Contributed by jose on from the where-did-that-page-go? dept.
Date: Wed, 8 Oct 2003 16:23:56 -0600 (MDT) From: Ted UnangstThe net effect of this is to make it harder for attackers to get the alignments of their exploits right, helping to increase the resilience of OpenBSD to common attacks.CVSROOT: /cvs Module name: src Changes by: tedu@cvs.openbsd.org 2003/10/08 16:23:56 Modified files: sys/uvm : uvm_map.c Log message: randomize return from uvm_map_hint. the random increment is limited to prevent fragmentation. this has the effect of randomizing unhinted mmap()s, sysV mem, and position of ld.so. tested on many archs by many developers for quite some time. use of MIN to allow m68k to play from miod@. vax is not included. ok deraadt@ miod@
(Comments are closed)
By aisa () aisa@cybermesa.com on mailto:aisa@cybermesa.com
the allocation gets mapped into?
It seems the code, instead of providing the "next" block of allocation, now gives any suitable block "near" the optimal allocation.
My guess is that the space that is skipped by the randomizer remains unmapped by the process.
Given that most programs don't come anywhere near using the entire address space, this seems like a super-keen thing to do, but I imagine it would reduce the useable address space for programs that might, like mmap'ing many large files.
Please enlighten me...
Comments
By chuck () chuck@lemure.net on www.lemure.net
If your reading in a huge file thats going to use that much memory, your progam has bigger problems to worry about (IMHO). Thats what buffered readers in java are for, and similar mechnanisms in C.
Normally also, using your example, I would guess that only the start and end of the block of memory would be randomized. So the entire block would still be contiguous.
Comments
By Anonymous Coward () on
By tedu () on
Comments
By Anonymous Coward () on
By asdfsfsdfsdfsdfsdfsdfsdfsdfsdfsdfsdfsdfsdfsdfsfsdf () on
if "it" means copying yet another feature of PaX.
way to go!
Comments
By Anonymous Coward () on
By tedu () on
nevermind that it's a _one_ line change. clearing something that required changing a whole one line of code is so complex that only the super geniuses at pax could have developed it.
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
now go away, troll.
By tedu () on
By Anonymous Coward () on
By tedu () on
By Xcom () on
Comments
By Fábio Olivé Leite () on
By Anonymous Coward () on
"except pax doesn't do anonymous mmaps, which are kinda important."
Maybe you missed this part, when you were reading the PaX documentation to see what you could copy next and gain some fame for:
http://pageexec.virtualave.net/docs/randmmap.txt
The goal of RANDMMAP is to introduce randomness into memory regions handled
by the do_mmap() kernel interface. This includes all file and anonymous
mappings, such as the main executable, libraries, the brk() and mmap()
managed heaps.
please apologize for your malicious lie. thank you.
Comments
By Anonymous Coward () on
By gwyllion () on
Have a nice day.
Comments
By Anonymous Coward () on
Comments
By Michael () on
If you are correct, I'd like to know about it.
By tedu () on
calling people liars when they haven't told a lie isn't very nice.
By gwyllion () on
Comments
By gwyllion () on
By gwyllion () on
Perhaps because never in the history of OpenBSD have they ever developed anything that was not done before?
Oh, yes of course. Since OpenBSD was started, they never developed anything new, they never found a single bug in the audit process, they never wrote any new code, ... Yes, of course.
Maybe because features in PaX show up weeks later in OpenBSD? Maybe because I've heard first-hand reports of people who have discussed PaX with OpenBSD developers 2 years ago, when Theo still claims he had never heard of PaX?
Sorry, you've claimed this numerous times. Please name these OpenBSD developers. In the past (in other discussions) you never succeeded it given proof of this claim. See href=http://marc.theaimsgroup.com/?l=bugtraq&m=106124438821224&w=2 and href=http://marc.theaimsgroup.com/?l=bugtraq&m=106132585529503&w=2 A great quote by miod "more exactly, we heard of pax when they started bitching".
Maybe because I've seen access logs from OpenBSD developers to the PaX documentation?
Do you authentic logs of OpenBSD developers reading the PaX documentation before they implemented W^X and you started bitching on misc@? Please show them.
I know you are liars. It's incredible that you people have no integrity.
And posting messages as an Anonymous Coward proves your integrity? Smells like pure troll to me.
Comments
By Anonymous Coward () on
A 12 year old can find bugs in code. This is nothing *new*. They're just repackagers of others' ideas and code. I've not yet seen any valid refutation of this.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By gwyllion () on
did you see tedu admit that he has read the PaX documentation?
Yes.
I guess you were wrong.
Yes.
Now please shut up you ignorant OpenBSD asshole.
No, thank you.
By Stripes () dsbnepo.20.stripes@antichef.com on mailto:dsbnepo.20.stripes@antichef.com
Well that seems kind of silly. If PaX has had good ideas in the past (like this one) then it is dumb not to pick it over to see if there is anything else good to borrow.
After all, which is the better open source motto: "If I have seen farther then others it is because I have stood on the shoulders of giants", or "If I have seen no farther then others it is because I have stood in the footsteps of giants"??
There is no shame in recognizing the good ideas of others. There is some in ignoring them.
Comments
By Anonymous Coward () on
OPENBSD IS LYING TO ITS COMMUNITY ABOUT THIS. STOP MAKING EXCUSES. THEO IS A FRAUD.
Comments
By Ulysses () on
By tedu () on
MAP_FIXED but still expect that behaviour so the hint cannot be overriden for anonymous mappings)".
sorry, it's been a while since i read that page and i misinterpreted it. now instead of being such an ass, why couldn't you have just said "hey, that only applies to mappings with a hint"?
for the record, openbsd doesn't tinker with mmaps that have a hint provided, only NULL hints.
Comments
By Anonymous Coward () on
Comments
By tedu () on
Comments
By tedu () on
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Learn how to spell.
You know, the funny thing about your comment is that I don't give a fuck about what some idiot who doesn't know how to spell has to say about me.
By krh () on
When I read this, I can't help but think you're a jerk. Sorry, that's just how I feel.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Do you know how infoleak bugs are exploited?
Do you know your between-mapping randomization is a waste of code?
Do you realize that by modifying the mmap base, all subsequent mappings are randomized (yes, including anonymous mappings tedu, you retard)?
Why do you make a big deal out of your between-mapping randomization when it serves no purpose? Is it simply to make yourself look like less of a rip-off from PaX by copying the features that actually do things (I noticed you used the same 16-bit mmap base randomization PaX uses) and then adding useless bloat?
