M and below and I get file system full
> errors, but 600M and higher cause kernel panics. I haven't pinpointed
> the exact number, but I didn't figure that all that important.

I tried it on a i686 lap that only has 256 MB of RAM with a 600 MB mfs
mounted at /mfs.

I did it based on 2.99.10 sources from the 25th of October, kernel+userland.

The only messages I got were such:
/netbsd: UVM: pid 5443 (xearth), uid 1000 killed: out of swap
/netbsd: UVM: pid 9583 (mozilla-bin), uid 1000 killed: out of swap
/netbsd: UVM: pid 21325 (XFree86), uid 0 killed: out of swap

and some other messages from userland that said that no more memory
could be allocated what resulted in /mfs not getting further filled.

But it did not hang.

> thanks,
> tim

--

--
(Continue reading)

Permalink | Reply | 0 comments |
headers
Jaromir Dolecek | 12 Nov 2004 20:43
Picon

Re: Preventative security features?

Dmitri Nikulin wrote:
> Is there any reason NetBSD doesn't implement many preventative security 
> features?

Why do you think so - can you privide any examples of particular
security feature you'd like to see in NetBSD?

> Is there a reason these things (blackholes, randomization of kernel 
> data, etc) aren't done in NetBSD? If not, does anybody object to work 
> done to bring them in to -current? I'd certainly like features like 
> that, even if I have to code them myself.

Useful additions are always welcome :) But don't get yourself
fooled into thinking that certain things a bit more random provides
any security benefit.

> At the very least, the ability to run nmap against a NetBSD machine and 
> have it be completely unknown, even with plenty of open and closed ports 
> available. Free and OpenBSD can do this just with a few sysctl runs, 
> Linux stands no chance, but NetBSD should be up with its brothers and 
> not alongside Linux.

Why would anonymizing be any useful? Security by obscurity? 

Jaromir
--

-- 
Jaromir Dolecek <jdolecek <at> NetBSD.org>            http://www.NetBSD.cz/
-=- We should be mindful of the potential goal, but as the Buddhist -=-
-=- masters say, ``You may notice during meditation that you        -=-
-=- sometimes levitate or glow.   Do not let this distract you.''   -=-
(Continue reading)

Permalink | Reply | 14 comments |

Gmane