
Posts Tagged ‘OpenBSD’

Org Exhibitions and Sponsors

January 25th, 2009

Like any self-respecting Open Source conference, we have an exhibition space with commercial sponsors and “dot org” groups.  Starting with the orgs, we’ll have tables for some of the BSD projects.  The peeps over at iXsystems have their usual display of FreeBSD and PC-BSD goodies.  The OpenBSD project is shipping out merchandise for the conference.  They always have a nice selection of t-shirts and CDs for sale.  The DragonFlyBSD project is working to send out free install media; we’re crossing our fingers.  Matt Dillon and the team at DragonFly have been doing some exciting things with cluster technologies.

Rumor is that Beastie will make a surprise appearance, so bring your cameras.  I’ll buy anyone a few rounds of stout if they manage to sneak in a Segway.

Of course, none of this would be possible without the generous contributions from our sponsors.  Even under normal circumstances, it can be challenging to procure sufficient funding to host a large conference.  During a global recession, executives everywhere are pressured to cut costs and hunker down.  Fortunately for us (and one could argue, the entire economy), these companies and organizations recognize that such a stance is self-defeating and serves only to worsen an already difficult recession.  They understand that spending, not just for the sake of meeting operational requirements, but to further stimulate the markets, benefits everyone.  Cheers to our sponsors over at Message Systems, iXsystems, the FreeBSD Foundation, Freedom Technologies, MatrixGroup, ShmooCon, OmniTI and Google!

And I’ll be tipping back a pint for every single one of them. ;-)


Everybody likes PIE, Except the Bad Guys

January 5th, 2009

Today’s entry comes a bit late in the day.  I’ll continue to blame it on holiday festivities until someone calls my bluff.  Speaking of holidays (and eating), our next speaker really likes PIE.  This isn’t your typical pie though; Position Independent Executables (PIE) are executable binaries made entirely from position-independent code.  Kurt Miller will discuss his work on adding this functionality to OpenBSD.

OpenBSD has randomized the load addresses of shared libraries for many years.  This helps prevent attacks that are described as return-to-libc attacks.  However, programs are linked at fixed addresses, which provides some optimizations for executables over shared libs.  When a program is compiled and linked to be position independent (e.g. Position Independent Executable/PIE) some of those optimizations are waived for the ability to load the program at a random address.  In this session, I will discuss OpenBSD’s PIE implementation, its impact on existing security mechanisms such as W^X on i386, and the various enhancements needed to the runtime linker, kernel and other system libs.

Kurt presented this talk at NYCBSDCon last year and it was very well received.  Many of us get to take for granted much of his work on features like PIE and as maintainer of the OpenBSD JDK ports.  Come join us for DCBSDCon and buy Kurt a pint in appreciation.  See you there!
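To make the fixed-address versus PIE distinction in Kurt’s abstract concrete, here is a small ELF header check a sysadmin can run over a set of binaries to see which ones were linked position-independent. This is an added example, not code from Kurt or from the OpenBSD project, and it assumes ELF64 images only: a fixed-address executable carries e_type ET_EXEC, while a PIE is ET_DYN (like a shared library) but also has a PT_INTERP program header naming the runtime linker. The sample images built by build_sample() are constructed test data, not real binaries.

```python
import struct

# Constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC = 2     # executable linked at a fixed address (the non-PIE case)
ET_DYN = 3      # position-independent: either a shared library or a PIE
PT_INTERP = 3   # program header naming the runtime linker (ld.so)
PT_LOAD = 1


def classify_elf(data: bytes) -> str:
    """Classify an in-memory ELF64 image.

    Returns 'not-elf', 'unsupported-class', 'other', 'exec' (fixed address),
    'pie' (ET_DYN with a PT_INTERP entry, i.e. a program that the kernel
    and ld.so can load at a random base) or 'shared' (ET_DYN without
    PT_INTERP, i.e. a plain shared object or a static PIE).
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return "not-elf"
    if data[4] != ELFCLASS64:
        return "unsupported-class"        # ELF32 headers have a different layout
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    # ELF64 header offsets: e_type @16 (u16), e_phoff @32 (u64),
    # e_phentsize @54 (u16), e_phnum @56 (u16).
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    if e_type == ET_EXEC:
        return "exec"
    if e_type != ET_DYN:
        return "other"                    # ET_REL, ET_CORE, ...
    # Walk the program headers looking for PT_INTERP; p_type is the first u32.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                         # truncated image: stop rather than raise
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return "pie"
    return "shared"


def classify_file(path: str) -> str:
    """Classify an ELF file on disk (reads the whole file; fine for a check script)."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_sample(e_type: int, with_interp: bool) -> bytes:
    """Construct a minimal little-endian x86-64 ELF64 image for testing.

    Constructed sample data, not a real binary: only the file header and
    program headers are present, which is all classify_elf() reads.
    """
    phdr_types = ([PT_INTERP] if with_interp else []) + [PT_LOAD]
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + bytes(8)
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,              # e_type, e_machine (EM_X86_64), e_version
        0x1000, 64, 0, 0,           # e_entry, e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(phdr_types),    # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                   # e_shentsize, e_shnum, e_shstrndx
    )
    # Each ELF64 program header is 56 bytes: p_type, p_flags, then six u64 fields.
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return header + phdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(f"{path}: {classify_file(path)}")
```

Run it as `python3 piecheck.py /usr/bin/*` to get one line per binary. The PT_INTERP test is what separates a PIE from an ordinary shared library, since both are ET_DYN; a statically linked PIE has no interpreter and will show up as "shared", so treat that result as "needs a closer look" rather than "not a program".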


A Special Two-Fer for the New Year

December 31st, 2008

Because I’m still in the holiday spirit (or maybe it was the spirits at lunch today), we’ve decided to announce our next two speakers.  Let’s get right to it.

Although well known for his Tao of Security blog, Richard Bejtlich’s official working title is the Director of Incident Response for General Electric.  He’s a highly sought-after speaker and the author of The Tao of Network Security Monitoring.  And wouldn’t you know, he’s a fan of FreeBSD.

I’ve been using FreeBSD as my preferred platform for Network Security Monitoring (NSM) since 2000.  In this presentation I’ll discuss my latest thinking on using FreeBSD to identify normal, suspicious, and malicious traffic in enterprise networks.  FreeBSD is a powerful platform for network traffic inspection and log analysis, and I’ll share a few ways I use it in production environments.

I’ve crossed paths with Richard due to our proximity and interest in BSD User Groups.  I heard him speak at ShmooCon 2006 and immediately appreciated his speaking style and expert knowledge in network security.  I think attendees will walk away from his talk with a fresh perspective on security monitoring.

Next up, we have the RAID and storage guru of the OpenBSD project.  Marco Peereboom introduced me to my first pint of Guinness, and for that I’ll be eternally grateful.  I think it’s rather apropos that I announce his presentation on New Year’s Eve.

Tired of tape and their weaknesses?  So am I!  Epitome is the next generation backup mechanism.  It is based on the idea of providing instant available backup data while removing duplicate files & blocks from backups (yes really!).  It is a disk based WORM backup system.

This talk will go into the Epitome protocol and its application.  The code is generic enough that it can address all 3 major (buzzword compliant) technologies known as: CAS, DEDUP & SIS.

Looking over his online man pages, the epitome suite specializes in data deduplication.  This certainly has some practical uses, in spite of the ubiquity of multi-terabyte disk arrays.
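As an illustration of the content-addressed, block-deduplicating, write-once design that Marco’s abstract describes, here is a toy in-memory store. This is an added example and is not Epitome’s code or protocol: it assumes fixed-size chunking and SHA-256 block names, which are my choices for the illustration, and the two “nightly backups” in demo_store() are constructed sample data.

```python
import hashlib


class ContentAddressedStore:
    """Toy disk-style CAS with block-level deduplication.

    Every fixed-size block is named by its SHA-256 digest. A digest that has
    been seen before is not stored again, only referenced from the backup's
    manifest. Blocks are write-once: put() never replaces an existing block.
    """

    def __init__(self, block_size: int = 4096):
        self.block_size = block_size
        self.blocks: dict[str, bytes] = {}         # digest -> block contents
        self.manifests: dict[str, list[str]] = {}  # backup name -> ordered digests
        self.bytes_offered = 0                     # total input seen
        self.bytes_stored = 0                      # unique bytes actually kept

    @staticmethod
    def digest(block: bytes) -> str:
        return hashlib.sha256(block).hexdigest()

    def put(self, name: str, data: bytes) -> list[str]:
        """Ingest one backup; returns its manifest (the list of block digests)."""
        manifest = []
        for off in range(0, len(data), self.block_size):
            block = data[off:off + self.block_size]
            d = self.digest(block)
            self.bytes_offered += len(block)
            if d not in self.blocks:               # first time this content is seen
                self.blocks[d] = block
                self.bytes_stored += len(block)
            manifest.append(d)
        self.manifests[name] = manifest
        return manifest

    def get(self, name: str) -> bytes:
        """Reassemble a backup from its manifest (instantly available, no tape seek)."""
        return b"".join(self.blocks[d] for d in self.manifests[name])

    def verify(self) -> list[str]:
        """Return digests whose stored bytes no longer hash to their name."""
        return [d for d, b in self.blocks.items() if self.digest(b) != d]

    def dedup_ratio(self) -> float:
        return self.bytes_offered / self.bytes_stored if self.bytes_stored else 0.0


def demo_store() -> ContentAddressedStore:
    """Run two constructed nightly backups through the store."""
    store = ContentAddressedStore(block_size=1024)
    pattern = bytes(range(256)) * 4        # one 1 KiB block of data
    zeros = bytes(1024)                    # one 1 KiB block of zeros
    day1 = pattern + zeros + pattern       # 3 blocks offered, only 2 unique
    day2 = day1 + b"\x01" * 1024           # same 3 blocks plus one new one
    store.put("day1", day1)
    store.put("day2", day2)
    return store


if __name__ == "__main__":
    s = demo_store()
    print(f"offered {s.bytes_offered} bytes, stored {s.bytes_stored}, "
          f"ratio {s.dedup_ratio():.2f}, corrupt blocks: {s.verify()}")
```

The security-relevant property here is that the digest is both the name and the integrity check: verify() catches any block whose contents drift from what was written, which is what makes a WORM store auditable. The same mechanism is why a deduplicating store should treat the hash as security-critical; a collision-prone function would let two different blocks share one name.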

Have you already registered?  Don’t wait!  It looks like we’re going to push forward the deadline for registration to January 31, in order to give us more lead time heading into the conference.  We’ll broadcast this change soon, but don’t wait until it’s too late.  Get your barcode today!


Process Isolation for NetBSD and OpenBSD

December 28th, 2008

The next talk to be announced is of particular interest to me.  I remember when I first heard about sysjail a couple years ago, and enjoyed Kristaps Džonsons’ talk about it at NYCBSDCon 2006.  Unfortunately for fans of sysjail, systrace (the mechanism it is based on) was found to have vulnerabilities that neutralized much of its usefulness.

Kristaps is obviously a dedicated individual that doesn’t give up easy.  He’s been busy working on a new process isolation mechanism called mult.

In NetBSD and OpenBSD, user-land process and process-context isolation is limited to credential cross-checks, file-system chroot and explicit systrace/kauth applications.  I’ll demonstrate a working mechanism of isolated process trees in branched OpenBSD-4.4 and NetBSD-5.0-beta kernels where an isolated process is started by a system call similar to fork; following that, the child process and its descendants execute in a context isolated from the caller.  This system is the continued work of “mult” — first prototyped in a branched NetBSD-3.1 kernel and isolating all system resources — pared down to a lightweight, auditable patch of process-only separation for both OpenBSD and NetBSD.  I specifically address solutions to performance issues and mechanism design with an eye toward more resources being isolated in the future.

This sounds pretty cool, but most of it went over my head.  I went back to Kristaps, asking him to pretend I’m a Linux user.

mult allows the creation of isolated instances, similar to jails on FreeBSD, but considerably more robust, feature-rich, safe and scalable.

An instance contains a process and all of its descendant processes.  Once started, an instance’s processes are invisible to the caller; similarly, the caller is invisible to the instance.

Ok, that makes more sense.  How far along are you with mult?  Is it usable today for the average BSD administrator?

In the current version of mult, which is a lightweight re-write of the NetBSD-3.1 prototype, only pids, pgids and file descriptors are isolated.  Thus, a process can’t stat other instances’ processes, even if of the same pid.  However, users are still unisolated, so using setpriority on a user will affect all instances.  New stuff can be easily appropriated, but my intent is to (re-)start small and clean.

% instproc -- /usr/sbin/sshd -df /var/jail/etc/ssh/sshd_config

This starts a process, sshd, where a connecting user will only “see” (e.g., via ps ax) the sshd process and its descendants.  Similarly, the caller will not see the started sshd.

Good stuff.  I’m really anxious to hear Kristaps talk about this project and how useful it will be in the near future.  If I had a crystal ball, I bet I’d see quite a few ShmooCon attendees sneaking into this talk.  Don’t let them steal your seat… register now and get your barcode!


OpenBSD vs SMP, Threading, and Concurrency

December 22nd, 2008

I first met Ted Unangst at the c2k7 hackathon in Calgary.  He immediately struck me as your atypical OpenBSD developer.  While he’s obviously a very smart cookie with an interest in crypto and code security, he looks like someone who just traded in his skateboard for a keyboard.  Fortunately for the BSD community, Ted has an active interest in SMP and kernel threading.  His work on rthreads is ongoing within OpenBSD and should result in solid improvements in future releases.

I will discuss the current status of kernel SMP support, the rthreads thread library, and relevant future developments.  Over the years, we have accumulated several concurrency primitives in the kernel, causing some confusion amongst developers, so I will lay out the origin and correct usage for each.  The talk is primarily targeted at the budding OpenBSD kernel developer, but I will also describe the end-user effects of each topic.

This should be a very interesting discussion, particularly for users who are starting to dabble in kernel hacking.  Ted is an approachable guy who understands how to translate advanced topics for average Joes like myself.

If you haven’t already noticed, registration is open.  Tickets are selling at a brisk pace, so don’t get caught empty-handed by waiting until the last day!
