We are pleased to interview Oliver Pinter and Shawn Webb, the core developers of the HardenedBSD project.
Founded in 2014, the project aims to be a security-enhanced FreeBSD, with modern exploit mitigation technologies such as PaX and ASLR, and it also introduces a number of new sysctls to the system.
Fleximus: Before we go into any details, please introduce yourselves and then give us a brief introduction to your project.
Oliver/Shawn:
Fleximus: When did you come to FreeBSD and why did you decide to start this sub-project?
Shawn: I first learned about FreeBSD as a teenager. I was introduced to it by a group of old-school hackers. I've fallen in love with it ever since. Oliver and I founded HardenedBSD in April of 2014. Both of us were interested in implementing ASLR for FreeBSD and Oliver already had an existing patch. We created HardenedBSD to coordinate our work on ASLR along with other exploit mitigations. We've been working on providing more exploit mitigation technologies ever since starting HardenedBSD.
Oliver: I first tried FreeBSD at version 6.1-STABLE, but compiling the whole system (KDE3 and OpenOffice) took too much time, so I suspended FreeBSD until 2008, when I got a new PC. This new PC was powerful enough to compile the whole system in finite time; the other reason for the change from Debian to FreeBSD was an infinite number of XFS file system corruptions. I tried a lot of Linux versions, from 2.6.17 to 2.6.32, but none worked, so I finally switched to FreeBSD.
The HardenedBSD project was started based on my University thesis, which primarily focused on the Intel S.M.A.P. implementation for FreeBSD, and secondly on ASLR. One day I got an e-mail from pipacs (one member of the PaXTeam) saying that someone else had started working on FreeBSD hardening, and he gave me a link to Shawn's blog entry. At first we worked in different repos, until I got bored of the many merge / cherry-pick conflicts and created the HardenedBSD repo on GitHub; this was in spring 2014.
Fleximus: What is the long-term goal of HardenedBSD? Upstreaming the patches and becoming an integral part of the FreeBSD system seems to be a big one. We heard this could happen with FreeBSD 11.
Shawn: We want to provide the world with better security. FreeBSD is used quite heavily by some rather large companies and communities. FreeBSD lags behind the rest of the world in exploit mitigation technologies. We want to fill that gap.
When FreeBSD releases 11.0, we'll follow within a reasonable amount of time (we get to define "reasonable" as "when it's ready") with our first official release.
Eventually, we want to start selling our own security appliances. We've started researching that already and have deliciousness cooking in the oven.
We're adding more system-level hardening bits. I'm hardening syscalls and sysctls. Oliver's continuing work on Intel SMAP and finishing up PaX NOEXEC. My next large task is revamping how our SEGVGUARD works, following grsec's model more closely. Oliver will also start on PaX UDEREF.
We added a new member to our team. He goes by the handle "CTurt". He's focusing on finding vulnerabilities and exploiting them in FreeBSD along with providing patches to secure those vulnerabilities.
Fleximus: Are there any key differences in the ASLR or PaX implementation compared to Linux or anything else worth noting?
Shawn: We took PaX's implementation as our inspiration, even working with the PaX Team in ensuring ours is implemented properly.
Oliver: We followed mostly the PaX documentation, but currently we lack a little of them.
Fleximus: OpenBSD implemented ASLR in 2003 and finished its implementation in 2008. Did you look at their source code to evaluate a migration of their work to FreeBSD?
Shawn: Even though OpenBSD is BSD-licensed, I've avoided looking at other implementations to prevent licensing concerns. That way, my code is my code. I don't have to worry about adding others to the copyright statement and/or using their copyright altogether.
Fleximus: We read that you wrote patches for FreeBSD-11 and already backported those patches back to FreeBSD 10-STABLE. What is the current status of the project?
Shawn: All work we deem stable we backport to 10-STABLE. We maintain package repos for both 11-CURRENT/amd64 and 10-STABLE/amd64.
Oliver: At the project's beginning the code was developed on 10-STABLE and forward-ported to 11-CURRENT. Shawn used 11-CURRENT and I used 10-STABLE; this is why we have so many merge conflicts. We primarily focus new development on 11-CURRENT, and if a given feature is stable enough, we cherry-pick it to 10-STABLE too.
Fleximus: Actually, there's an ongoing poll on whether the linuxulator (Linux compat layer) should be removed from the sources or not. As we are aware, the more features and the more compatibility code exist, the more attack surface is also present.
Shawn: I will be doing a bit more research into this area. It's still undecided whether we'll remove the linux compat layer. We need to wait till the linuxulator commits settle down and then do some additional work. As it stands right now, COMPAT_FREEBSD32 has been removed from our custom kernel (the HARDENEDBSD amd64 kernel config). COMPAT_FREEBSD32 is required for the linuxulator to work. You'd have to compile your own kernel with that option added in to get the linuxulator to work.
Fleximus: We thank you, Oliver and Shawn, for this interview. We got more insights and a better understanding of the HardenedBSD project and are even more excited to see and test the results.
We encourage anyone who is interested in the project to help with contributions, your ideas and thoughts. The project also accepts the usual donations, even bitcoins.
Shawn: Thank you for this great opportunity. We're having fun doing what we love. We hope to someday make this passion sustainable as a full-time employ. It's because of the community that we are where we are now. We look forward to giving back.