Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Will Get Unique Kernels On Each Reboot (bleepingcomputer.com)

Posted by BeauHD on from the fresh-start dept.

An anonymous reader quotes a report from Bleeping Computer: A new feature added in test snapshots for the upcoming OpenBSD 6.2 release will create a unique kernel every time an OpenBSD user reboots or upgrades his computer. This feature is named KARL -- Kernel Address Randomized Link -- and works by relinking internal kernel files in a random order so that it generates a unique kernel binary blob every time. Currently, for stable releases, the OpenBSD kernel uses a predefined order to link and load internal files inside the kernel binary, resulting in the same kernel for all users. Developed by Theo de Raadt, KARL will work by generating a new kernel binary at install, upgrade, and boot time. If the user boots up, upgrades, or reboots his machine, the most recently generated kernel will replace the existing kernel binary, and the OS will generate a new kernel binary that will be used on the next boot/upgrade/reboot, constantly rotating kernels on reboots or upgrades. KARL should not be confused with ASLR -- Address Space Layout Randomization -- a technique that randomizes the memory address where application code is executed, so exploits can't target a specific area of memory where an application or the kernel is known to run. A similar technique exists for randomizing the memory location where the kernel loads -- called KASLR. The difference between the two is that KARL loads a different kernel binary in the same place, while KASLR loads the same binary in random locations. Currently Linux and Windows only support KASLR.

162 comments

  1. Effects on overall speed? by randomErr · · Score: 4, Interesting

    The rebuilding process shouldn't be that long. Especially if most of the modules are (mostly) precompiled. But with the random order that things will be re-compiled, will a bad order effect the overall performance of the system?

    --
    You say things that offend me and I can deal with it. Can you?
    1. Re:Effects on overall speed? by DaMattster · · Score: 4, Informative

      Enough regression testing has been performed on the technology and no performance loss was noticed. I run a -current snapshot on my laptop and the boot speed and overall performance is just as good as OpenBSD 6.1 without KARL.

    2. Re: Effects on overall speed? by Zero__Kelvin · · Score: 4, Informative

      They won't be recompiled, they will be relinked. Hopefully this happens in the background when the system is up, not at boot time.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      This is a good clarification. Macs already do this:
      https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KernelProgramming/booting/booting.html

    4. Re:Effects on overall speed? by Z00L00K · · Score: 4, Insightful

      My concern over the technology is that it also can cause a non-deterministic behavior for the platform making it hard to capture elusive bugs. This means that you would need to have a way to be able to load a kernel that's mapped identically to the last time when you perform your test and development.

      Bugs that only appears when you have a certain constellation and load order are sometimes wasting weeks of work.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    5. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      Is there any risk of kernel corruption if the system were to crash/poweroff during this process?

    6. Re: Effects on overall speed? by Carewolf · · Score: 2

      This is a good clarification. Macs already do this:
      https://developer.apple.com/li...

      No, not as far as I can tell. There is a difference between linking and relinking like this. Technically Linux kernels are also linked with their drivers in initrd when loaded, but that is separate from this new randomized relinking.

    7. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      Yes of course, but when you turn on the system again it will create a new one that is not corrupt.

    8. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      Yeah, it's definitely not the same thing. The only way you end up with a randomized kernel in macOS would be if add or remove drivers to vary what is loaded, but the kernel itself is not being randomized through linking.

      As far as I can see, this feature is novel.

    9. Re: Effects on overall speed? by ls671 · · Score: 4, Informative

      well from TFS:

      If the user boots up, upgrades, or reboots his machine, the most recently generated kernel will replace the existing kernel binary...

      So it sounds the relinking happens when the system is running and the new kernel is used on next reboot.

      --
      Everything I write is lies, read between the lines.
    10. Re:Effects on overall speed? by Anonymous Coward · · Score: 1

      No - the actual 'kernel install' step is a simple rename (mv) which the filesystems should guarantee is atomic. (I believe OpenBSD's filesystems have harder guarantees about this than Linux, but I'm not sure.)

      Upshot, you'll either boot with the new kernel, or worst possible situation, you'll boot with the previous one again.

    11. Re:Effects on overall speed? by dunkelfalke · · Score: 1

      If the bugs are already there, they are bound to appear some day. Maybe even with the next kernel version.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    12. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      I do wonder what this is attempting to protect against?

      1. User space programs leveraging to root won't be stopped.
      2. User programs with bugs that allow arbitrary code execution? Nope, they'll still work.
      3. Kernel rootkits will have to adapt to do their magic. This will be more difficult but it almost certainly won't be impossible.
      4. Debugging kernel crashes will become essentially impossible.
      5. Badly written device drivers running in kernel space might have more difficulty taking control when attacked. Again, a fix will be available soon.

      Apart from the debug issue, it seems like a net positive. I'm still skeptical that this is required and I doubt it will take very long before the attackers have exploits that work around the issues. I can envisage a couple of avenues to attach this:

      1. try to figure out the required addresses -- the .o files reference each other so these references can be located and use to explore the code space. The locations of the references out of the current .o are known relative to other addresses in the .o. Moreover, the destinations of these references are known too. A full graph of the kernel's memory layout could be determined in a straightforward manner.

      2. upload a small kernel and have it take complete control of the device. Bye bye randomised kernel, I don't need you anymore. It wouldn't be quite that simple, but it won't be very hard.

      Future extensions could include scattering the kernel's object code all over memory. Likewise, this technique could apply to user applications.
      Another possible impediment would be for the cross .o links to take place via trampoline code that uses the address the code came from and some magic values to determine the address the program wants to go to. This is possibly slightly harder to circumvent, but it will still be broken.

    13. Re: Effects on overall speed? by dougdonovan · · Score: 1

      each reboot...

    14. Re:Effects on overall speed? by BarbaraHudson · · Score: 3, Interesting

      Great way to insert a malicious blob for the normal one, and no ability o checksum the entire kernel to detect it.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    15. Re:Effects on overall speed? by windwalkr · · Score: 4, Interesting

      This is certainly true (and I'd assume that kernel devs might be running with this turned off, or some kind of historical logs kept to track what state their kernel was in during a bug) but it's equally true that exercising things in this way could reveal bugs which were otherwise exceedingly rare, leading to better overall code quality.

      In practice, I would think that read-write data structures are more likely to exhibit this kind of problem though, not the read-only code. There are certainly edge cases (timing changes, etc.) but it's not like an off-by-one error is going to affect you, like it might with data.

    16. Re:Effects on overall speed? by Anonymous Coward · · Score: 2, Interesting

      My concern over the technology is that it also can cause a non-deterministic behavior for the platform making it hard to capture elusive bugs. This means that you would need to have a way to be able to load a kernel that's mapped identically to the last time when you perform your test and development.

      Bugs that only appears when you have a certain constellation and load order are sometimes wasting weeks of work.

      This kind of thing might also expose bugs that were not exposed before, and that, in itself is a good thing. Of course they would likely be very hard to find bugs...

