Re: [openbsd] fwd: [deraadt@cvs.openbsd.org: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/]
- To: Sergey Prysiazhnyi <apelsin@atmnis.com>, openbsd@uaoug.org.ua
- Subject: Re: [openbsd] fwd: [deraadt@cvs.openbsd.org: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/]
- From: Pavel Labushev <p.labushev@gmail.com>
- Date: Fri, 06 Nov 2009 13:07:17 +0700
- Delivered-to: <openbsd@uaoug.org.ua>
- In-reply-to: <20091104090419.GA5121@atmnis.com>
- References: <20091104090419.GA5121@atmnis.com>
- Reply-to: openbsd@uaoug.org.ua
- User-agent: Thunderbird 2.0.0.23 (X11/20090912)
Sergey Prysiazhnyi writes:
> ----- Forwarded message from Theo de Raadt <deraadt@cvs.openbsd.org> -----
>
> Date: Tue, 03 Nov 2009 16:58:25 -0700
> From: Theo de Raadt <deraadt@cvs.openbsd.org>
> To: misc@cvs.openbsd.org
> Subject: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
>
> [bcc'd to Dan Goodin @ theregister]
>
> If anyone wants a choice quote from me about the recent Linux holes,
> this is what I have to say:
>
> Linus is too busy thinking about masturbating monkeys, he doesn't
> have time to care about Linux security.
>
> For the record, this particular problem was resolved in OpenBSD a
> while back, in 2008. We are not super proud of the solution, but it
> is what seems best faced with a stupid Intel architectural choice.
> However, it seems that everyone else is slowly coming around to the
> same solution.
And here are the comments of Brad Spengler, the grsecurity developer (taken from
http://www.grsecurity.net/~spender/enlightenment.tgz,
enlightenment/exp_moosecox.c):
--------------------------------------------------------------------
Special PS note to Theo (I can do this here because I know he'll
never read it -- the guy is apparently oblivious to the entire world of
security around him -- the same world that invents the protections
years before him that he pats himself on the back for "innovating")
Seriously though, it's incredible to me that an entire team
of developers whose sole purpose is to develop a secure operating
system can be so oblivious to the rest of the world. They haven't
innovated since they replaced exploitable string copies with
exploitable string truncations 6 or so years ago.
The entire joke of a thread can be read here:
http://www.pubbs.net/openbsd/200911/4582/
"Our focus therefore is always on finding innovative ideas which make
bugs very hard to exploit successfully."
"He's too busy watching monkey porn instead of
building researching last-year's security technology that will stop
an exploit technique that has been exploited multiple times."
"it seems that everyone else is slowly coming around to the
same solution."
So let's talk about this "innovation" of theirs with their
implementation of mmap_min_addr:
They implemented it in 2008, a year after Linux implemented it, a
year after the public phrack article on the bug class, more than a
year after my mail to dailydave with the first public Linux kernel
exploit for the bug class, and over two years after UDEREF was
implemented in PaX (providing complete protection against the smaller
subset of null ptr dereference bugs and the larger class of invalid
userland access in general).
OpenBSD had a public null pointer dereference exploit (agp_ioctl())
published for its OS in January of 2007. It took them over a year
and a half to implement the same feature that was implemented in
Linux a few months after my public exploit in 2007.
So how can it be that "everyone else is slowly coming around to the
same solution" when "everyone else" came to that solution over a
year before you Theo? In fact, I predicted this exact situation would
happen back in 2007 in my DD post:
http://lists.virus.org/dailydave-0703/msg00011.html
"Expect OpenBSD to independently invent a protection against null ptr
deref bugs sometime in 2009."
Let's talk about some more "innovation" -- position independent
executables. PaX implemented position independent executables on
Linux back in 2001 (ET_DYN). PIE binary support was added to GNU
binutils in 2003. Those OpenBSD innovators implemented PIE binaries
in 2008, 7 years after PaX. Innovation indeed!
How about their W^X/ASLR innovation? These plagiarists have the
audacity to announce on their press page:
http://www.openbsd.org/press.html
"Microsoft borrows one of OpenBSD's security features for Vista,
stack/library randomization, under the name Address Space Layout
Randomization (ASLR). "Until now, the feature has been most
prominently used in the OpenBSD Unix variant and the PaX and Exec
Shield security patches for Linux""
Borrowing one of your features? Where'd this ASLR acronym come from
anyway? Oh that's right, PaX again -- when they published the first
design and implementation of it, and coined the term, in July 2001.
It covered the heap, mmap, and stack areas.
OpenBSD implemented "stack-gap randomization" in 2003. Way to
innovate!
W^X, which is a horrible name as OpenBSD doesn't even enforce it with
mprotect restrictions like PaX did from the beginning or even SELinux
is doing now (from a 3rd party contribution modeled after PaX):
PaX implemented true per-page non-executable page support, protecting
binary data, the heap, and the stack, back in 2000.
OpenBSD implemented it in 2003, requiring a full userland rebuild.
The innovation is overwhelming!
They keep coming up with the same exact "innovations" others came up
with years before them. Their official explanation for where they
got the W^X/ASLR ideas was a drunk guy came into their tent at one of
their hack-a-thons and started talking about the idea. They had
never heard of PaX when we asked them in 2003. Which makes the
following involuntarily contributed private ICB logs from Phrack #66
(Internet Citizen's Band -- OpenBSD internal chat network) so intriguing:
On some sunny day in July 2002 (t: Theo de Raadt):
<cloder> why can't you just randomize the base
<cloder> that's what PaX does
<t> You've not been paying attention to what art's saying, or you don't
understand yet, either case is one of think it through yourself.
<cloder> whatever
Only to see poetic justice in August 2003 (ttt: Theo again):
<miod> more exactly, we heard of pax when they started bitching
<ttt> miod, that was very well spoken.
That wraps up our OpenBSD history lesson, in case anyone forgot it.
PS -- enjoy that null ptr deref exploit just released for OpenBSD.
--------------------------------------------------------------------
End of quote.
P.S.
I remember our agreement, Sergey. I haven't yet found suitable exploits or
the time, but given the situation, I'll try to bring in more knowledgeable
people. Expect news.