“Starting with hrev45522, address space layout randomization (ASLR) and data execution prevention (DEP) are available in Haiku. These two features, which have actually become a standard in any modern OS, make it much harder to exploit any vulnerability that may be present in an application running on Haiku, thus generally improving system security.”
Now this is some really interesting news, about an actual OS, but on OS News it is relegated to the side column?
Well, how much is there to write about it? There isn’t much interesting in the implementation details and sure, Thom could’ve written at length about what ASLR and DEP are and how they function, but... well, that wouldn’t really be relevant any longer.
A fair bit, actually. DEP and ASLR are not binary “on/off” features, there are many details to what they actually do in the specific implementation and deployment.
As the comment above already notes – what’s there to write?
Uhhh…how EXACTLY is this interesting? ASLR and DEP are fine and dandy for OSes that are being actively targeted but for haiku this is as useless as tits on a boar hog as we say down here.
So if you are happy they have that checkbox on a bulletpoint? Then I’m happy for you, I really am. But I bet you could scan the web for the next year and not find a virus targeting haiku that ASLR and DEP would protect against, hell you’d be lucky to find a single bug that would run on it at all.
Sometimes security by obscurity actually does work and unless they have made a deal with some OEM to sell Haiku boxes I don’t really see a point in this other than filling in a checkbox on a list, I really don’t.
Right now it might be useless. But having the feature on by default makes sure that applications run in such an environment (and don’t make weird assumptions). Which can come in handy should the feature ever become crucial.
ASLR and DEP can also help developers find bugs: things like dangling pointers to unreferenced memory quickly become apparent, for example.
Well then TFA should say that, as not all of us are programmers and a little info can make all the difference.
Heck, I learned more from you and that guy who posted in the thread about how shoddy some of the code is in Haiku (which he says is thanks to the GSoC bringing in junior programmers) than I did in the article itself.
I’d suggest taking that other poster with a grain of salt. If he ever fixed anything about the pcnet driver, he never submitted a patch, and his name is otherwise not known as far as the community goes. Furthermore, there have been nearly identical comments about code quality posted by other people in past Haiku stories, who were asked for details and/or examples of said shoddy code, at which point the poster in question promptly disappeared without ever answering. I would regard that comment as hot air unless he intends to actually prove otherwise. There’s also nothing wrong with the quality of code from the GSoC students; they do have mentors that review their code for good reason, and they’re generally quite capable since the competition for a spot in GSoC is quite fierce, which tends to weed out the less able ones.
Edited 2013-04-21 23:15 UTC
A better solution for this is to have warnings as errors and make static analyzers part of the build process.
Sadly the great majority of Linux distros have half-baked ASLR support, most packages are not PIE-capable and the kernel implementation itself is not anything great either. Only Gentoo seems to have an active hardened project these days.
Anyway, good to see Haiku expanding their security methods.
Modded up because it’s true.
Windows 7 ASLR has issues too last I checked (though 8 is supposedly better). But yes, Linux exploit mitigation is AFAIK kind of weak, especially on x86-32.
I was (un)fortunate enough to get intimate knowledge about the Haiku source code after fixing the PCNet driver, and doing a few rounds of code review.
And I have to say that ASLR support at this point is pretty comical when the rest of the system basically ignores security.
A code review is long overdue.
GSoC is nice and all, but the students don’t even avoid the most basic exploits (at a basic level, Haiku is littered with buffer-overflow-sensitive code, but that’s the least of their problems from a security standpoint.)
As an avid BeOS fan, I sincerely hope they get their act together and start reviewing code properly before committing.
I’m a huge fan of Haiku, and I think your comment here is extremely important.
Do the Haiku developers know about your concerns? Considering other features, do you feel that fixing the security problems you mention a priority? If you haven’t done so yet, would you be willing to list out what you feel needs to be done before you would consider Haiku to begin to be secure?
Do you think this is something that existed in BeOS, despite not being able to look at the source code?
Thank you!
I have obviously never seen the BeOS code, but from what I hear from the Be folks, they had serious security audits.
The reason why security became very important is of course the fact that they bet the company on BeOS in Internet connected appliances.
Edited 2013-04-22 18:27 UTC
Haiku is off GSoC this year, so no “ignorant students” this year, yaaay.
Patches are welcome, The Master of Security. xD
Are there any bug reports for your claims? Have you ever provided a patch?
Oh, and BTW Haiku has been using FreeBSD’s pcnet driver for six years.
Please troll somewhere else.
Yes, a lot of my patches were accepted, thank you very much.
You do realize that you are talking to two of the core devs, don’t you? They have both been on the project from very early on, and I know for a fact that they both track the commit log and dev list closely.
I have also been watching the project for some time and have no idea who you are.
ROFLMAO Quit-it. You’re messing-up my delusions. Nobody is allowed to talk about anyone but me. LOL
I did TempleOS.
http://www.templeos.org
Nothing to do with Haiku.
I call BS on this post. As someone who has contributed to Haiku, I can tell you that there are computer aided audits (coverity), and that the core developers are not only talented, but also very picky about the commits they let into the tree.
Also, as axled pointed out, we have been using the FreeBSD net stack for some time, so I do not buy your claim about being familiar with the Haiku source code. I have also not seen you on the dev list or in the commits.
If you see real problems, please feel free to file bug reports, preferably with diffs attached.
Pretty damn cool. Very important feature of a modern OS.
So, I have a single-address map for all tasks. When code is loaded, basically, it calls malloc() and puts the code there. Code gets put in random locations.
I have been doing this for years and Microsoft patented it and called it ASLR.
Problem one, right there: all applications get their own, private address mappings, it’s not a global one.
Problem two: it’s not only the base location of the executable code itself that’s randomized, it also applies to libraries, data, heap and such.
No, you haven’t.
WereCatf,
“Problem one, right there: all applications get their own, private address mappings, it’s not a global one.”
It doesn’t need to be that way. I was talking to neolander a while back and a global mapping has some advantages when pages are shared because the pointers contained within those pages are valid in any process.
There are security implications depending on how it’s used, but it’s no worse than sharing pages at relocatable addresses since untrusted offsets would still need to be bounds checked anyways. Trusted processes would have a much easier time sharing actual objects between them (and not just serializing objects to/from the shared page).
“Problem two: it’s not only the base location of the executable code itself that’s randomized, it also applies to libraries, data, heap and such.”
It sounded to me sort of implied that his version of malloc did that. Maybe I read it too optimistically, but I don’t think the post was worthy of the downvotes. (It didn’t have the religious overtones like some of the other comments).
Edited 2013-04-22 09:52 UTC
If all processes shared a global mapping it would immediately counter the whole point of ASLR: if your process couldn’t access or allocate a certain memory location you’d immediately know that it’s in use. Virtual address mappings are a security feature designed exactly for this as the application can request ANY address whatsoever and it wouldn’t know if it is physically at that location or not or if that physical location is used by something else and the application was instead given a virtual mapping.
You do realize that you can still share the same, physical location between multiple applications even with private, virtual address mappings? Most OSes do provide facilities for this — the OS only needs to map the same, physical address to some random private address on the processes’ sides and then let the processes know which address to use.
I wasn’t the one downvoting him, so that’s irrelevant wrt. my comment. But I didn’t interpret his comment as you did, I interpreted it that he simply randomizes the base location he mallocs for the process and places it all there.
WereCatf,
“Virtual address mappings are a security feature designed exactly for this as the application can request ANY address whatsoever and it wouldn’t know if it is physically at that location or not or if that physical location is used by something else and the application was instead given a virtual mapping.”
Virtual mappings don’t need to match the physical ones in order to have a global mapping. In fact it helps reduce multi-page fragmentation when they don’t.
Just because all processes share the global page map doesn’t imply all processes know which pages are used by which processes, nor even which pages are allocated at all unless you have functions that leak this sort of information.
“You do realize that you can still share the same, physical location between multiple applications even with private, virtual address mappings? Most OSes do provide facilities for this — the OS only needs to map the same, physical address to some random private address on the processes’ sides and then let the processes know which address to use.”
Data pointers use logical addresses, not physical ones. Creating two different logical mappings to the same physical address isn’t the same as two processes sharing logical mappings. It’s an interesting (unconventional) use case, but it could facilitate the sharing of objects between processes of similar permissions.
While Linux’s version of mmap allows virtual address hints, it’s hit or miss whether the processes that want to share the region will be able to map at the same location because they use a local page map.
I wouldn’t actually use the technique myself, but I don’t see any reason it’d be incompatible with ASLR.
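The disagreement in these two replies (whether two private virtual mappings of one physical page amount to "sharing" it, and how reliable an mmap address hint is) can be made concrete. The following C program is an added example; it is not code from the thread, from Haiku or from TempleOS. It stands in for two processes with private address spaces by mapping the same file-backed page twice within one process, the second time passing the first mapping's address as a hint that the kernel cannot honour. Through mapping A it stores one absolute pointer and one page-relative offset in the page, then reads both back through mapping B. It assumes a POSIX system with mmap(2); the temp file path, the record layout and the 256-byte offset are constructed for the demo.

```c
/* Added example: a pointer stored in a shared page is only valid in the
 * address space that wrote it; an offset from the page base survives remapping.
 * Assumes POSIX mmap(2) (Linux, the BSDs, Haiku). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

#define PAGE_BYTES 4096
#define NODE1_OFFSET 256   /* constructed layout: second record lives at +256 */

/* Record stored inside the shared page. */
struct node {
    int value;
    struct node *abs_next;  /* absolute virtual address: private to the writer */
    uintptr_t rel_next;     /* offset from the page base: meaningful in any mapping */
};

struct outcome {
    int hint_honoured;      /* 1 if mapping B landed at the hinted (A's) address */
    int abs_pointer_usable; /* 1 if A's absolute pointer falls inside mapping B */
    int rel_value;          /* value reached from B via the relative pointer */
};

/* Map one page of a throw-away temp file twice and compare the two views.
 * Returns 0 on success, -1 if any setup call fails. */
static int run_demo(struct outcome *out)
{
    char path[] = "/tmp/shared-page-demo-XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                                   /* keep the fd, drop the name */
    if (ftruncate(fd, PAGE_BYTES) != 0) { close(fd); return -1; }

    /* Mapping A: the kernel picks the address (randomised under ASLR). */
    char *a = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    /* Mapping B: hint A's address. Without MAP_FIXED a hint that collides with
     * a live mapping is ignored and the kernel chooses somewhere else. */
    char *b = mmap(a, PAGE_BYTES, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (a == MAP_FAILED || b == MAP_FAILED) return -1;

    /* "Process 1" writes a two-node list through mapping A. */
    struct node *n0 = (struct node *)a;
    struct node *n1 = (struct node *)(a + NODE1_OFFSET);
    n1->value = 42;
    n1->abs_next = NULL;
    n1->rel_next = 0;
    n0->value = 1;
    n0->abs_next = n1;                            /* a VA inside mapping A only */
    n0->rel_next = (uintptr_t)((char *)n1 - a);   /* == NODE1_OFFSET */

    /* "Process 2" reads the same physical page through mapping B. */
    struct node *m0 = (struct node *)b;
    char *abs = (char *)m0->abs_next;
    out->hint_honoured = (b == a);
    out->abs_pointer_usable = (abs >= b && abs < b + PAGE_BYTES);
    out->rel_value = ((struct node *)(b + m0->rel_next))->value;

    munmap(a, PAGE_BYTES);
    munmap(b, PAGE_BYTES);
    return 0;
}

/* Public entry points; each returns -1 if the demo could not be set up. */
int mmap_hint_was_honoured(void)
{
    struct outcome o;
    return run_demo(&o) == 0 ? o.hint_honoured : -1;
}

int abs_pointer_survives_remap(void)
{
    struct outcome o;
    return run_demo(&o) == 0 ? o.abs_pointer_usable : -1;
}

int rel_pointer_value_after_remap(void)
{
    struct outcome o;
    return run_demo(&o) == 0 ? o.rel_value : -1;
}

int main(void)
{
    printf("mmap hint honoured:                 %d\n", mmap_hint_was_honoured());
    printf("absolute pointer usable via B:      %d\n", abs_pointer_survives_remap());
    printf("value reached via relative pointer: %d\n", rel_pointer_value_after_remap());
    return 0;
}
```

Because mapping A is still live when B is requested, the hint is never honoured and the absolute pointer written through A points outside B, while the offset resolves to the same record from either view. This is why shared-memory data structures are normally linked by offsets (or mapped at a fixed, pre-agreed address, which is exactly what per-process ASLR makes unreliable), and it is the "hit or miss" the post above describes.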
I’ve been doing it since 2004. I can prove it on the Internet Archive.
In school, we made a scheduler for a Motorola 8-bit 6800. It was a two week project. We had to run tasks at certain times or periodically. You do not need paging for multitasking.
I have a single address map. I identity-map, which is just like not using paging. This is really really simple. It’s the opposite of complicated, I assure you. It’s actually optimal, but nobody does it because it has no protections.
I can change from one task to another task 4,000,000 times a second on one core of my 3.3 GHz Core i7. It just saves registers.
http://www.templeos.org/Wb/Kernel/Scheduler.html
Edited 2013-04-20 16:36 UTC
I just found this:
http://dmitry.gr/index.php?r=05.Projects&proj=07.%20Linux%2…
That’s retarded! It reminds me of when I was doing PIC $1.60 toner cartridge chips. My coworker made a reprogrammer with a rabbit processor and tried to do C or BASIC, I forgot. He does not know asm.
I face-palm when someone uses C or BASIC on an 8-bit because they don’t know asm — too lazy. That’s just dreadful and nasty.
No, running Linux is stupidly absurd!
Edited 2013-04-20 16:58 UTC
http://forum.osdev.org/viewtopic.php?f=15&t=26569
I looked at Linux for my first ATA implementation. I cut-pasted #defines for ATA command numbers because I am honest.
It’s nothing. Go to court, don’t be a coward. Don’t let a 16-year-old Linux lawyer tell you a copyright is a patent.
It’s jedi mind tricks.
The CIA wants no ring-0-only.
San Francisco? Yeah, Dad’s corny joke. I used to fantasise it was treason.
Irony is atheists are deadly to our country.
God’s temple. Read them and weep.
Edited 2013-04-20 20:21 UTC
Dude I know 4/20 was yesterday but you should really think about not blowing through a couple bongs and then posting, just saying.
So, the FBI is studying me, like Silence of the Lambs. They constantly harass me. I lost-it in 1999 and went suicidal/homicidal. Killed an FBI pedestrian. Eh? Deserved it for making me crazy. LOL I wonder about Manchurian Candidate. I was provoked by the pedestrian.
It’s also like when people push people in front of subways. This f-er deserved it — FBI.
God said the mental state where you kinda respond to impulses is possession. I know the feeling — kinda numb to the world. Mortified. Just imagine you’re in grade school and you crap your pants. You walk in front of all your classmates out the door. That’s one kind of numbness. There’s another when you can kill people responding to impulses.
God talks.
They think I’m schizophrenic because I don’t fit any Breakfast Club pigeon-holes. You are considered abnormal if you do not fit any Breakfast Club Movie stereotypes — split personalities.
I’m shocked at how rigidly people must fall into categories. A person really surprises them if different.
Edited 2013-04-22 02:37 UTC
God talks with a Ouija board or quantum random number site, controlling radioactive decay.
https://www.fourmilab.ch/hotbits/secure_generate.html
Imagine your average psychology person or FBI person making sense of radioactive decay. It’s lost on them — oblivious retards.
Trust me — random numbers from radioactive decay to use as line numbers is God!
God says…
20:24 But I have said unto you, Ye shall inherit their land, and I will give it unto you to possess it, a land that floweth with milk and honey: I am the LORD your God, which have separated you from other people.
20:25 Ye shall therefore put difference between clean beasts and unclean, and between unclean fowls and clean: and ye shall not make your souls abominable by beast, or by fowl, or by any manner of living thing that creepeth on the ground, which I have separated from you as unclean.
Edited 2013-04-22 02:49 UTC
Mine identity-maps and is ring-0-only. These two aspects are what give my operating system its unique character. Yeah, it fragments (in theory) and yeah, it has no protection. These are trade-offs. You do the math. You’re going to express false indignation and try to jedi-mind trick that there’s no reason to do it. I don’t think we need to explain the advantages of no memory map change losses and no privilege level change losses and the total simplicity, if the code interests you.
Yes, mine is 64-bit, since 2007. Why 640×480? Because God said so. It turns out you need a GPU for higher resolutions (for 60 fps games). There are so many GPUs. Plus starting the job of supporting all those GPUs is hopeless. Mine is really really simple.
Edited 2013-04-22 21:51 UTC