    17. Re:Effects on overall speed? by Sique · · Score: 1

      It helps against bugs which write into kernel memory and overwrite kernel code. As the memory mapping is different every time, the chance that the bug will force the kernel to execute arbitrary code is close to nil, as the chance that the bug overwrites just exactly the right part of the kernel is nil.

      --
      .sig: Sique *sigh*
    18. Re:Effects on overall speed? by jellomizer · · Score: 2

      I would say the extra time used for this process is an acceptable trade-off for enhanced security. Uniformity is the biggest security risk that these systems face. If the bad guys knows where all the pieces are on a lot of systems, then they know how to successfully target their attacks.

      That being said, there is a lot of effort in protecting the core system, but protecting your home directory, is where the valuable data normally is. I would like to see Operating systems setup with Application level security with User level security. Right now the main workaround is having the particular application run logged in as a user. I would like to see the applications have their own security permissions outside of the user account.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    19. Re:Effects on overall speed? by Zontar_Thing_From_Ve · · Score: 2, Interesting

      My concern over the technology is that it also can cause a non-deterministic behavior for the platform making it hard to capture elusive bugs. .

      Or they could just simply not fix the bugs to take care of that. True story here. I work for a Fortune 500 company in their IT department and I joined them when my previously employer, a startup, was bought out by my current employer. A guy in my management chain was a huge OpenBSD fan, so he made us run some servers using it. Nothing in production used it, but we had some test systems that did. I know I know. Running something in test that isn't like production.... So anyway, he loved OpenBSD with a passion and we couldn't get rid of it while he was there, even though it wasn't used in production at all. We ended up finding a gigantic bug that made OpenBSD's kernel panic and we could make it panic at will. It was caused by a specific piece of hardware in our servers that ran OpenBSD. We and others told Theo and he admitted it was a real problem, but he said he wasn't going to fix it because too few people had this specific hardware. So manager dude finally admitted we couldn't go on like this because not only could we crash the servers at will, they crashed a lot on their own if we did nothing because of the bug. So we replaced all our OpenBSD installations with RedHat and never went back to OpenBSD.

    20. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      3. Kernel rootkits will have to adapt to do their magic. This will be more difficult but it almost certainly won't be impossible.

      Whoa, whoa. Wait there a minute. This is very important right there. HOW difficult?

      Moving the Earth to a wider orbit to compensate for global warming kind of difficult? It's not impossible, it's just very very very very very difficult.

    21. Re:Effects on overall speed? by jellomizer · · Score: 1

      You can say that about nearly every feature put into an Operating System. Changes to Memory Management, Changes to the multi-processing algorithm. Every time you add a level of complexity there is a chance you could create a problem, that is more difficult to fix.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    22. Re:Effects on overall speed? by KiloByte · · Score: 1

      I'd make the order depend on a hash(filename+seed). Thus, kernel #13 will be always the same, and patched versions of kernel #13 will be similar. On regular builds, the seed will be a long (non-bruteforcable) random string, that's still saved with debug info so you can reproduce the kernel you are running.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    23. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      I'm not excited about this change, but I would imagine that the core dumps would correlate to map files from the linker. As such from this perspective, I would imagine that it would improve the probability of exposing OpenBSD kernel bugs sooner than later as this would have a similar effect to fuzzing the kernel.

      Of course, it is very likely that this solution doesn't go far enough. Consider that when a compiler optimizes that individual file so that many functions (especially easily inlined ones) will be compiled into fixed positions. Non-exported functions and functions that are dependencies to other code within the same file can't be relocated during link time as they will have relative address dependencies for intra-file jumps and calls.

      If the same code were generated as intermediary formats (not ELF or COFF but intermediate language) then full function position randomization should be possible. As BSDs tend to favor LLVM as their toolchain, this could be very profitable and possibly easy to accomplish. LLVM compilation to IL often performs inline optimizations as well, so short functions can still be an issue.

      Overall, increasing randomization of the object code can only be a good thing for finding kernel bugs if for no other reason than the order which the code appears can catch oddities that would otherwise be overlooked. This is especially true when call and jump optimization goes weird (and it does). If code stays in fixed positions, a creative hacker might be able to exploit compiler and linker optimizations that exist for pipelining purposes.

      Consider the current trend towards lockless-interthread communication. A notable (though non-kernel) example of this would be Lars T. Hansen's work for Mozilla regarding interprocess lock-less shared memory which exploits known to be predictable behavior of Intel processors to perform shared memory operations which also considering inter-tier cache coherence. If I understand the technology, this is accomplished by the compiler performing the equivalent of counting CPU cycles. While I believe this type of behavior is only achievable in cases where the CPU state has is known and the compiler can make adjustments related to processor affinity (though he'll probably tell me I'm wrong when I ask him) and therefore limited to JIT compilers, if an AOT compiler has a predictable pipeline optimization, malicious code may be able to alter the pipeline state from another thread. While I'm brainstorming, this could provide a meaningful attack vector against virtual machine managers.

      Of course, most of this would be entirely meaningless if a new generation of micro kernels existed that implemented AOT for IL and a non-trivial dynamic link loader for improved CPU targetability and improved randomization upon loading. These days, except when focusing on platforms like tiny Atmel platforms, there is no advantage left to compile towards a specific CPU generation when even minor microcode patches can alter how code performs on that platform.

      But to get back to your concern, core dumps are fine as long as map files are retained during link time. Then a call stack and memory dump can still be produced. For additional security, the map files can be encrypted and when sending a core dump, the map files can be decrypted and combined when needed.

    24. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      Yup Yup. Time to write some malicous openBSD kernel code. Mu ha ha

    25. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      probably the only issues are to do with caching, and that different address combinations will lead to different cache ejections. but the original order of linking is unlikely to be done with a view to optimising in this regard anyhow. shift key not working on this laptop, before anybody complains about the lack of capitalisation.

    26. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      Actually.. With a finite kernel size there is a limited number of ways to combine the kernel code.
      Since the number of combinations never approaches infinity the chance to execute arbitrary code is not approaching nil.

    27. Re:Effects on overall speed? by K.+S.+Kyosuke · · Score: 1

      My concern over the technology is that it also can cause a non-deterministic behavior for the platform making it hard to capture elusive bugs.

      Actually, one might argue that non-deterministic execution makes elusive bugs manifest.

      --
      Ezekiel 23:20
    28. Re:Effects on overall speed? by TheRaven64 · · Score: 2, Informative

      This is a concern. The work appears to be based on work from UPenn, which compiled everything with -ffunction-sections and -fdata-sections (if you don't do this, it turns out that you leak enough information to find gadgets quite easily) and re-linked programs in a random order on each run (there's a lot of subsequent work on doing it more often, such as the ReRANZ paper at VEE this year). It's not too difficult to debug, because you record the random number seed with the binary and include it in core dumps, which lets someone else reconstruct the exact implementation. The other concern is that randomising the link order has been shown (ASPLOS 2015) to have around a plus or minus 20% impact on performance. Having that variation across reboots for the kernel could be quite frustrating.