Very interested in your response, geniuses!
Comments
By ulysses () on
By gwyllion () on
By Iain K. () on mailto:ikyte(at)yahoo(dot)com
I think just locking the memory according to type is the key.
Kernel code - read only unmodifiable but executable
Kernel scrach pad -- Read/Write non-executable
Kernel Stack -- Read/Write non-executable
Procees Code -- Read Only executable
Process Heap -- Read/Write non-executable
Process Stack -- Read/Write non-executalbe
Best for Applications code is to put some padding to the page boundry so it can not be used as part of the Heap or Stack.
Next process is to have applications with out terminals. In particular remote terminals. If the application fails the connection is broken and request for authentication will be required to re-establish connection.
Other area is in setting up quick privalege upgrading algorithums and analysis of the the procedures to death. Idea is that you should have the preperation stage, change to the higher level, execute the privaleged task, drop back to the lower level. Area to examine is to have a timed privalege window. This is the area to do a good amount of research on.
For this random allocation idea, it does not make sense. If I am going to put my egg into the system I do not care where it happens to fall but that I can point to it. It does make it so I can not use hard links but relative links. Since the idea of hard coded moves, jumbs and subroutines have left with moddern compilers and linkers, I do not see this being used.
Please could you in favour for Random Memory Allocation Protection Method show some research papers on this sumbject for the community?
Iain
By tedu () on
what the hell does "between-mapping randomization" mean? each mapping has a random start? yes, that's approximately what we are doing. are you only creating one gap and then mapping linearly after that? that sucks.
it happens to be 16 bits on i386. 256MB is a reasonable amount of VM space to burn on fragmentation, while avoiding frequent collisions. i mean really, there's only so many values that make sense. maybe we should have picked 24 bits and completely burned out the VM? is that your suggestion? maybe you'd care to explain what scientific principles you used to determine that 16 bits is the perfect amount?
what "useless bloat" are you talking about? it's one line of code. i suppose i could have rolled it into the return, making it half a line, but expending a whole line was considered acceptable bloat in this case.
finally, who the hell is making a "big deal" about this? i made a commit, it got mentioned on deadly. did you see me running around shouting "openbsd roxors"? does the commit message exagerate the facts?
Comments
By Anonymous Coward () on
You completely sidestepped the issue that I presented in my comment. I questioned the usefulness of your procedure of putting a random gap between each mapping (randomizing their order, which went in a while ago, also falls into this). These "ideas" smell like you have no idea what you're doing or what you're even trying to protect against. It is clear to me that these features are useless when you already randomize the mmap base. My post was intended to have you tell me why you have implemented these features. Surely you should have some legitimate reason.
Comments
By tedu () on
|--random gap--||-- mapping A --||--mapping B--|
what happens when an attacker overflows A? he hits B. so if you know that writing 172 bytes past A will corrupt B in such a way as to lead to an exploit, no amount of adjusting the base helps.
openbsd random mmap:
|-- mapping A --||-- some random space --||-- mapping B --|
or
|-- mapping B --||-- random gap --||--mapping A --|
now, if you overwrite A, you hit unmapped space and die. in fact, B may even come before A. given the hypothetical attack above, this is precisely what i'm trying to prevent.
it's possible for mapping B to come precisely after mapping A, but unlikely. just in case, it would be better to see guard pages, guaranteeing empty VM between mappings.
you can get a patch for this from
http://www.zeitbombe.org/openbsd.html
does that adequately not sidestep the issue? how does PaX prevent overflowing A from overwriting data in mapping B?
Comments
By Anonymous Coward () on
Comments
By tedu () on
Comments
By Anonymous Coward () on
You can't guarantee anything.
Comments
By tedu () on
Comments
By Anonymous Coward () on
By tedu () on
Comments
By Anonymous Coward () on
Comments
By tedu () on
Comments
By Anonymous Coward () on
How does this have any application to 95% of OpenBSD users either? It's just a silly, useless feature.
By tedu () on
in short:
attack type: return to libc.
solution: move libc.
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
If you can see the adresses via an infoleak bug, it doesn't matter if you randomized the load order of the libraries.
Sorry, OpenBSD doesn't provide proc/pid/maps and /proc/pid/stat like PaX.
Comments
By Anonymous Coward () on
Comments
By tedu () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Now piss off, troll.
By gwyllion () on
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By tedu () on
By atone () repent@the.net.nz on mailto:repent@the.net.nz
Comments
By Anonymous Coward () on
By Sam () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By gwyllion () on
Future work
Randomized mapping for shared objects
Try to find a way to map the main program randomly (ELF does not do so)
Randomized mmap
malloc & mmap that fragment slightly -> insert guard pages
guard pages in the data segment?
link all non-buffer objects near start of data segment, BEFORE buffers?
The malloc guard pages (implemented by tedu) are still in testing I've heard. By the way can you point me to the relevant PaX documentation on this future feature (malloc guard pages)?
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By gwyllion () on
Comments
By gwyllion () on
By gwyllion () on
Do you actually believe they will every give any credit to PaX after being called retards, liars, ..., after being harassed on mailing list and website, ...? Some PaX fanatic even threatened to release a local root exploit for systrace, in his cry for attention. If this happened to me, I would personally never provide credit, ever.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
b80d342b4f2e241d5a495e77360194ee
I suppose in a few years (if the bug is ever found and fixed) we'll find out if it's true, and if it is, won't you feel stupid knowing you've been owned for that long?
Comments
By Anonymous Coward () on
73a5d5ea1c309a41d3f1b23ee78cd01
By gwyllion () on
How can he claim ignorant independent development of these features now? Why is he and the rest of the OpenBSD developers exempt from doing the right thing and giving credit where credit is due?
Why do you keep begging for credit? Isn't it time to start harassing someone else? Perhaps Ingo Molnar. In the description of Exec Shield he doesn't give credit to PaX (nor to OpenBSD)
By the way can you explain the difference between Exec Shield, OpenBSD and Windows non-exec pages implementations? The PaX website describes them as:
the first independent Windows NT/2000/XP implementation by SecureWave
the second independent Windows NT/2000/XP implementation by Data Security Software
PaX features are part of OpenBSD
non-executable stack and heap pages based on the segmentation logic implemented in Exec Shield (this description is hopelessly out-dated as it implements complete randomization of the whole address space as well)
So of all these projects only OpenBSD blindly copied PaX and the others didn't? These Windows implementations of the PaX ideas are independent and when OpenBSD claims they developed this independantly, you keep bitching on mailing lists and websites. Grow up!
