could you please guys implement some anti exploitation technologies such as ASLR out of the box ? Or maybe dedicate a manpage explaining the dev team views over such matters.
I've been a long time user of FreeBSD and i can't help but to feel it keeps dragging behind in this field.
Or please someone explain me why i shouldn't be worrying about that.
could you please guys implement some anti exploitation technologies such as ASLR out of the box ? Or maybe dedicate a manpage explaining the dev team views over such matters.
I've been a long time user of FreeBSD and i can't help but to feel it keeps dragging behind in this field.
Or please someone explain me why i shouldn't be worrying about that.
Explanation: You're running BSD. What gains is ASLR supposed to provide you, the end user? Protecting you against a custom crafted process injection attack on your specific BSD distro written by someone who could have made more profit creating a bogus kickstarter campaign or by attempting to mine bitcoins?
(I kid... there's enough stuff running FreeBSD that no ASLR by default is a bit odd... but it sure makes debugging easier)
Thank you for your answer. I can't decide on which side of irony you stand. I'd prefer if your stance was the one between parenthesis.
As for the first part that was a legitimate question, i don't use FreeBSD as a desktop, i run a server which got through all the upgrades since FreeBSD 5.2, it has a few jails and paranoid setup. And most of all i use FreeBSD because i expect it to be relatively on par with OpenBSD for security.
And as an ROP mindfuck lover myself i was really disappointed when the Intel SysRE
There are diminishing returns for things like chroot, jails, and all the crap that Linux has. Most kernel exploits will bypass all of it, and of course the more complex "security" features you have, the more kernel code required and the more opportunity for exploitable bugs to creep in.
This is why OpenBSD has rejected all of these things. Existing capabilities, such as chroot, are good enough. FreeBSD is not much secure than Linux. Both platforms have many features, and continually keep piling more on top.
ASLR [wikipedia.org] has been usefully complicating enough vulnerabilities to have proven it's worthwhile. At this point it's quite near being an industry standard for any system that follows good security practices. It's really not credible to reject it anymore as too complicated to risk bothering with. Yes, some of the issues can be addressed more deeply, too, but security should be layered and redundant.
A major cause for why there are less exploits on the *BSD kernels is that the rate of innovation is so low. New an
But the Linux crowd spends a large amount of time reinventing the wheel instead of improving projects that already exist. There are few ways to do a project correctly and many ways to do it wrong. Do it right the first time, then have everyone work on it together instead of making lots of half-done projects that compete with each other, but none done well.
You see but you do not observe.
Sir Arthur Conan Doyle, in "The Memoirs of Sherlock Holmes"
Please if some FreeBSD dev sees this... (Score:0)
could you please guys implement some anti exploitation technologies such as ASLR out of the box ? Or maybe dedicate a manpage explaining the dev team views over such matters.
I've been a long time user of FreeBSD and i can't help but to feel it keeps dragging behind in this field.
Or please someone explain me why i shouldn't be worrying about that.
Re:Please if some FreeBSD dev sees this... (Score:1)
could you please guys implement some anti exploitation technologies such as ASLR out of the box ? Or maybe dedicate a manpage explaining the dev team views over such matters.
I've been a long time user of FreeBSD and i can't help but to feel it keeps dragging behind in this field.
Or please someone explain me why i shouldn't be worrying about that.
Explanation: You're running BSD. What gains is ASLR supposed to provide you, the end user? Protecting you against a custom crafted process injection attack on your specific BSD distro written by someone who could have made more profit creating a bogus kickstarter campaign or by attempting to mine bitcoins?
(I kid... there's enough stuff running FreeBSD that no ASLR by default is a bit odd... but it sure makes debugging easier)
Re: (Score:0)
Thank you for your answer. I can't decide on which side of irony you stand. I'd prefer if your stance was the one between parenthesis.
As for the first part that was a legitimate question, i don't use FreeBSD as a desktop, i run a server which got through all the upgrades since FreeBSD 5.2, it has a few jails and paranoid setup. And most of all i use FreeBSD because i expect it to be relatively on par with OpenBSD for security.
And as an ROP mindfuck lover myself i was really disappointed when the Intel SysRE
Re: (Score:0)
There are diminishing returns for things like chroot, jails, and all the crap that Linux has. Most kernel exploits will bypass all of it, and of course the more complex "security" features you have, the more kernel code required and the more opportunity for exploitable bugs to creep in.
This is why OpenBSD has rejected all of these things. Existing capabilities, such as chroot, are good enough. FreeBSD is not much secure than Linux. Both platforms have many features, and continually keep piling more on top.
Re: (Score:2)
ASLR [wikipedia.org] has been usefully complicating enough vulnerabilities to have proven it's worthwhile. At this point it's quite near being an industry standard for any system that follows good security practices. It's really not credible to reject it anymore as too complicated to risk bothering with. Yes, some of the issues can be addressed more deeply, too, but security should be layered and redundant.
A major cause for why there are less exploits on the *BSD kernels is that the rate of innovation is so low. New an
Re: (Score:0)