      --
      I am TheRaven on Soylent News
    29. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      Spot on.

      I never really got the obsession with protecting the operating system. If it crashes or I suspect that it is compromised I'd rather just reinstall.
      Anything that I can just download from somewhere is unimportant to protect.

      It's the private stuff. Projects that I spent time on that I want to protect. I don't want my web browser that probably have plenty of security issues to have access to the same files my compiler uses.

      Sure I have backup on everything I consider important, but on most home computers it isn't particular users that are or aren't trusted. It specific programs that can be trusted or not.

    30. Re:Effects on overall speed? by gmack · · Score: 1

      That is a known trade off and was also noted by some of the kernel devs when Linux started adding randomization but in the end, in Linux case, the extra security was considered more important.

    31. Re:Effects on overall speed? by unixisc · · Score: 1

      The rebuilding process shouldn't be that long. Especially if most of the modules are (mostly) precompiled. But with the random order that things will be re-compiled, will a bad order effect the overall performance of the system?

      Wouldn't the 'performance' just be an issue during boot time, or upgrade time? In other words, I'd expect slower reboots. Which then brings to question the usage. If it's being used in an always-on router, doesn't sound like a big deal. If it's on a laptop that one reboots frequently, I'd think it would

    32. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      Cool story bro.

    33. Re:Effects on overall speed? by AmiMoJo · · Score: 1

      It seems like the scope for non-deterministic behaviour should be very, very small. All it is really doing is re-linking the kernel in a random order, so basically running the last stage of the build process (linking) again but with an additional RNG thrown in.

      In practice this will mean slightly different behaviour due to the way CPU caches work, but beyond that I can't really see much scope for variation. The caching will have a very small effect, so I suppose it is possible that some race condition or similar might only affect certain builds, but it's a fairly remote possibility.

      In any case, something similar happens when applications are loaded anyway with ASLR, and presumably debug dumps involving the kernel will save a copy anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    34. Re:Effects on overall speed? by AmiMoJo · · Score: 2

      Surely if you have the capability to insert such a blob into the kernel, you can easily defeat any attempt to checksum it. Just intercept attempts to read the kernel binary and return an unmodified one.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    35. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      That's not being argued, but the ability to test and reproduce such bugs goes out the window if the kernel is different every time you boot.

    36. Re:Effects on overall speed? by angel'o'sphere · · Score: 1

      On the other hand it makes it more likely that such kinds of bugs manifest themseves.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    37. Re:Effects on overall speed? by unrtst · · Score: 2

      You filed a bug report, right? Where is that? (you didn't really provide enough info so that it could be found, even if it existed - like what hardware caused the bug?)

    38. Re:Effects on overall speed? by angel'o'sphere · · Score: 1

      Code pages are usually read only.
      Only data pages can be overwritten.
      So modifying code is most likely impossible or needs an attack vector where the access bits of a memory page can be changed.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    39. Re:Effects on overall speed? by tlhIngan · · Score: 1

      The rebuilding process shouldn't be that long. Especially if most of the modules are (mostly) precompiled. But with the random order that things will be re-compiled, will a bad order effect the overall performance of the system?

      It's not recompiling, it's re-linking. The code's already compiled and unchanging. Just instead of linking a.o, b.o, c.o and d.o in that order, you link a.o, c.o, d.o, b.o.

      The result may not LOOK too different, but most linkers work linearly - so all the sections in the second binary will have a.o at the beginning, followed by c.o, d.o and b.o, while the first binary will have a.o, b.o, c.o and d.o in that order. The symbol addresses WILL be different even though in general the code is the same (after all, the only real thing that's changed is the jump addresses).

      About the biggest issue would be things that use linker magic to produce arrays of pointers to symbols. For example, the order of the list of initialization functions to call will be different, and if there is a subtle dependency that is not captured properly, a submodule may initialize before its parent module. (This is how you can write a driver with proper flagging and have the kernel auto-initialize it even though you didn't put in an explicit call to the init function).

    40. Re:Effects on overall speed? by 101percent · · Score: 2

      I don't see the issue. Some guy was playing around with an isolated OpenBSD machine and found a bug that results in a DoS, and you go directly to Theo rather than filing a bug report (on the project that founded transparent development decades ago). I'm sorry but shit story.

    41. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      Oh fuck, I found some unique OpenBSD DoS bug on some random ass hardware! Better pgp mail Theo directly with "zero day found" header! This gonna be big time!

    42. Re:Effects on overall speed? by rthille · · Score: 1

      If you install a kernel manually, it'll be used until you re-activate the random-kernel setup.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    43. Re:Effects on overall speed? by BarbaraHudson · · Score: 1

      You won't be inserting it - the existing kernel would be inserting it into the next bootable kernel. Make a blob that has the same checksum (the checksum routine is in the source, meh) and you're all set. So all you have to do is have access to just the portion of the file system that contains that one blob. No need to hack the existing running kernel.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    44. Re: Effects on overall speed? by fisted · · Score: 1

      but then an attacker has all the time in the world to manipulate that next kernel

      --
      CLI paste? paste.pr0.tips!
    45. Re: Effects on overall speed? by Nocturna81 · · Score: 1

      But if there is a way to get back to the "kernel" plan you'd defeat the purpose of this...

    46. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      Perhaps Qubes OS is for you.

    47. Re: Effects on overall speed? by KiloByte · · Score: 2

      If the attacker can read root-only files, you've already lost. And you can opt to have no debug info.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    48. Re:Effects on overall speed? by antdude · · Score: 1

      And Theo still cared not after that. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    49. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      I guess the closest you could get to a checksum is to checksum each module and a manifest of which modules to include.

    50. Re:Effects on overall speed? by F.Ultra · · Score: 1

      But with a random kernel that "some day" can be a very long wait.

    51. Re:Effects on overall speed? by F.Ultra · · Score: 1

      Not if the kernel is signed and booted over secure boot, protecting against a possible exploited and hostile kernel is one of the things that secure boot was meant to stop.

    52. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      You are such an idiot. If you have ability to insert blob into the kernel, you already own the system. Duh

    53. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      If he's got the privileges to do that then you, for one, have already welcomed him as your new overlord, no?

    54. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      Actually.. With a finite kernel size there is a limited number of ways to combine the kernel code. Since the number of combinations never approaches infinity the chance to execute arbitrary code is not approaching nil.

      You meant "as the number of combinations never is infinity, the chance is never nil, *but* the closer to infinity the number of combinations is, the closer the chance to execute arbitrary code is to zero".

    55. Re:Effects on overall speed? by dunkelfalke · · Score: 1

      Actually, with a random kernel that kind of bug will occur much faster than previously so it will get fixed sooner and not after several years of lying dormant somewhere, probably used by some black hat hackers.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    56. Re:Effects on overall speed? by F.Ultra · · Score: 1

      No, if the bug requires a specific linking order then this kind of bug will appear much less frequent.