Comments
By Anonymous Coward () on
BTW, you're reading that page wrong. It means that PaX uses the segmentation feature of the intel architecture to implement non-executable pages, and notes that the same thing is done in other projects (though their implementations are less effective to varying degress).
By Anonymous Coward () on
As for the difference between the various implementations:
Exec shield is even worse than W|X. It doesn't even guarantee that when a process is loaded, unless it specified to map something writable and executable, that no page will be both writable and executable. The randomization features are similar to PaX's (since it was taken from PaX)
It is also i386 only.
W|X is inferior to PaX because it cannot guarantee the inability to execute arbitrary code. PaX can do this. PaX supports more architectures than W|X: i386 (a per-page implementation, which Theo claimed to be impossible), alpha, parisc, ppc (with a per-page implementation, which Theo also claimed to be impossible), sparc, sparc64, amd64, and ia-64.
PaX has larger randomization than W|X as well. PaX has non-executable and read-only kernel pages, W|X does not (though they are going to copy this too eventually).
The windows non-exec implementation was developed by one of the original PaX developers, so it used the old PAGEEXEC method. I don't know much about it other than that.
Also, this comment:
"(this description is hopelessly out-dated as it implements complete randomization of the whole address space as well)"
is completely irrelevant to what you were referring to and shows your complete lack of knowledge on the subject.
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
By gwyllion () on
PaX supports more architectures than W|X
Wow, I didn't know Linux supported more architectures than OpenBSD. Do you expect W^X to work on amd64 and ia-64, two platform which OpenBSD isn't ported to yet? These architecture have hardware support for non-executable pages, so adding support isn't that difficult.
i386 (a per-page implementation, which Theo claimed to be impossible), alpha, parisc, ppc (with a per-page implementation, which Theo also claimed to be impossible), sparc, sparc64, amd64, and ia-64.
Sorry, but where did Theo claim this was impossible. I can only find emails in which he says they thought it was impossible. Read this email on bugtraq ; "If we had been aware of PAX as you claim, why would we have thought that i386 solutions were impossible?"
Also, this comment: "(this description is hopelessly out-dated as it implements complete randomization of the whole address space as well)" is completely irrelevant to what you were referring to and shows your complete lack of knowledge on the subject.
Sorry, but I thought PaX people were making a distinction between non-exec stack+heap and PaX features (non-exec pages + address space layout randomization). I think Exec Shield and OpenBSD fall under the same category.
BTW Theo invites PaX people at his talk at pacsec.jp :-)
Comments
By Anonymous Coward () on
Theo is of course welcome. Other talks will include how to bypass W^X, and how non-executable pages are possible on MIPS (contrary to what Theo claims).
Some arms race Theo: you can't have an arms race with stolen goods.
Comments
By Anonymous Coward () on
> holes in OpenBSD at G-Con.
Oooohh I sooo scaaared. Mommy, mommy where are you?!?
Release the ooohh sooo evil OpenBSD exploit. Show it, c'mon, let's see it.
Mmmm hmm, it either it does exist and you'll actually be right about something for once in your life (and we'll gladly fix it) or it doesn't exist.
But it doesn't exist, does it. No. No one will ever see it. Oh they'll talk about it. Just like people talk about PaX exploits all the time. But you never see them.
> Some arms race Theo: you can't have an arms
> race with stolen goods.
Yet you still try.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
I'm sorry Theo, I think you have that backwards. Did you forget you're just copying work that has been available for years? How's it feel to not be "#1 in the industry for security"?
PaX can stand on its technical merit.
You have to rely on your immature personal attacks that in the end make you look like an asshole.
How does making false, ignorant statements about another project change the effectiveness of its code?
You've already lost, Theo. Give up.
It's clear that you never have anything of technical importance to contribute, and when you try, you're wrong, so please, just stop.
By tedu () on
you can only do this if you disable mprotect. that's not an option.
the per-page ness was a lot more complicated than W^X. you can get pretty close using just the hardware without having to reimplement stuff in software.
Comments
By Anonymous Coward () on
Comments
By tedu () on
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Non-exec stack is the perfect example for that. And I also have hard time believing none of the OpenBSD developers ever heard of PaX, considering it was pretty known to anyone who was following main stream security mailing lists... (such as Bugtraq)
As for TedU... That's one person who's doing lots of porting of code from NetBSD folks. He's lurking (at least) on NetBSD's kernel mailing lists, and whenever anything that's posted gets enough comments or gets commited, he ports it to OpenBSD. Subscribe to tech-kern@netbsd.org and see for yourself how lots of "cool patches from tedu" make it there a week or so before. ;)
That's why I believe he copied the PaX code without crediting them.
So, dear OpenBSD team, please bare us all of your crap about not hearing of PaX before they started bitching (or should I say - request honest credit for their work?) and start being full-disclosure about anything that's going on OpenBSD, like you say in your security page. Maybe most of the OpenBSD user base is compiled of idiots who'll buy anything Theo or anyone else says, but for those who know their shit you look pretty pathetic. :)
And I'm an OpenBSD user.
Comments
By djm () on
Why do PaX think that they are the only ones to have good ideas?
Comments
By Anonymous Coward () on
Not to mention that PaX gives credit and reference to those who deserve it on their website. OpenBSD not only lied about not knowing about PaX (and you can keep your claims and justifications to yourself, we both know you knew about it the same way I did) but it obviously copied -- even if you only depend on time frames, previous work patterns, release dates, and depth of documentation -- features from PaX.
By Anonymous Coward () on
Also, you don't remember correctly. The PaX team has never claimed W^X is worthless.
vma mirroring in PaX is not a logical extension from a non-exec stack.
the only thing in common between PaX and Openwall's non-exec stack is that they use the segmentation logic of the processor. Intel developed it for this reason, so no one "invented" it.
By Anonymous Coward () on
Did PaX not develop the same features for more architectures than you support?
Did PaX not develop the first implementation of proper kernel page permissions?
Did PaX not develop the first implementation of FULL address space layout randomization?
As far as I can tell, they're the only ones that have any good ideas.
By PaX Team () pageexec at freemail.hu on http://pageexec.virtualave.net/docs/
indeed, since PaX has never been a mere non-exec stack implementation. if you had cared to read the docs, you would know better. also i don't quite get what 'monopoly' has to do here, care to explain?
