Archive

Posts Tagged ‘security’

Everybody likes PIE, Except the Bad Guys

January 5th, 2009

Today’s entry comes a bit late in the day.  I’ll continue to blame it on holiday festivities until someone calls my bluff.  Speaking of holidays (and eating), our next speaker really likes PIE.  This isn’t your typical pie though;  Position Independent Executables (PIE) are executable binaries made entirely from position-independent code.  Kurt Miller will discuss his work on adding this functionality to OpenBSD.

OpenBSD has randomized the load addresses of shared libraries for many years.  This helps prevent attacks that are described as return-to-libc attacks.  However, programs are linked at fixed addresses which provides some optimizations for executables over shared libs.  When a program is compiled and linked to be position independent (e.g. Position Independent Executable/PIE) some of those optimizations are waived for the ability to load the program at a random address.  In this session, I will discuss OpenBSD’s PIE implementation, its impact on existing security mechanisms such as W^X on i386, and the various enhancements needed to the runtime linker, kernel and other system libs.

Kurt presented this talk at NYCBSDCon last year and it was very well received.  Many of us get to take for granted much of his work on features like PIE and as maintainer of the OpenBSD JDK ports.  Come join us for DCBSDCon and buy Kurt a pint in appreciation.  See you there!
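Kurt’s abstract turns on how a program is linked: a fixed-address executable is an ELF ET_EXEC image, while a PIE is linked as ET_DYN, the same type as a shared library, which is what lets the kernel and run-time linker load it anywhere.  The check below is an added example written for this post, not code from Kurt’s OpenBSD work or from the conference.  It reads the ELF64 header and program headers of a file and reports whether it is a fixed-address executable, a PIE, or a plain shared object; since ET_DYN alone is ambiguous, it uses the presence of a PT_INTERP entry (the run-time linker request a library does not carry) to tell a PIE from a library.  The function names (elf_classify, build_sample, classify_sample), the little-endian ELF64-only scope and the constructed sample images are all my assumptions; 32-bit binaries such as OpenBSD/i386 ones use the ELF32 header layout, which this example does not handle.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF constants used by the check; values are from the ELF specification. */
#define EI_CLASS    4
#define EI_DATA     5
#define ELFCLASS64  2
#define ELFDATA2LSB 1
#define ET_EXEC     2
#define ET_DYN      3
#define PT_LOAD     1
#define PT_INTERP   3
#define EHDR64_SIZE 64
#define PHDR64_SIZE 56

enum elf_kind { ELF_INVALID = -1, ELF_FIXED = 0, ELF_PIE = 1, ELF_SHLIB = 2 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const unsigned char *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Classify a little-endian ELF64 image held in memory.  ET_EXEC is linked at a
 * fixed address.  ET_DYN is position independent, but shared libraries are
 * ET_DYN too; a PIE additionally carries a PT_INTERP program header naming the
 * run-time linker, so that entry is what separates the two here. */
int elf_classify(const unsigned char *buf, size_t len)
{
    if (len < EHDR64_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0) return ELF_INVALID;
    if (buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB) return ELF_INVALID;

    uint16_t e_type      = rd16(buf + 16);
    uint64_t e_phoff     = rd64(buf + 32);
    uint16_t e_phentsize = rd16(buf + 54);
    uint16_t e_phnum     = rd16(buf + 56);

    if (e_type == ET_EXEC) return ELF_FIXED;
    if (e_type != ET_DYN)  return ELF_INVALID;          /* ET_REL, ET_CORE: not loadable */
    if (e_phentsize < PHDR64_SIZE) return ELF_INVALID;

    for (uint16_t i = 0; i < e_phnum; i++) {
        uint64_t off = e_phoff + (uint64_t)i * e_phentsize;
        if (off > len || len - off < PHDR64_SIZE) return ELF_INVALID;   /* truncated image */
        if (rd32(buf + off) == PT_INTERP) return ELF_PIE;
    }
    return ELF_SHLIB;
}

/* Build a constructed sample image (assumption: not a real binary): an ELF64
 * header with the given e_type, then a PT_LOAD and optionally a PT_INTERP entry.
 * Only the fields elf_classify reads are filled in.  Returns the image size. */
size_t build_sample(unsigned char *out, size_t cap, uint16_t e_type, int with_interp)
{
    uint16_t nph = with_interp ? 2 : 1;
    size_t need = EHDR64_SIZE + (size_t)nph * PHDR64_SIZE;
    if (cap < need) return 0;
    memset(out, 0, need);
    memcpy(out, "\x7f" "ELF", 4);
    out[EI_CLASS] = ELFCLASS64;
    out[EI_DATA]  = ELFDATA2LSB;
    out[16] = (unsigned char)(e_type & 0xff);
    out[17] = (unsigned char)(e_type >> 8);
    out[32] = EHDR64_SIZE;                 /* e_phoff: program headers follow the header */
    out[54] = PHDR64_SIZE;                 /* e_phentsize */
    out[56] = (unsigned char)nph;          /* e_phnum */
    out[EHDR64_SIZE] = PT_LOAD;            /* first phdr: p_type */
    if (with_interp) out[EHDR64_SIZE + PHDR64_SIZE] = PT_INTERP;
    return need;
}

/* Build a sample and classify it in one step. */
int classify_sample(uint16_t e_type, int with_interp)
{
    unsigned char buf[EHDR64_SIZE + 2 * PHDR64_SIZE];
    return elf_classify(buf, build_sample(buf, sizeof buf, e_type, with_interp));
}

static const char *kind_name(int k)
{
    switch (k) {
    case ELF_FIXED: return "fixed-address executable (ET_EXEC, not PIE)";
    case ELF_PIE:   return "PIE (ET_DYN with PT_INTERP)";
    case ELF_SHLIB: return "shared object (ET_DYN, no PT_INTERP)";
    default:        return "not a little-endian ELF64 program";
    }
}

/* With a path argument classify that file's headers (the first 64 KiB is read,
 * which is where the headers of real binaries sit); without one, run the
 * constructed samples so the program demonstrates itself offline. */
int main(int argc, char **argv)
{
    static unsigned char buf[1 << 16];
    if (argc < 2) {
        printf("ET_EXEC sample:    %s\n", kind_name(classify_sample(ET_EXEC, 1)));
        printf("ET_DYN + PT_INTERP: %s\n", kind_name(classify_sample(ET_DYN, 1)));
        printf("ET_DYN only:        %s\n", kind_name(classify_sample(ET_DYN, 0)));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    printf("%s: %s\n", argv[1], kind_name(elf_classify(buf, n)));
    return 0;
}
```

Run it without arguments to see the constructed samples classified, or with the path of a binary on a little-endian 64-bit system.  readelf -h (the Type line reads EXEC or DYN) and file(1) are the usual cross-checks; the reason for the PT_INTERP test is that both of those report a plain ET_DYN as a shared object whether it is a library or a PIE.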


Process Isolation for NetBSD and OpenBSD

December 28th, 2008

The next talk to be announced is of particular interest to me.  I remember when I first heard about sysjail a couple of years ago, and enjoyed Kristaps Džonsons’ talk about it at NYCBSDCon 2006.  Unfortunately for fans of sysjail, systrace (the mechanism it is based on) was found to have vulnerabilities that neutralized much of its usefulness.

Kristaps is obviously a dedicated individual who doesn’t give up easily.  He’s been busy working on a new process isolation mechanism called mult.

In NetBSD and OpenBSD, user-land process and process-context isolation is limited to credential cross-checks, file-system chroot and explicit systrace/kauth applications.  I’ll demonstrate a working mechanism of isolated process trees in branched OpenBSD-4.4 and NetBSD-5.0-beta kernels where an isolated process is started by a system call similar to fork; following that, the child process and its descendants execute in a context isolated from the caller.  This system is the continued work of “mult” — first prototyped in a branched NetBSD-3.1 kernel and isolating all system resources — pared down to a lightweight, auditable patch of process-only separation for both OpenBSD and NetBSD.  I specifically address solutions to performance issues and mechanism design with an eye toward more resources being isolated in the future.

This sounds pretty cool, but most of it went over my head.  I went back to Kristaps, asking him to pretend I’m a Linux user.

mult allows the creation of isolated instances, similar to jails on FreeBSD, but considerably more robust, feature-rich, safe and scalable.

An instance contains a process and all of its descendant processes.  Once started, an instance’s processes are invisible to the caller; similarly, the caller is invisible to the instance.

Ok, that makes more sense.  How far along are you with mult?  Is it usable today for the average BSD administrator?

In the current version of mult, which is a lightweight re-write of the NetBSD-3.1 prototype, only pids, pgids and file descriptors are isolated.  Thus, a process can’t stat other instances’ processes, even if of the same pid.  However, users are still unisolated, so using setpriority on a user will affect all instances.  New stuff can be easily appropriated, but my intent is to (re-)start small and clean.

% instproc — /usr/sbin/sshd -df /var/jail/etc/ssh/sshd_config

This starts a process, sshd, where a connecting user will only “see” (e.g., via ps ax) the sshd process and its descendants.  Similarly, the caller will not see the started sshd.

Good stuff.  I’m really anxious to hear Kristaps talk about this project and how useful it will be in the near future.  If I had a crystal ball, I bet I’d see quite a few ShmooCon attendees sneaking into this talk.  Don’t let them steal your seat… register now and get your barcode!


Network Perimeter Redundancy with pfSense

December 18th, 2008

What do you get when you cross an enterprise-class packet filtering subsystem with a graphical front-end for easy configuration and maintenance?  A throbbing headache for commercial vendors like SonicWALL, that’s what.

pfSense is a FreeBSD-based firewall distribution that uses the excellent packet filter (PF) subsystem ported from OpenBSD.  pfSense started as a fork of the m0n0wall project but has evolved beyond their focus on embedded hardware to be well suited for a wide variety of PC systems.  One of the founders, Chris Buechler, will be coming to DCBSDCon to present a new talk entitled Network Perimeter Redundancy with pfSense.

This session will first provide an introduction and overview of pfSense and its common uses. It will then go on to cover means of providing redundancy for the critical portions of your network perimeter using pfSense, including redundancy for your Internet connections, firewalls and DNS. Live configuration examples will be shown for as many of these topics as the session’s length permits. This session will cover pfSense 1.2.1, but will also offer an overview of some of the enhanced capabilities in this area that pfSense 2.0 will provide in the future.

As a firewall nerd, I’ve been pleased to see pfSense bring the PF codebase to a wider audience.  I’m looking forward to seeing the new features they’ve released in 1.2.1 as well as the upcoming features in 2.0.  This talk should be of interest to network and systems administrators alike.


DCBSDCon on BSDTalk 167

December 4th, 2008

Despite my inability to form a coherent thought, Will Backman saw fit to invite me on BSDTalk to discuss DCBSDCon 2009 (mp3, ogg). We covered the usual points, but this also gave us a chance to announce two of our confirmed speakers.

Dr. Marshall Kirk McKusick is a pioneer in the BSD movement. He designed the original Fast File System (and UFS2… and softupdates… you get the point) and is one of the authors of the Design and Implementation series of books.

Henning Brauer is an OpenBSD developer and one of the major forces behind PF, OpenBSD’s packet filter subsystem. He is also the creator of OpenNTPD and OpenBGPD.

We also touched on the SysAdmin Challenge. I think that participants will really have a fun time with this event. If you have suggestions for any of the challenge goals, please add them as a comment below.

Oh yeah, and registration will be open very soon. Don’t blink or you might miss it. :)


Introducing the DC BSD Conference

December 3rd, 2008

Welcome to the official blog for DCBSDCon, the shiniest BSD conference in North America. We’re looking forward to our inaugural event and hope you can attend. We’ve got an incredible lineup of speakers for a first-year conference. Details about the speakers and their talks will be revealed in the coming weeks. Consider this blog your bendie-straw for slurping in the BSD conference goodness.

Besides all the brilliant talks you’ll find at DCBSDCon 2009, the BSD Certification Group will be in attendance to hold a pair of exams. The BSDA has made tremendous strides in putting together a professional certification that covers all of the major BSD projects. You can find more details at their FAQ or brush up on the exam criteria on the study page.

The 2009 Call for Papers ended this week with a flurry of last-minute submissions. We’ve already started stirring them up to see which topics rise to the top. Many of these are brand new talks from established developers, but we should have some fresh BSD talent to showcase as well. Keep an eye on this blog as we unveil the speakers and their topics.

If you’ve been to Washington D.C. before, you know what an exciting place it is. If you haven’t been, this is your chance to experience our nation’s capital city and BSD at the same time! On top of everything else, we’re kicking off a fun week that culminates in the annual ShmooCon hacker convention. Bruce Potter, founder of the Shmoo Group, is a big BSD fan and has offered up one of his own ShmooLabs team for sacrifice at the DCBSDCon altar! Attendees will be treated to an overview of the ShmooCon architecture and how BSD plays a critical role in their network infrastructure.

Oops, guess I just announced our first speaker! :)

Registration for DCBSDCon will open up very soon. We’re announcing it in a few very public places. If you’re a BSD fan it should be very hard to miss. But rest assured we’ll mention it here too. Mark it on your schedule now, see you all in February 2009!