    57. Re:Effects on overall speed? by Anonymous Coward · · Score: 0

      If you record the random function seed of each boot, you would know how to rebuild the exact same kernel

    58. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      If they can manipulate the 'next' kernel, they could also manipulate the current kernel.

      The point of this is to make exploitation more difficult in the first place.

    59. Re: Effects on overall speed? by KGIII · · Score: 1

      As it is different with each boot, can it still be validly signed?

      --
      "So long and thanks for all the fish."
    60. Re:Effects on overall speed? by aiht · · Score: 1

      The other concern is that randomising the link order has been shown (ASPLOS 2015) to have around a plus or minus 20% impact on performance. Having that variation across reboots for the kernel could be quite frustrating.

      That variation is already present in every linked program anyway. This just changes the dice-roll from only once at build time to each and every boot time. Surely it would suck more to get a randomly slow link at build time and then be stuck with it?

    61. Re:Effects on overall speed? by TheRaven64 · · Score: 2

      That variation is already present in every linked program anyway.

      To a degree, yes, though in practice it's fairly deterministic and so you tend to only explore a smallish part of the overall space by accident.

      This just changes the dice-roll from only once at build time to each and every boot time. Surely it would suck more to get a randomly slow link at build time and then be stuck with it?

      Not really - predictable slowness is a lot easier to reason about and work around than unpredictable slowness. On a single machine, knowing that something will take 12 minutes is a lot easier to deal with than finding that yesterday it took 8 but today will take 12. Trying to debug a performance problem in userspace code can be very painful if the OS is unpredictable. In a networked system, if every node takes 100ms to respond, that's annoying, but if they all take 80-120ms to respond then your overall performance is typically limited by the 120ms (Twitter is a good example of this: their response time was limited by the fact that, on average, at least one of the machines that needed to respond to create a page for the user would be in the middle of a GC cycle and so respond a lot more slowly than the rest. They fixed it by forcing GC on a fixed interval so that all machines were slow for a few ms, then fast again for a while until the next GC tick).

      --
      I am TheRaven on Soylent News
    62. Re: Effects on overall speed? by fisted · · Score: 1

      Manipulating the next kernel requires root, while manipulating the current kernel requires ring 0.

      --
      CLI paste? paste.pr0.tips!
    63. Re:Effects on overall speed? by paulatz · · Score: 1

      But this would kill the purpose of having a random order

      --
      this post contain no useful information, no need to mod it down
    64. Re:Effects on overall speed? by BarbaraHudson · · Score: 1

      Problem with that is that you can create modules with the same checksum. If you don't care that the original functionality remains (hey, it's malware), it's not that hard. Or more simply, just change the entry for the checksum for that module. Not a peep on reboot,or the next one, or the one after ...

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    65. Re:Effects on overall speed? by BarbaraHudson · · Score: 1

      You're the idiot. You're not inserting a blob into the kernel. The reboot process is. Did you even read the summary? You just need to change one file.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    66. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      The individual parts could be. I admit that I haven't read up on OpenBSD's exact implementation here, just thinking out loud in response to your question. I've built systems where lots and lots of small chunks (thousands) were individually signed. -PCP

    67. Re: Effects on overall speed? by F.Ultra · · Score: 1

      For your own systems yes, but we are talking about the UEFI Secure Boot which sends a single signed digest for the whole boot loader to UEFI. Of course you can create a shim in between which you boot into and which UEFI validates the digest for while your shim does this part-by-part validation of the kernel. So it should be possible to do.

    68. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      GCC has had a RTL ability for years. Linux has had the ability to BSOD (Fatal Kernel Error) for as long, you just get a popup asking you to report the Bug and the offender (Program causing the Kernel Fault) is uneventfully terminated, you simply return to where you were before the error).

      The Snapshot would simply save the Object File order in a file and when you reboot you could restore the prior loading order.

      I had it happen (a Fatal Error) on a different Linux and it was less than 10 minutes before some kind sole debugged it and submitted the Update.

      I recompiled the Module, Relinked and tested; all good.

      Whether OpenBSD is up for that I could not say as it's been years since I used it.

      Linux is not Windows. Your not deadbeaf for ages when there's a problem.

      If it's not working that good just write the Code and submit it, someone will take a look and if it's to Standards and works then in it goes.

      Linux = "It just works, or we simply fix it".

    69. Re: Effects on overall speed? by Anonymous Coward · · Score: 0

      Yes, RTL (or Boot Time Linking), not prelinked.

      You want to give the Attacker (human or program) the boot when you reboot, otherwise your simply denying the two of you the use of the Computer for a minute.

      Trusted Boot and Epyc's Secure Root of Trust, SME, SEV and Secure Move.

      Google 451 Research's Report: Trusting in the CPU: Getting to the Roots of Security.

      The Admin, with physical access, can not hack the Code; there's no access. Set it up and ship it, if it runs (is properly written and compiled) it runs, end of story. They can pull the plug, that's all.

  2. Some more detail over at undeadly.org by badger.foo · · Score: 5, Informative
    You will find more details over at the OpenBSD Journal site (undeadly.org), specifically the stories KARL - kernel address randomized link and the followup Kernel relinking status from Theo de Raadt. These and other items will also turn up on the project's Innovations page.

    And for that whirlwind tour of what's good in that system, take a peek at my OpenBSD and you slides.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
  3. HOT KARL? by Anonymous Coward · · Score: 0

    Suprised they scrapped the original full name, Heuristic Output Timing Kernel Address Randomized Link

    1. Re:HOT KARL? by Anonymous Coward · · Score: 0

      It's Hot Carla when you leave the saran wrap off.

  4. What are the (dis)advantages? by houghi · · Score: 1

    So you get a new kernel each time. I got that from the 78 times they said it. What are the advantages and what are the disadvantages?

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:What are the (dis)advantages? by richy+freeway · · Score: 5, Funny

      New is always better.

    2. Re:What are the (dis)advantages? by Anonymous Coward · · Score: 0

      It's a security feature. Mitigates kernel exploits.

    3. Re: What are the (dis)advantages? by Anonymous Coward · · Score: 0

      Less gadgets for ROP code

    4. Re: What are the (dis)advantages? by Anonymous Coward · · Score: 0

      One advantage is your kernel differs from all the others out there. An exploit that compromises one machine won't be able to compromise others, assuming the randomizing process will create many different kernels from the same snapshot.

    5. Re: What are the (dis)advantages? by zwarte+piet · · Score: 4, Interesting

      I wouldn't see how if they only change the order in which object files are linked, the routines themselves should be the same and have the same exploit working for them unless the exploit relies on changing code in a fixed position of ram, but then a simple search function to locate the routine to be exploited can be added.