2. "many of the other protections have been implemented before on non-Unix platforms"
can you provide me with more details? i assume you're talking about full randomization and the non-exec page implementation and the rest - in my search on the net i could not find a single system that implemented them at once in a consistent, well-designed manner as PaX does it (if you read PaX docs, you'd know why a systematic approach in deploying the PaX defense mechanisms matters so much).
3. "By the PaX team's own admission..."
where is that admission? i'd really like to see it. if i admitted anything so far it was that W^X is the same *idea* as what i call NOEXEC in PaX (again, i'll refer to the docs to understand what that covers). as for my claim that the OpenBSD *implementation* is worthless, i don't think i ever stated that, but i will say now that it's less than ideal (read: subset of what PaX implements) for no good reason. it's your choice to not fix your code and make it better, not mine, don't blame me.
4. "the idea of randomly mapping shared libraries was implemented by Solar too"
i don't know where you got that from, but his linux patch has never had randomization in it, he remaps libraries so that the MSB of the addresses is 0 (Exec Shield does the same), but they all end up at the same place in repeated runs.
5. "Why do PaX think that they are the only ones to have good ideas?"
i don't, but you keep trying to put words into my mouth, you could really stop that now and invest your time in studying the topic you make claims about, the PaX docs would be a good start.
By James A. Peltier () james@site-fx.net on http://www.site-fx.net
By Elvis () on
Besides I really dont care about PaX after all, probally when they get their crap in main linux kernel BRANCH we can talk again.
Btw please save the whales
Comments
By Anonymous Coward () on
Comments
By Elvis () on
Wow Im amazed!
By PaX Team () pageexec at freemail.hu on http://pageexec.virtualave.net
1. "OpenBSD developers don't give a fuck what features PaX provides! They just don't look at PaX (not at their source, nor at their documentation)! They come up with these features themselves. Why do you trolls keep having a hard time believing this?!"
let me begin with this one, as it probably highlights the core of the problem. contrary to what the claim would have you believe, said developers do care about PaX but not for the reason you think - i'll spell it out now because it seems to have been lurking in the background all this time but noone voiced it. consider why OpenBSD exists and why it is being used: mostly it's because of their various security related claims. i won't go into the validity of those claims, but i'll point out that apparently whatever they had achieved by mid-2002 (the time when certain 'high-profile' bugs surfaced) made them look for more security, stuff that's called intrusion prevention techniques in the commercial world (Entercept and others). whatever the origin of their techniques, they had clearly realized since that theirs was not the only one, and not even the best one for that matter - this means that their main claim to existence was in danger, OpenBSD is (and was) not the 'best' (security-wise, here it means 'resistance to exploits' which they care about the most, at least the infamous claim on their homepage makes one believe so). in my opinion it is for this reason that they chose to avoid any mention (let alone comparison) of PaX ever since, OpenBSD would simply not stand up, and coming from the developers' mouth would make them look bad (or so they seem to think).
you also make a claim about the origin of their features without showing any proof - the few links you provided are just the same tiring rehash of the question i had asked (and never got a response to) since the beginning: where's your development process documented? apparently you don't know any better, why don't you just quit this silly war of the words until you do?
2. "Please could you in favour for Random Memory Allocation Protection Method show some research papers on this sumbject for the community?"
http://seclab.cs.sunysb.edu/addr_obfs/docs/ao.pdf
http://www.crhc.uiuc.edu/~junxu/Papers/TechReport_TRR_UILU-ENG-03-2207.pdf
http://www.usenix.org/events/sec03/tech/cowan.html
not sure if you have access to USENIX, but you can try google/the authors' homepages.
3. "256MB is a reasonable amount of VM space to burn on fragmentation"
if your sshd maps 8 libraries, that's a 1GB (on average) of reduction in the largest mapping possible, if it's of any indication of a typical app, some of them might not be happy about it (the same apps you were referring to when you pointed out the halved address space under SEGMEXEC and Theo did the same a while ago in private mail - one wonders how/why he let this change fly now...). the very first version of ASLR in PaX did the same (per mapping randomization) by the way but it was found to be not worth it. if you think about it, there are two enemies of randomization: information leaking and attacks where absolute addresses don't have to be known. for the former, per library randomization is pointless because you never know (cannot guarantee) what parts of the address space can leak, so why bother? for the latter, it is pointless again for libraries because you cannot have overflows that cross ELF file mappings (there will be a non-mapped region or a r-x mapping between two rw-, unless you expect overflows from static data to .bss in a given library, but then you cannot randomize the gaps between such). it may matter for anonymous mappings provided they are used for all malloc() requests, something that's rarely the case (i don't know about OpenBSD, but on linux/glibc by default only requests above 128k are satisfied via mmap()). you said you were going to use mmap() for malloc() requests, i assume you meant those only that are above the page size, otherwise you'd be wasting lots of memory (something like ElectricFence does). in this case putting a random gap between them is pointless again, just have a non-mapped page and your overflows are stopped cold. in short, i see no reason for per mapping randomization.
4. "calling people liars when they haven't told a lie isn't very nice."
let's hope you keep reminding Theo about it as well.
5. "So of all these projects only OpenBSD blindly copied PaX and the others didn't? These Windows implementations of the PaX ideas are independent and when OpenBSD claims they developed this independantly, you keep bitching on mailing lists and websites."
a few words on the projects linked to on the PaX site. the windows versions have been developed based on the PaX documentation (note that contrary to a claim made here, i didn't develop either of them myself, although i did talk to the guys about various problems that popped up), they both acknowledge it on their respective sites - something you cannot really say about OpenBSD (i'd like to note that when Theo said on bugtraq the other day that he hadn't read anything where PaX was announced/talked about in the past... well, he was not saying the truth, namely he had been reading bugtraq itself where PaX showed up a few times... go figure). you guys keep saying that you had developed all this independently, yet when asked for evidence, silence is your response. will you too go silent now?
by the way, the description of Exec-Shield is there to point out its non-executable page features, not the randomization ones (otherwise i should have put up many more links to other randomization projects that popped up over time, they'll be mentioned/analyzed in a future document though).
6. "what happens when an attacker overflows A? he hits B. so if you know that writing 172 bytes past A will corrupt B in such a way as to lead to an exploit, no amount of adjusting the base helps."
i think what you're getting at is a dead-end, it has been done in the past and is called ElectricFence and it's unusable in production (although really great for debugging).
7. "how does PaX prevent overflowing A from overwriting data in mapping B?"
