
OpenBSD Recent Security Innovations - elchief
https://undeadly.org/cgi?action=article;sid=20190605110020
======
anaphor
[https://man.openbsd.org/pledge.2](https://man.openbsd.org/pledge.2) is also
pretty damn cool. It effectively lets you make your program use a least
authority model of execution, and then you can grant it the capabilities it
actually needs to run. I would love to see something similar on Linux (there
is capsicum-linux, but it seems like it's abandoned).

~~~
rurban
Totally uncool and a dead end. Nobody else will do it that way. "The promises
argument is specified as a string, with space separated keywords". caps as
strings to be tokenized at runtime are slow, insecure and not validated at
compile-time. Never trust a parser in core. This needs to be a bitmask of
course. Don't let ruby programmers add OS APIs.

~~~
gpvos
The intended ad hominem in the last sentence does very much not apply.

~~~
unixhero
Nah no ad hominem taken! I thought it was funny. I write Ruby, and love it,
and wouldn't go near OS API design with a tenth foot pole.

~~~
jabot
That's about 3cm. Pretty close ;-)

~~~
gpvos
I wouldn't touch it, but watching it up close is quite interesting.

------
cperciva
Wait, OpenBSD didn't have MAP_NOCORE? FreeBSD added that in February 2000... I
always assumed that the other BSDs had long since picked it up.

Huh.

~~~
tedunangst
Do you know of anything using it? I haven't seen it come up before.

~~~
cperciva
There are a few utilities in the FreeBSD base system which use MAP_NOCORE -- I
think mostly as a "this isn't useful so don't waste time dumping it" flag:
mkimg, sort, grep. The libsodium we have imported into sys/contrib also
mentions it, but I don't know if those parts of libsodium are ever used by the
FreeBSD userland.

Grepping the ports distfiles on my laptop, I see MAP_NOCORE mentioned in
Cython, rust, qemu, firefox, and thunderbird; again, no idea _how_ it's being
used in those.

In the interest of compatibility, can I suggest

    #define MAP_NOCORE MAP_CONCEAL

for now, and in the future if MAP_CONCEAL adds new functionality define it as
MAP_NOCORE|MAP_CONCEAL_EXTRA? Since you have the capability to exclude regions
from core dumps, you might as well expose it to programs which are aware of
MAP_NOCORE.

PS. Linux has MADV_DONTDUMP and FreeBSD has MADV_NOCORE; I'd suggest handling
those as well if you don't already do so.
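The alias idea above, written out as a compile-time shim (an added example, not code from the thread or from any of the BSDs): it prefers OpenBSD's MAP_CONCEAL or FreeBSD's MAP_NOCORE at mmap time and falls back to madvise (Linux MADV_DONTDUMP, FreeBSD MADV_NOCORE) for platforms with only that, which also covers the later point in the thread about concealing memory that already exists. The function names SECRET_MAP_FLAG, secret_conceal and secret_alloc are this example's own inventions; each flag is used only where the platform headers define it.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stddef.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* mmap-time flag: OpenBSD MAP_CONCEAL, FreeBSD MAP_NOCORE, else none. */
#if defined(MAP_CONCEAL)
#define SECRET_MAP_FLAG MAP_CONCEAL
#elif defined(MAP_NOCORE)
#define SECRET_MAP_FLAG MAP_NOCORE
#else
#define SECRET_MAP_FLAG 0
#endif

/* Exclude an existing page-aligned region from core dumps via madvise
 * (Linux MADV_DONTDUMP, FreeBSD MADV_NOCORE). Returns 1 on success, 0 if
 * the platform has no such advice or the call failed. */
int secret_conceal(void *p, size_t len)
{
#if defined(MADV_DONTDUMP)
    return madvise(p, len, MADV_DONTDUMP) == 0;
#elif defined(MADV_NOCORE)
    return madvise(p, len, MADV_NOCORE) == 0;
#else
    (void)p; (void)len;
    return 0;
#endif
}

/* Anonymous mapping kept out of core dumps, or NULL if the mapping failed
 * or no exclusion mechanism could be applied. Neither flag keeps pages
 * out of swap; that is mlock's job, as noted in the thread. */
void *secret_alloc(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | SECRET_MAP_FLAG, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (!secret_conceal(p, len) && SECRET_MAP_FLAG == 0) {
        munmap(p, len);
        return NULL;
    }
    return p;
}
```

On a Linux box you can confirm the effect by checking that the region shows up with the `dd` flag in `/proc/self/smaps` after secret_alloc returns.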

~~~
tedunangst
I don't think the intention was to be incompatible. I'll see about adding
aliases.

~~~
hedora
Clarification in the documentation about what happens with swap files would be
nice, especially as aliases are added.

“Conceal” (but not the manpage) suggests it won’t ever be written to swap, but
“nocore” as a performance optimization suggests paging to swap is fine.

If dirty concealed pages can’t be swapped, then it starts to look like
mlock(), which requires escalated privileges on Linux, at least...

(Though, paging dirty mmapped pages to swap is kind of confusing in the first
place.)

~~~
tedunangst
So the name conceal was chosen to allow some flexibility, like prohibiting
ptrace. The idea is to keep secrets from escaping into other programs. Other
programs generally can't read swap, so that's not a concern.

------
aomix
The PROT_WRITE tweak is interesting. Being able to enforce a bit of Write XOR
Execute behavior in Write OR Execute arenas is nifty. It took this change for
me to read into W^X and exactly what it entailed because my naive
understanding was that the new no-syscall-from-writeable-page behavior would
be almost identical in effect to the strict W^X behavior.

------
Lt_Riza_Hawkeye
If you have data you don't want written to a core dump, then MAP_CONCEAL will
literally only help you if that memory is in an mmap'd region. If it's in
regular old virtual memory, you're fucked.

So if you're going to add a flag to something to let users conceal a region of
memory from a core dump, add it to madvise, adding it to mmap is just adding
arbitrary restrictions on the programmer.

Linux got it right with MADV_DONTDUMP

~~~
quotemstr
All memory is mmaped, especially on OpenBSD, which deprecated
basically-mmap-with-a-mustache brk. There's no such thing as "regular old
virtual memory".

------
cmurf
Anyone know why this link works in Chrome but not in Firefox? I get _Peer
could not decode an SSL handshake message. Error code:
SSL_ERROR_DECODE_ERROR_ALERT_

~~~
sam_bristow
Are you running on Fedora by any chance? You might've hit this issue:

[https://www.mail-archive.com/misc@openbsd.org/msg167825.html](https://www.mail-archive.com/misc@openbsd.org/msg167825.html)

~~~
cmurf
Yep, thanks.

------
joosters
Why don’t they just default to not writing core dumps, and forcing the
sysadmin to explicitly enable them when debugging an app?

This setup seems like the worst of both worlds. Core dumps get written but now
probably lack the information critical to debugging, making them worthless.