    6. Re:What are the (dis)advantages? by lpq · · Score: 4, Informative

      Similar to the pluses and minuses of Address Space Randomization. Right now, in the static part of the kernel, different subsystems are linked together into 1 binary that is loaded into memory at boot. Along with the assumption that the different subsystems could be linked together in many valid orders, that link could be done when the kernel boots so the different sections of the kernel would load in different places relative to each other. in memory.

      The problem would be when 1 compilation or binary kernel becomes widely distributed such that malware could rely on the relative positions of different subsystems in memory. Using that knowledge might make it easier for malware to make use of different subsystems at run time -- on the premise if you know where 1 is, you know where all the rest are. If you can load subsystems, unpredictably at boot, it would be harder for today's malware to make use of. Instead, the malware would have to replicated the loading algorithm and try to reproduce the load order by calculation to make the same use of those subsystems -- another level of difficulty for malware wanting to use existing subsystems.

      Static load order would be most problematic for embedded binaries that come off a ROM and less so for binaries distributed by a large distro. It's also more problematic if the subsystems are linked together in the same order at compile time (which, AFAIK, they are for the linux kernel).

      That link order could potentially be randomized at link time which would have a large amount of the same benefit as the boot-time randomization for end-user-systems that are locally compiled (with some pluses & minuses).

      I don't know that the benefit of this feature has been quantified or is easily quantifiable. The deficits of this feature I would think minimal in a production (non-development/non-debuggable) product.

    7. Re: What are the (dis)advantages? by bill_mcgonigle · · Score: 1

      but then a simple search function to locate the routine to be exploited can be added

      Which is what return-oriented exploits do.

      https://en.wikipedia.org/wiki/...

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    8. Re:What are the (dis)advantages? by Anonymous Coward · · Score: 0

      does it though? Or is this some kind of security by obscurity take to the extreme...

    9. Re: What are the (dis)advantages? by LordWabbit2 · · Score: 1

      Thanks for the info and link, did not know about this.
      Will definitely be reading more about it at home.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    10. Re:What are the (dis)advantages? by Anonymous Coward · · Score: 0

      New is always better.

      I raise you a toast with my Jumbo Jim's Grape Scotch!

    11. Re:What are the (dis)advantages? by squiggleslash · · Score: 1

      If there's a bug in the kernel that allows arbitrary code injection (say, a buffer overflow), it'll be harder for that code to operate because it'll have no idea where anything is.

      Depending on the exploit, this may make it practically impossible to use the exploit in the real world.

      --
      You are not alone. This is not normal. None of this is normal.
    12. Re: What are the (dis)advantages? by quintus_horatius · · Score: 1

      I believe that recent versions of GCC (4.9+) provide options that protect against stack smashing, and they're enabled by default in OpenBSD, FreeBSD, and some Linux distros. Not sure about other compilers, but on such environments a return-oriented exploit would be much harder.

    13. Re: What are the (dis)advantages? by CODiNE · · Score: 1

      May help prevent row hammer attacks.

      --
      Cwm, fjord-bank glyphs vext quiz
    14. Re:What are the (dis)advantages? by Wolfrider · · Score: 1

      --Further along this line, how does this affect UEFI/Secure Boot, if at all?

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  5. Correct links by Anonymous Coward · · Score: 1

    Those are not the real sources, just selected quotes. The Bleeping article links to the real sources which are de Raadt's announcements. Here and here.

    1. Re:Correct links by 101percent · · Score: 1

      He didn't say they were "real sources."

  6. Just one missing component by Anonymous Coward · · Score: 2, Funny

    All OpenBSD needs now is to adopt systemd. Then it wil be totally secure. And more cromulent.

    1. Re:Just one missing component by Anonymous Coward · · Score: 0

      kek

    2. Re: Just one missing component by Anonymous Coward · · Score: 0

      already being worked on see here

    3. Re:Just one missing component by Anonymous Coward · · Score: 0

      Exactly my thoughts.

      Once systemd is adopted the OpenBSD developers can focus of making the OS more usable rather than wasting time with all this pseudo security nonsense. Just imagine what a systemd-linuxd, or even better a systemd-win32d, could do for OpenBSD in terms of boosting market share. It will be an overnight hit. Indeed Linux is becoming more and more popular thanks to the fact that that systemd is powering essentially all Linux distributions.

      I want OpenBSD to be as successful as Linux or Windows. I, for one, would install a systemd powered OpenBDS right away on my laptop. I reckon millions would follow once they know OpenBSD is running under the supervision on systemd.

  7. What are the (dis)advantages?-Making hash. by Anonymous Coward · · Score: 0

    Any kind of security scheme that depends upon the kernel hash not changing will be broken.

  8. You can be even more fine grained by Anonymous Coward · · Score: 0

    ASLR randomizes the general offset.

    This randomizes the object file order.

    Selfrando randomizes every single function.

    https://github.com/immunant/se...

    https://www.ics.uci.edu/~perl/...

  9. "should not be confused" with the same thing by LoneTech · · Score: 1

    The difference is merely in granularity; one is performed in the build time linker (aka static, ld), the other in the run time linker (aka dynamic loader, ld.so). The latter can be done in advance (prelinking), the former has to. The run time linker doesn't have information on all the intra-object links, so cannot operate at the level the build time linker does. That granularity might make a difference; it moves from up to about three (code, data, rodata) randomized pointers per program file to the same per object file (or possibly function, if the compiler splits them). The sort of exploit code this is supposed to mitigate doesn't need to hunt for all of those but typically a specific one, though, and the mitigation has been found to be fairly weak.

  10. So what does this do by zwarte+piet · · Score: 1, Flamebait

    ....apart from wearing ssds and make the authors look interesting?

  11. Trust bleepingcomputer... by Anonymous Coward · · Score: 0

    ... to hopelessly scramble the message with gratuitous and wrong use of terms of art.

  12. Reproducible builds? by Anonymous Coward · · Score: 0

    How does that relate to the efforts (e.g. by Debian devs and maintainers) to provide reproducible builds, to verify and authenticate not only sources, but output binaries which are publicly distributed?

  13. You mean systemd must assimilate OpenBSD? by Anonymous Coward · · Score: 1

    systemd is RedHat's attempt to fracture Linux. Divide and conquer.

    Because systemd is a solution in search of a problem. Something inspired by Microsoft's "registry" is nothing but thoroughly evil.

    1. Re:You mean systemd must assimilate OpenBSD? by Anonymous Coward · · Score: 0

      But, systemd isn't dividing linux. It won the init wars. No major distro is left. Only really terrible ones not fit for production without a large dev staff.

    2. Re:You mean systemd must assimilate OpenBSD? by Barsteward · · Score: 1

      its standardised the distros not fracture it

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    3. Re:You mean systemd must assimilate OpenBSD? by spire3661 · · Score: 1

      Wasnt the point of linux to have choice? Systemd was straight up forced on us.