PaX doesn't prevent any kind of overflow, it is simply not the goal (or hasn't been so far, this may very well change in the future). the goal is to prevent exploit techniques from working, read the documentation for details. your particular attack scenario allows for what i called the 3rd type of exploit technique (data modification) for which PaX explicitly provides no protection yet (again, it's clearly spelled out in the docs).
8. "you can only do this if you disable mprotect. that's not an option."
not sure where you got this from, but PaX does not disable mprotect(), what it does is that it prevents certain page protection combinations which is perfectly valid according to POSIX.
9. "the per-page ness was a lot more complicated than W^X. you can get pretty close using just the hardware without having to reimplement stuff in software."
i assume here you're talking about i386 and vma mirroring, as on the other archs it takes next to no code to get per page non-exec protection. have you got some comparison as to how much effort/code it took in OpenBSD to accomodate userland to your solution (ld.so i think)? also, i don't understand what you were referring to by 'reimplement stuff in software'.
10. "Sorry, OpenBSD doesn't provide proc/pid/maps and /proc/pid/stat like PaX."
actually, PaX doesn't provide them either as it is the /proc filesystem in linux itself that does and if you care to read the docs, you will find out why i didn't touch this code (hint: PaX is part of bigger systems that may and do want to do it their way, so why interfere).
11. "have you considered that we might be trying to switch to mmap-based malloc?"
this is an interesting statement, earlier this year Theo told me the following in private mail:
---------------------------------------------
> how is the brk() managed heap mapped/handled/used in OpenBSD? would
> malloc() not use it for 'small' allocations (like it does in linux)?
brk is not used.
---------------------------------------------
so what gives?
12. "maybe the application your attacking doesn't have any bad format strings?"
this maybe of some interest: http://marc.theaimsgroup.com/?l=bugtraq&m=105941103709264&w=2
Comments
By djm () on
Comments
By Pax Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
Comments
By djm () on
By gwyllion () on
as for the flaming, i have nothing to do with it, i don't get why you guys keep attributing it to me (or assume i have any control over it).
It's confusing to distinguish between PaX advocates (e.g. spender and noir) and the official PaX team if all the PaX advocacy is posted using anonymizer.com. Before you made a post with an actually name and real IP, I was under the impression all the flaming was done by actual PaX representatives. Sorry.
or are you suggesting that OpenBSD works that way? tedu/gwyllion/etc are flaming every now and then because they get theirs orders from higher up?
Tedu is an OpenBSD developer defending his work, which is being called inferior to PaX. I'm just an simple OpenBSD user, annoyed but all this PaX advocay/troll on this website; I do not receive orders from higher up (I don't know Theo personally, I never exchanged private email with him, ...).
Comments
By Anonymous Coward () on
If you read, the PaX team did not ask for credit, but for their development timeline to be properly documented. When OpenBSD's development is shrouded in secrecy with private mailing lists, why should they be believed when they claim to have *thought* about something at a certain time, when they have no proof other than their own word to back it up?
Comments
By gwyllion () on
I'm sure neither spender nor noir have the time to bother with posting on this website. They're busy enough with their own projects. Why do you accuse people of things you have no proof of? You're committing the same act you're flaming others for.
Sorry, you must have misread my post. When stating PaX advocates (e.g. spender and noir) I was merely giving examples of PaX advocates who are bitching the OpenBSD project. See noir on bugtraq , noir on bugtraq 2 and spender treatening to release a local remote exploit for systrace and bitching about an unimplemented feature (W^X on PPC) . I could have stated Peter Busser as well (as a PaX advocate), but I didn't because he's polite in comments on PaX vs OpenBSD.
Sorry, I didn't want to suggest that spender and noir are acting as trolls on this website.
Comments
By Anonymous Coward () on
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106573542723629&w=2
http://www.securityfocus.com/archive/1/333462/2003-08-15/2003-08-21/2
http://www.securityfocus.com/archive/1/333899/2003-08-15/2003-08-21/2
There are many more examples, as I'm sure you are aware, but I don't need to waste any more time on it. Why do you always exempt Theo from your criticism of people bitching and whining? Theo's post on misc makes him look silly. Is it your position that you enjoy having such an immature person as the leader of OpenBSD?
Comments
By djm () on
http://www.deadly.org/commentShow.php3?sid=20031009110855&pid=315
http://www.deadly.org/commentShow.php3?sid=20031009110855&pid=451
... and this is just a small sample from this forum. I'd say that calling people idiots is nowhere near as bad as calling them plagarists.
Comments
By Anonymous Coward () on
Comments
By djm () on
Comments
By Anonymous Coward () on
Comments
By Can Erkin Acar () on
And what does asking for proof of development time line means, really? What kind of proof do you expect?
Does PaX developers obtain signed timestamps for every idea they have thought/written/implemented from a third-party trusted source?
Every other proof you can get is exactly TRUSTING the WORDS of the DEVELOPERS. When they say: "no we did not know PaX existed at the time we thought of these things" that is enough proof. After that you start calling them liars.
This is what "The Pax Team" did. Reading his posts again, it seems to me that (s)he loves to write open statements that imply many things without saying them outright.
Comments
By Anonymous Coward () on
Comments
By Can Erkin Acar () on
For what? If you do not trust their words, why would you trust any mail/documentation they give to you. And why would they, knowing that such proof would also be debatable, bother digging up their archives/documents for some proof?
You see, I do not remember when I first heard about PaX either. Although I am absolutely sure I heard about it much earlier (possibly in bugtraq or some conference announcement etc) I did not _know_ what PaX _is_ until this whole debate started. While you might argue that I am much clueless than most of the OpenBSD developers, It is entirely possible that PaX was ignored as 'some Linux thing' even if it was noticed.
So, you have to trust the developers. They have nothing to lose by giving credit to PaX they already give alot of credit to all kinds of people, organizations and projects. The BSD license itself is only about giving credit. The fact that they do not give credit, then, is because they did not know PaX at the time W^X was designed.
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
not merely similar problems, but exactly the same problem (prevention of certain exploit techniques). and the manners are the same too, separation of the writable/executable attributes on memory pages and a generic safety net via randomization of various pieces of the address space. the implementations are different for obvious reasons though (and sometimes for not so obvious reasons).
Comments
By Anonymous Coward () on
I was pretty amazed looking through some text books on the subject, which my professor pointed me to after seeing my work.
Harnessing a hardware feature of some lines of CPU's and then extending on it (in parallel projects), can hardly go very far without heavy overlap.
By henning () henning@ on mailto:henning@
That's simly wrong. We have nothing to loose with crediting PaX. W^X and the randomnization stuff is only a small fraction of what we do for security in OpenBSD.
It's simply that we indeed didn't know any details of PaX at the time the dieas for that came up. Personally, I heard about PaX before, without knowing or really caring for what it is.
There was no mention of PaX on our internal mailing list or the internal icb channel before some PaX advocates started bitching.
Comments
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
By Anonymous Coward () on
Comments
By Can Erkin Acar () on
Once you start moving along a path (W^X, randomization, whatever) there are only so many things to can do to improve it. It is natural that some of the ideas are close. Furthermore, most of these 'duplicate' work are critisized by PaX team as being wrong or different - so how are they duplicates?
You seem to think OpenBSD is implementing PaX without telling the world about it. Has it ever occured to any you that OpenBSD may NOT be implementing PaX at all?
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
1. "What kind of proof do you expect?"
emails? irc/icb/etc logs? are you telling me that the OpenBSD development process is not documented? or if it is, it's kept secret? how come none of you guys addressed these questions?
2. trusting the words of the developers is a good point to raise given how many times said developers were shown to have made false claims, and i'm quite sure it's just the tip of the iceberg. forgive me if based on such background i won't give these guys the benefit of doubt.
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
By Anonymous Coward () on
By Can Erkin Acar () on http://www.openbsd.org/goals.html
By Can Erkin Acar () on http://www.openbsd.org/goals.html
Responses in the same order.
1. OpenBSD uses many technologies, and gives credit where it is due, but you can not find mention and comparison of similiar technologies in OpenBSD pages. There is NO mention or discussion of UBC, vinum, StackGuard, IIS, tinydns, postfix, FreeSwan or other technologies for which OpenBSD has provided a similiar functionality. Why would there be one for PaX?
If you want comparison of PaX and OpenBSD features do it and publish it. It is very likely that a fair comparison, whatever the conclusions may be, will be linked from the press.html pages.
Most of your postings in this forum goes on and on about _differences_ and discussions of how PaX features are superior to OpenBSD implementation. Since there are so many differences how can you still believe, and make others believe, that OpenBSD implementation is based on PaX?
Why is it so important to you that OpenBSD makes such a statement, even when it is not true?
2. Thanks for the links.
3. Nice discussion, not my area of expertise though, so I prefer to trust OpenBSD developers to make the right decisions. See, this is after release hacking time where many large changes enter the tree to be tested and tuned by the users and developers. I believe that things will work fine by the release time.
4. You are asking Theo to lie by forcing him to tell OpenBSD W^X is based on PaX.
5. See reply 1. above. We do not - can not - comment on every possible similiar technology out there. Simply not possible: OpenBSD is an OS not a W^X project with a limited scope.
6. Then let it be used for debugging only. This is part of the job too, we are talking about a complete OS here.
7. Yep, different goals, different needs, different implementations.
8. Cannot comment, not my area, but from the discussion it seems that there are many ways to read POSIX.
9. No idea, sorry.
10. Again the same point: you have no control over the OS and you make your decisions based on that. OpenBSD W^X is part of the OS and both are developed together. There are lots of different design decisions between W^X and PaX so why not just leave it alone.
11. What tedu was talking about is obviously a different implementation, and Theo was also correct since: malloc.c rev 1.4 (7 years 2 months ago): "malloc(3) implementation from FreeBSD; uses mmap(2) to get memory." and it takes less than a minute to get this information from cvsweb.
12. Nice, new attacks, new things to audit and fix. You will find that most off-by-one problems are already fixed in the OpenBSD tree. See for instance the recent and extensive str* and realloc cleanups.
Summary: Both projects have the same aim, make exploitation bugs difficult (PaX claims to stop them all, OpenBSD claims no such thing).
Underlying principles are simple: prevent misuse of memory protections as much as possible, and randomize to make it difficult to use existing code and structures. There were, is and will be papers/publications/discussions and implementations on these subjects and you can not claim to have invented the concept. Or do you?
OpenBSD is the OS so it can protect in layers by fixing and redesigning applications, and even introducing binary incompatibility when necessary. PaX have minimal control over the OS so it has different priorities and design decisions.
Comments
By Anonymous Coward () on
And if you grab the newest version of the source of malloc.c, you can see several uses of sbrk and brk. This also takes less than a minute, less than it took for you to falsely back up Theo and tedu. Theo is wrong. He says brk is not used, and it is clear that it is being used.
pf->end = (char *)pf->page + malloc_cache;
pf->size = malloc_cache;
brk(pf->end);
malloc_brk = pf->end;
index = ptr2index(pf->end);
result = (caddr_t)pageround((u_long)sbrk(0));
pages SIZE_T_MAX - (size_t)result) {
#ifdef MALLOC_EXTRA_SANITY
wrtwarning("(ES): overflow in map_pages failsn");
#endif /* MALLOC_EXTRA_SANITY */
errno = ENOMEM;
return (NULL);
}
tail = result + pages;
if (brk(tail) == (char *)-1) {
#ifdef MALLOC_EXTRA_SANITY
wrtwarning("(ES): map_pages failsn");
#endif /* MALLOC_EXTRA_SANITY */
return (NULL);
}
Comments
By Can Erkin Acar () on
uh! sorry, i was wrong. That is what you get for a minute of research. I have no other data to support or falsify Theo. You will have to ask him instead what he meant.
Comments
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
-------------------------------------------------
> > our trick which we are experimenting with is to put a 1GB gap between
> > text & data into each elf executable and .so
> >
> > this results in greater fragmentation
>
> what would be the new segment layout? something like: CS: 0-1 GB,
> DS/SS: 0-2 GB (or whatever the upper limit of userland is)?
CS: 0 -> wherever the line needs to be
DS/SS: 0 -> 3.25GB
The line floats. Our pmap keeps track of the highest page that has
PROT_EXEC permission, and puts the line just above it.
Since we will have a 1GB gap, the code segments of each .so will be
placed down below. The data will be offset 1GB higher.
Memory fragments, but our malloc uses mmap, and therefore will use
the gaps.
-------------------------------------------------
and the last sentence is what piqued my interest, so i asked and got this (you saw the latter part of it already):
-------------------------------------------------
> > Memory fragments, but our malloc uses mmap, and therefore will use
> > the gaps.
>
> how is the brk() managed heap mapped/handled/used in OpenBSD? would
> malloc() not use it for 'small' allocations (like it does in linux)?
brk is not used.