      --
      Good-bye
    4. Re:You mean systemd must assimilate OpenBSD? by Anonymous Coward · · Score: 0

      Gentoo and Slackware. terrible? I don't think so

    5. Re: You mean systemd must assimilate OpenBSD? by Ash-Fox · · Score: 1

      Gentoo is pretty terrible... Just look at the quality of packages in Portage for one. Slackware does a better job despite being vanilla tarballs which says something.

      --
      Change is certain; progress is not obligatory.
    6. Re:You mean systemd must assimilate OpenBSD? by EndlessNameless · · Score: 1

      Wasnt the point of linux to have choice? Systemd was straight up forced on us.

      You have to earn your options.

      You can build an OS based on the Linux kernel. Linux itself doesn't require systemd; only the pre-built distros do.

      Now, all of their experts have decided that systemd should a required component of their operating systems. You are free to disagree.

      Complain to them if need be, but otherwise just shut up already. No one is going to change anything based on some random whine on Slashdot.

      To paraphrase for this situation: "You're not making Linux better. You're just making Slashdot worse."

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  14. why do we need this? by Anonymous Coward · · Score: 0

    This is being done because people are assholes, right?

    1. Re:why do we need this? by Anonymous Coward · · Score: 0

      Yup, absolutely! People like you.

  15. The advantages by guruevi · · Score: 5, Informative

    Lots of people here asking about the advantages - here is the laymans explanation.

    So typically with ASLR you load a kernel blob into a randomized space and then it just sits there. An attacker (e.g. an evil hypervisor) could search the entire address space for the kernel or in some other way hook into the kernel binary and then simply count up or down address spaces or more likely pass an evil payload to load exploits against specific parts of the kernel from there. Since you always know which parts come first, you can craft payloads so that it gets passed or overflows until it reaches the vulnerable piece of code.

    What this is doing, it randomized the kernel and subsequently the entire kernel even though it sits in the same spot and you could still find or hook into it, you can't simply count up and down anymore to find the bad piece of code nor can you be guaranteed that weak boundary checks will pass your payload, because even though the system has hooked your vulnerable piece of code somewhere, it's not going to be in the same spot.

    It's basically more fine grained ASLR where you break the program (the kernel) down further in smaller pieces to be randomized.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:The advantages by lowen · · Score: 1

      Instead of 'evil hypervisor' think 'Intel Management Engine.'

    2. Re:The advantages by Anonymous Coward · · Score: 0

      Intel Management Empire

  16. KARL by Anonymous Coward · · Score: 0

    KAAAARRRL, That kills people!

  17. Doesn't uptime defeat this? by jfdavis668 · · Score: 5, Interesting

    Since a lot of servers are up and running for seriously long times, the kernel won't change often. Also, since there are a finite number of permutations, it wouldn't be that hard to find the memory location you are looking for.

    1. Re:Doesn't uptime defeat this? by guruevi · · Score: 5, Informative

      The idea is that when you have hundreds of machines, even though their uptime is high, they'll still all be running 'different' kernels.

      To be able to find a memory location, you have to pretty much already run as root. This is to prevent exploits before they get to that point. Eg. if you have a weak TCP/IP stack and you send an 'evil bit' that overflows the buffer, you're no longer guaranteed that by filling the next n buffers you will be able to execute shell code.

      Once you can search through the memory, you've gotten to a much farther point.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Doesn't uptime defeat this? by Anonymous Coward · · Score: 1

      How many modules are there? If, say, 20 then 20! is about 2x10e18, and 30! is about 2.6x10e32

      Yes that's a finite number. So is a cryptography key.

    3. Re:Doesn't uptime defeat this? by edtice1559 · · Score: 1

      Yes but then there is also the kernel base address randomization mentioned in the summary. Put the two together and you get a number that is larger than the total address space of the machine. So essentially all you know is that the problem space is 2^64 for each function whose address you'd like to determine.

    4. Re:Doesn't uptime defeat this? by ponraul · · Score: 1

      As long as there's enough entropy in the state space, it will not be feasible to search it every time an exploit is tried. Since it's random knowing, the parameters of one system, won't give you any information about a different host since it was randomized at boot as well.

  18. So much for mocking Windows reboots by Anonymous Coward · · Score: 1

    Interesting that nix advocates were always mocking Windows for not being able to hot patch without needing a reboot and yet here we are, a nix based OS that needs reboots to stay patched, fwiw this is why updates get disabled (and people get pwned), we are not running silly games or wordy processors in BSD but usually devices that need uptimes of months, preferably years, i don't want to intentionally reboot at all.

    are there any stable and secure nix distros left ?

    1. Re:So much for mocking Windows reboots by radish · · Score: 1

      If your system relies on a specific machine being up at any given time it will fail. You say you don't want to intentionally reboot, but since you're guaranteed to unintentionally reboot it's better to design things so that doesn't matter. In which case, intentional ones don't matter either.

      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    2. Re:So much for mocking Windows reboots by iggymanz · · Score: 1

      you are running you virtual mouth in ignorance. Updates in OpenBSD are not automatic, and the last version 6.0 had all of 28 patches of which 12 were for kernel. Whether or not those particular kernel patches would be needed (e.g. one was for a display driver) would depend on application.

      Uptime in years on a *node* means you are running an unpatched insecure application stack with a bad architecture. Uptime in years can be had with proper clustering, load balancing, etc.

  19. Secure Boot ? by Anonymous Coward · · Score: 0

    So how do you go about signing a kernel for 'secure boot' purposes, when the kernel changes all the time ?

    1. Re:Secure Boot ? by guruevi · · Score: 1

      Secure Boot is not about security, it's about control. It only verifies the signature of the kernel loader against a list of 'approved vendors', once the kernel is loaded, you can do pretty much anything you want with the computer.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Secure Boot ? by bws111 · · Score: 1

      Nonsense. It does not verify the signature agains a list of 'approved vendors'. It verifies the signature against a list of approved signers. While some crappy consumer brands may have built-in keys that can't be changed, real computers (servers) allow you, the machine owner, to install your own keys.

      As to what happens once booted, that depends on what you booted. GRUB will verify the signature of the kernel and initrd before it loads them. If Linux is configured for IMA (Integrity Management Architecture) it will verify the signature of files upon an 'open', including the kernel modules. And it you use remote attestation you can verify that you are not running previously signed but vulnerable code.

      The amount of FUD surrounding secure boot is astounding.

    3. Re:Secure Boot ? by ledow · · Score: 2

      Not that I know a lot about it but...

      You sign the new kernel with the same signing key as the previous one.

      But, that's not how it works. It's the kernel loader that's signed for Secure Boot, and then the kernel loader is free to use any further verification it likes of what it loads, what it checks, and how.

      Part of why Secure Boot is "no more secure" in most configurations, because you're just certified that you're booting GRUB/whatever in most circumstances, which can be misconfigured to be quite open (which is what most people want - just a way to boot a free OS using a signed bootloader).