-------------------------------------------------
Comments
By Can Erkin Acar () on
Comments
By Anonymous Coward () on
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
Comments
By Can Erkin Acar () on
The problem with malloc, as described in the discussion with theo you have posted, is that it is using brk, thus wasting space with W^X. Solution is to make it use mmap which is what tedu is working on right now. Yes, they would probably have made this change regardless of your comments on brk, but thanks anyway.
Comments
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
http://marc.theaimsgroup.com/?l=openbsd-misc&m=105060862625412&w=2
the other issue i had raised in passing is a true violation in OpenBSD (and as you will see, in the other BSDs as well). first, the relevant info from POSIX/SUSv3:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=105060560321916&w=2
if you compare it to the code i pasted earlier in the thread, it's obvious that OpenBSD does NOT follow this part because it checks for PROT_READ only but not PROT_EXEC:
--------------------------------------------------
EACCES
- fd was not open for read and PROT_READ or PROT_EXEC were specified.
--------------------------------------------------
again, it's not only me saying it (beyond being obvious to any programmer who understands C), but miod agreed as well (quote from a private mail i sent to him afterwards as i saw no point in beating this drum on misc@):
--------------------------------------------------
> > EACCES
> > - fd was not open for read and PROT_READ or PROT_EXEC were specified.
> > - fd was not open for write and PROT_WRITE was specified for a
> > MAP_SHARED type mapping.
> >
> > This is what SunOS
> No, OpenBSD does not, you don't check for PROT_EXEC, see my code
> snippet i posted on your list.
Indeed. None of the *BSD systems currently checks for PROT_EXEC in this
case.
Miod
--------------------------------------------------
as for the malloc()/brk() vs. W^X problem, i don't see why the need for the mmap() based approach. back in the first version it was indeed the only way because the highest executable mappings were those of the libraries so the brk() region would necessarily fall below that, but in the current version (as far as i checked, feel free to correct me if i'm missing something) the executable is mapped highest up in the address space, that is, libraries are all below it and after the r-x segment of the executable all you have is non-executable data mappings (file or anon), so you could simply set the CS limit just after the main executable's r-x segment and still keep using a now non-executable brk().
By Anonymous Coward () on
By gwyllion () on
Thanks for you long argumented comments.
As for 3+6+12 (tedu's malloc guard pages imitating Electric Fence), have you read http://www.zeitbombe.org/openbsd.html ? It clearly states that this feature is similar to Electric Fence and very usefull as a debugging mechanism (recently a number of bugs were discovered with it):
Guard pages and free page protection in malloc(). Again, add an unmapped page (technically, mapped with protection PROT_NONE) after each page size or greater allocation (including after each page of chunks). Also includes an option to mprotect all free pages, so that use after free results in a crash. Basically, attempts to provide some features of electric fence in the system malloc without impacting performance too badly. Running with this patch has allowed developers to catch numerous bugs that went undetected before.
If I look at the implementation ( http://www.zeitbombe.org/malloc_guard.diff ), it's implemented as an extra malloc option (like "Junk", etc.). So I guess it will not be used by default and mostly used as a debugging tool.
Comments
By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com
By tedu () on
the malloc guard stuff only works for after each page. smaller allocations are not as protected.
why still random with guard pages? why not? also, attacks are becoming more sophisticated. we are trying to reduce the amount of information an attacker knows. if you don't know where the library is, if you don't know where the buffer is, if you don't know where your target to overwrite is, things become more difficult. with only the ASLR you have (and not the X bit stuff) the sshd exploit from last summer would still have been effective i believe. more tries likely, but not impossible for a dedicated attacker. with guard pages, it would be impossible. with randomized allocations, it would have been much harder than simply with random base. name of the game is defence in depth.
at the moment, the heap is not randomized. we will not simply push it around, as PaX has done. 1. that would be copying. :) 2. we think we have a better, more complete solution.
"PaX provides no protection against data modification" or so.
we are trying to do this. the idea is similar to electric fence, but with a different target (security vs debugging), and additionally designed so that it can be run all the time with minimal impact. can it be done, and at what cost? wait and see.
cost of vma doubling vs. ld.so.
i don't have a good way of estimating how much effort went into developing each approach. once you get past the initial recompile though, imo ld.so is less intrusive. it certainly permits more complete utilization of the address space.
at this time malloc uses brk for most memory. more than one mmap implementation already exists, but not comitted.
Comments
By Anonymous Coward () on
I'm sure you don't go around telling everyone that simply pointing their exploit into the binary image instead of the things you have randomized will bypass all the work you've done. In fact, I know you don't, and I know it will never be mentioned on the openbsd mailing list or anywhere else by openbsd developers. I don't see how you can even make a comparison between your randomization and full ASLR.
How about solving real problems instead of adding more useless randomization features?
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
some of them yes, but in general you need much more than that. since you have never stated your threat model, i'll assume here what i used in PaX: bugs that give arbitrary read/write access to the address space (everything else is a subset of this). let's concentrate on the write part here only, such an ability means that guard pages, your non-linear mappings mean nothing, they will be bypassed. where your proposed methods are effective is when you have a so-called linear buffer overrun error (the classical strcpy() and others), there are other classes of bugs that need not care about buffer boundaries.
Comments
By tedu () on
certainly.
i didn't say it was effective against all errors. guard pages are a defense against one particular attack type. they are also really handy for debugging. we can protect against an overrun, therefore we will. you appear to have simply chosen to disregard this form of attack (for now).
i don't think your argument is "you can't protect against everything, so don't bother with anything" but that's what it sounds like. if this isn't effective against one form of attack, then we develop something else. but "it's not 100%" is no reason not to develop such solutions as we can.
"bugs that give arbitrary read/write access to the address space"
nothing i see in PaX definitely prevents exploitation either. you prevent arbitrary code execution, but not read/write.
Comments
By Anonymous Coward () on
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
it's not the correct way to put it. what i decided to do in PaX (does anyone read the docs...?) was to prevent *exploit techniques* from working (this is what i normally refer to by 'attack'), not *triggering the bug in the first place*. your guard pages (as a subset of runtime bounds checking) belong to the latter category, W^X and randomization to the former. in any case, if you read the future plans for PaX, you'll realize that there will be attempts at solving the more fundamental problem.