      But even if it was signed, it doesn't mean that it can't be unique to the machine in question, it's just a matter of using a chain of certificates, but that's out of "Secure Boot"'s hands and into the hands of the kernel loader configuration.

    4. Re:Secure Boot ? by guruevi · · Score: 1

      Yeah, but Grub or Linux using or verifying signed code has nothing to do with Secure Boot. Secure Boot ends when Grub loads.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re: Secure Boot ? by Anonymous Coward · · Score: 0

      you wouldn't. you'd sign the initial loader and the object files.

    6. Re:Secure Boot ? by bws111 · · Score: 1

      If you don't have secure boot turned on, how do you know that the GRUB you are loading is not compromised to load an unsigned kernel? In fact, if secure boot is not turned on GRUB will NOT verify the kernel.

      With secure boot turned off, the shim can't be trusted. If the shim can't be trusted then GRUB can't be trusted. If GRUB can't be trusted then the kernel can't be trusted. And if the kernel can't be trusted then any verification of signed code that it does can't be trusted.

      Saying secure boot is not about security is nuts. It IS about security. The fact that is can ALSO be used for other purposes does not diminish its security usefulness.

  20. Stable and secure nix distros by BBCWatcher · · Score: 2

    Yes, z/OS.

  21. The advantagages-the root of the problem. by Anonymous Coward · · Score: 0

    Well if you have an evil hypervisor, you have bigger problems. Also Intel's SGX is for protecting guests from bad hosts and visa-versa.

    1. Re:The advantagages-the root of the problem. by guruevi · · Score: 1

      Well, an actively evil hypervisor is indeed more problematic (where someone has full access to it), I was more thinking of an automated exploit, automated exploits will be much more difficult to execute, you will require someone with deeper understanding of the kernel to manually intervene on every exploitable machine.

      And Intel SGX has been broken and will probably be further broken in the future, it is also a double-sided sword. You can hide attack code in an enclave and nobody will ever be able to find it and from there on you can load side channel attacks.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  22. Ooold. by SharpFang · · Score: 4, Funny

    Had it on my 486 that ran Gentoo, and not just with the kernel but most of apps. By the time Emerge World completed and I'd need to reboot for the upgraded kernel to start up, a new version was already available, and Emerge World ran right after start, on whatever updates happened during the previous run would finish about the time another kernel was available.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Ooold. by Anonymous Coward · · Score: 0

      Ah the joys of gentoo. When your computer has nothing to do except compile itself constantly.

    2. Re:Ooold. by ausekilis · · Score: 2

      Who wants their processor to be idle all the time? "Couch-processors" have shorter lifespans than their well-exercised brethren and are more susceptible to diseases and viruses. Gentoo was ahead of the curve by creating an exercise program for all processors.

  23. Re: Effects on overall speed? Only on Windows... by Anonymous Coward · · Score: 0

    This idea will mainly affect Windows users who have to reboot all the time. With a BSD machine that only reboots once in 3 years, it will not be noticeable.

  24. Sometimes life surprises you by jbmartin6 · · Score: 1

    " Microsoft has used KASLR for many years." and Linux kernel just added it.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Sometimes life surprises you by Anonymous Coward · · Score: 1

      Microsoft's implementation was an obvious success, given how rarely malware infects Windows boxes.

    2. Re:Sometimes life surprises you by fabriciom · · Score: 1

      Because the purpose of the code was to stop malware or kernel hacks?

  25. Hmmmm.... by Anonymous Coward · · Score: 0

    randomization kindly make me nervous I reckon, uhmmhmmm...

    1. Re:Hmmmm.... by Anonymous Coward · · Score: 0

      just use this kindly donated rando algo, it's for your protection.

  26. llvm by Anonymous Coward · · Score: 0

    a related though not directly relevant thought for some time has been about llvm.

    in general, if software is distributed in the llvm bitcode, or sometimes a higher level intermediate language, with enough build work done so that, downstream of it there are no performance issues, then e.g. different processes can use different syscall numbers when accessing kernel functions, and can have a syscall api custom built for it at build time that restricts it to only those syscalls that it needs, and also limits how it can use them. the old synthesis os project by massalin comes to mind, along with various ideas from capability security and principles like least authority.

    this sort of process, naturally, is far better suited to open source software, where reverse engineering a binary to see how a program works is only necessary in the presence of either a: a compiler bug, when the binary does not do what the source code says it should; or b: there is a mental masochist of a user who wants the challenge, and for whom the source code is the answer at the back of the book.

  27. Linus put your monkeys to work! by fabriciom · · Score: 1

    Hope this gets copied over to linux ASAP...

  28. Re: Effects on overall speed? Only on Windows... by tepples · · Score: 2

    I don't see how 3-year uptime correlates with the oft-repeated "just save your session, log out, shut it down, and start it back up again" workaround for missing or broken hibernate support on particular chipsets in laptop or desktop computers.

  29. AGW by tepples · · Score: 1

    Who wants their processor to be idle all the time?

    People who understand that excessive energy use contributes to making the planet's climate less hospitable.

    1. Re:AGW by Anonymous Coward · · Score: 0

      When the Antarctic finally melts I will move there.
      We are creating a new continent to be colonized.

    2. Re:AGW by tepples · · Score: 1

      At the cost of a greater area of the planet that becomes inhospitable.

    3. Re:AGW by Anonymous Coward · · Score: 0

      Seriously, what do you have against penguins and polar bears? Why should they have to suffer in freezing temperatures just so you can comfortably wear a suit in summer?

  30. Ceterum Censeo, UEFI needs to die. by Anonymous Coward · · Score: 0

    The amount of FUD surrounding secure boot is astounding.

    Oh please, that your only argument?

    "Secure Boot" still means you need some signer's permission, and for most people by far, that's going to be redmond. Remote attestation again means someone else agreeing you're running "attested" software, which for most people by far, will again be some vendor or other, most likely redmond. Or perhaps the MAFIAA.

    That twice means the whole thing is about control, not about security.

    There's no FUD in there, just simple reality. The argument that possibly, maybe, if you work really hard at it and do deeply techical things that most geeks don't understand, nevermind the "average user", you might regain control over the hardware you thought you owned, so you might install and use something besides redmond's finest, is a hopelessly pernicious argument.

    And the time-tested way to draw attention away from your poor argument quality is of course to pre-emtively accuse the other guy of having "FUD" for arguments. It just so happens... it's already come about just as predicted in the real world. That means the objections you're trying to wave away were in fact justified.

    Thank you for playing.

    1. Re:Ceterum Censeo, UEFI needs to die. by bws111 · · Score: 1

      Do you even know what FUD means? It means Fear, Uncertainty, and Doubt.

      Now, let's look at what you call 'no FUD':

      'need someones permission...redmond' FEAR! Be very afraid!!!
      'maybe be MAFIAA' UNCERTAINTY! They could be watching!!!
      'MAYBE is your work really hard...' DOUBT! You'll never be able to run anything bu Windows!!!

      Your entire post is nothing but FUD.

    2. Re: Ceterum Censeo, UEFI needs to die. by Anonymous Coward · · Score: 0

      Fucked Up Dumb Shit /just fyi

    3. Re:Ceterum Censeo, UEFI needs to die. by Anonymous Coward · · Score: 0

      Do you even know what FUD means? It means Fear, Uncertainty, and Doubt.

      This is one of those things that mean nothing if you simply expand the acronym and look up each word in the dictionary. To make sense of the thing, you need the actual definition:

      FUD:: /fuhd/, n.
      Defined by Gene Amdahl after he left IBM to found his own company: “FUD is the fear, uncertainty, and doubt that IBM sales people instill in the minds of potential customers who might be considering [Amdahl] products.” The idea, of course, was to persuade them to go with safe IBM gear rather than with competitors' equipment. This implicit coercion was traditionally accomplished by promising that Good Things would happen to people who stuck with IBM, but Dark Shadows loomed over the future of competitors' equipment or software. See IBM. After 1990 the term FUD was associated increasingly frequently with Microsoft, and has become generalized to refer to any kind of disinformation used as a competitive weapon.

      (emphasis added)

      Now, let's look at what you call 'no FUD':

      'need someones permission...redmond' FEAR! Be very afraid!!!

      Redmond holds the keys needed to sign competitor's bootloaders lest this gums up the works for offering easy installation to "average users". Redmond has a long track record of uncompetetive practices and a conviction of same to boot.

      Note that neither is this disinformation nor am I a competitor, seeing as I offer nothing in that space. So I'm not IBM trying to keep you off of Amdahl products, nor any analogue you might try to concoct instead.

      It still stands that putting redmond in such a position of power over competitors is a clear risk, one that you have no excuse for not having seen it coming. Known and convicted violent perp with a gun type risk. It's about as clearly cut-and-dried anticompetetive-in-a-can as you can imagine, short of caught-red-handed proof they're abusing that power, too.

      'maybe be MAFIAA' UNCERTAINTY! They could be watching!!!

      We know they are. They and their members are the market for a cottage industry of commercial spy-on-consumers companies, for one. No uncertainty there.

      'MAYBE is your work really hard...' DOUBT! You'll never be able to run anything bu Windows!!!

      So show us how setting up secure boot for yourself is really really easy to do, about as easy as popping some data carrier into the machine and starting an installation of a non-redmond OS.

      Put a nice little tutorial video on your anti-FUD-channel on some video sharing site or other while at it, why don't you. Oh right, that's actual work, and you don't do that.

      Your entire post is nothing but FUD.

      BZZT, thanks for playing. Also for showing that as flimsy as it is, that's really your only argument.

  31. Don't think I like this by m.dillon · · Score: 3, Insightful

    If I understand this correctly, the kernel is being relinked and rewritten to the boot partition. That's instant fail in my book.... at least for us, the boot partition is sacrosanct. We do *NOT* write to it except when specifically upgrading a system. We do not do ad-hoc or automated writes to it because years of experience has shown that most corrupted boots (aka machine -> non-working) are due to unexpected events occurring while a filesystem is being written to.

    The rename trick is not a solution (there's the 'ideal' atomic, and then there is the reality. That storage devices can fail in many different ways even while writing a particular sector, that are unrelated to that sector).

    So, honestly, I think OpenBSD is making a huge mistake here. I can see randomization at load-time, but relinking and rewriting the kernel binary on every boot? No. Bad bad bad idea.

    ASLR or equivalent is close to useless anyway. Malware has found ways around it, it makes debugging and bug reproducability difficult (which arguably is more important... that bugs get found and fixed, not simply detected). It also tends to fragment memory which can cause serious problems for long-running systems. And the vast majority of systems will simply restart the service anyway. They might log the seg-fault from the malware, but maybe 0.001% of system owners actually look at those logs.

    -Matt

    1. Re:Don't think I like this by Anonymous Coward · · Score: 0

      Let's assume everything worked flawlessly and bug-free for this feature. How would you know if you are rooted? You kernel checksum will change with every reboot, not just every upgrade.

    2. Re:Don't think I like this by Anonymous Coward · · Score: 0

      don't spread f**king FUD. From discussion on undeadly mentions that it is very atomic operation to rename which is a single write.

  32. Welcome back Slashdot by Anonymous Coward · · Score: 0

    I've missed you!

  33. not the right solution by Anonymous Coward · · Score: 0

    This sort of "security by obscurity" isn't going to solve the malware problem. It's shutting the stable door etc.
    Seems to me that the only reliable solution is a "whitelist" approach: run ONLY approved executables. Enforced by the OS.

    The idea that any executable should be able to run was fine when computers were in the research stage. Not any more.
    The current antivirus approach of scanning everything for known threats cannot possibly keep scaling.

  34. Non-production targets are good by perpenso · · Score: 1

    Non-production targets are good, having them in the **mix** of test platforms is a good thing. They help find bugs in your code. Bugs that manifest infrequently on one platform sometimes manifest frequently on another. I've seen numerous "how the f' did this ever work" bugs discovered over the years.

    There is little cost in doing so going from one posix platform to another and targeting something from the Linux camp and something from the BSD camp can be helpful. Again, note I used "mix of test platforms". Of course the target platform should be the main test platform, but a non-target should get some attention especially for automated testing.

    Personally I take things a little farther and try to keep UI and core code separate and the core code portable. Even when targeting a Windows only environment I'll build the core code on Linux and run its regression and fuzzing tests. My supervisor and co-workers at the time thought it unnecessary, they changed their opinions over time. Occasionally asking to have their forked code tested under Linux before merging. Note this indicates nothing special about Linux. Same thing happens when port from one OS to another, say Windows to Mac, it really about a different environment than the main developers. Helps address the "works on my system" issues.

  35. Likely a hash not a checksum by perpenso · · Score: 1

    Make a blob that has the same checksum (the checksum routine is in the source, meh) and you're all set.

    Except the "checksum" is likely not a checksum because malware could add padding to create the desired checksum just as well. Its likely the "checksum" is a hash and a collision (a match) is not easily created.

    1. Re:Likely a hash not a checksum by BarbaraHudson · · Score: 1

      So replace the entry in the checksum list. Mission accomplished - and trying to use the original blob would result in it being detected as malware. That would create a LOT of head scratching ...

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  36. Linker exploit by OrangeTide · · Score: 1

    Time to inject something into the kernel linker. This random order thing should make it very easy to high all sorts of fun gadgets.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:Linker exploit by Anonymous Coward · · Score: 0

      If you could do that to this new kernel, what was stopping you from altering the kernel before this feature?

  37. Rebooting OpenBSD? by troublemaker_23 · · Score: 1

    Uptime is a defining characteristic of OpenBSD - Netcraft will prove this. How often are OpenBSD machines rebooted to take advantage of this feature? It would be understandable on a Windows system.