2. "i don't think your argument is "you can't protect against everything, so don't bother with anything" but that's what it sounds like."
better put, my argument is that why waste resources on solving a subset of the bigger problem when you can solve the bigger problem itself with the same/better efficiency? in this case (preventing a bug from getting triggered) the bigger problem can be solved by doing full runtime bounds checking - question is how you can do it (much) more efficiently than existing solutions. we'll see if i manage to do it ;-).
another way to put my argument is that why solve the problem up to 90% instead of 100% and not be able to give guarantees about the protection? you'll probably ask why guarantees matter so much: whenever a new bug gets discovered, i will still sleep better because i will know it won't be exploitable whereas in your approach you may or may not be exploitable, but you don't *know* until you actually look at the bug, analyze it and decide whether it's exploitable under the given circumstances or not. sure, it may very well be possible that 99% of these bugs turn out to be non-exploitable in your system as well, but it's the 1% that gets you owned and i'd rather not let that slip by, especially since it is possible to prevent it.
3. "nothing i see in PaX definitely prevents exploitation either. you prevent arbitrary code execution, but not read/write."
correct, that's why the project is not over yet ;-), but nevertheless, this is the goal (it's nice to have one, isn't it). interestingly enough, combining the current techniques with a simple ACL system does already provide a certain level of protection in the face of arbitrary read/write access as well, something you cannot claim for OpenBSD (for now at least).
By Anonymous Coward () on
Exactly when did the game become defence in depth for OpenBSD?
Do I really need to refer you to OpenBSD developers making comments against such work? Preaching on the auditing of code?
"False sense of security" (Marc Espie)
"but it's just not a priority for any of the developers." (Dug Song)
When did features like non-exec stack become real security features, and a priority for the developers? After all of you got owned. Dug Song got owned, OpenBSD got owned, and your pro-active auditing did exactly 0. These features being added now are pure retro-active actions taken to protect yourself from further embarrassments from mistakes you have in your code, so it's not exactly your code auditing process, that uncovered "thousands of bugs" that's making your OS pseudo-secure, but the features you add now, all the randomization hype and the stuff you copy from PaX, that you rely upon for security.
OpenBSD may look a secure OS alternative for a new user, but for a bystander who's been with OpenBSD for years (since 1997-8?) you just look sad. Provide your userbase with information as to why now non-exec stack, W^X, and all the other "cool stuff" you add every once in a while is important and in 1999-2001 it wasn't. It's those half words and almost "e-stuttering" that Theo does that makes -- at least me -- look less and less of OpenBSD with time.
By Anonymous Coward () on
More proof that these recently added security features to OpenBSD are just to save your own ass from losing your so-called reputation. Code auditing isn't very useful when you have no clue what you're looking for huh? :)
Go back to lurking on NetBSD mailing lists, Ted. I hear David Laight has some new shit running. ;)
Comments
By djm () on
Comments
By Anonymous Coward () on
Even though the message is from four years ago, the reason it was posted was that the OpenBSD policy, back then, was that code auditing is the solution to all problems. Do you mind telling us what changed your mind, especially during 2002-2003, that these band-aid solutions are necessary in an pro-actively secure OS like OpenBSD?
My guess: Your auditing process proved useful, but not useful enough, and all the solutions that you used to call workarounds protected against stuff your code auditing process never could.
If that's not the reason, please tell us otherwise. And if that's the reason, how can you explain all the bad things you've said about what goes into your kernel these days? :)
Comments
By djm () on
Personally, I have always liked the idea of kernel-side protection systems so there was no changing of my mind involved. I'm sure the other developers have other stories. Why don't you ask the ones who committed the changes?
I don't think that these techniques diminish the importance of auditing. Not every bug is a stack overflow - many are simple logic errors or inappropriate trust placed on attacker supplied data. Fancy memory protection mechanisms do little to prevent these classes of bug. (I know from recent, bitter experience)
Also, what to what do you refer when you say "the bad things you've said about what goes into your kernel these days"? I don't recall saying anything either way.
Comments
By Anonymous Hero () on
A further topic is, naturally, security. Theo points out that an absolutely secure system would imply a bugfree system and thus is not possible, and briefly explains ProPolice and W^X. A small followup article focusses on the basics of ProPolice and W^X.
http://www.openbsd.org/press.html june 2003
me looking forward to the real openness of projects like OpenBSD. How are things decided? Consensus?
Comments
By Anonymous Hero () on
By Michael () on
Thanks for your contribution. Sorry that a flamefest ensued.
--Michael
By scbontra () on
I don't care if PaX had idea(x) 3.74 seconds before OpenBSD did. The fact remains that OpenBSD did independant development, unless PaX has a patent on the process or there is copyright violation going on, I don't care who thought the thought first. As pretty much everyone agrees (except maybe SCO's lawyers) the developement was seperate and there isn't a copyright violation.
Neither the GNU or BSD license requires you to give credit for the IDEA, only the implementation. If the implementation was done seperately there is no legal basis to demand anyone give anyone else credit.
Personally, I tend to buy the disperate-origions/ same-conclusion argument. Smart people (which most of us here are, save a few of the obvious trolls) tend to have good ideas. Good ideas all tend to be in the same direction. It's quite possible that all these good ideas happened around the same time. Maybe it's something in the water.
But, in the end, it's all about me. I decide what I want to use and why. OpenBSD or PaX can both have great ideas and great implementations but if neither meet my needs I won't use it. If I --NEED-- a feature in PaX I'll go build myself a Linux system and load PaX up. If OpenBSD continues to provide a consistantly good security record (a few misses here and there is still far better than anything else out there) then I'm going to continue using it and GNU/Linux/PaX won't get my $$$.
The unstated goal of the BSD camp is to make all software BETTER. The clearly stated goal of the GNU camp is to make all software FREE. I for one see these two goals pretty much in line with each other. Asking for credit for an IDEA is pretty anti-GNU from my vantage, it smells an awfully lot like a patent. If OpenBSD wants to take an IDEA like DNS or SSH or W^X and write a BETTER implementation of it (without violating copyright law/licenses) then why are you complaining? If PaX likes an IDEA in OpenBSD's setup they can take it too.
It's purely academic if PaX or OpenBSD's approaches are technically better. I'd love to read a full breakdown of the two. I'd like it even more, for my own selfish reasons as a user, if the best bits of both were integrated together--which is the general direction of OpenBSD anyways.
Comments
By Anonymous Coward () on
By PaX Team () on mailto:it's all over the place now ;-)
you brought up a lot stuff that's irrelevant in this case, there has never been an issue of GNU vs. BSD, copyright violations, trademarks, patents, what have you, it's merely the lack of information on the OpenBSD development process (it's somewhat ironic how closed it appears to be).
Comments
By djm () on
You ask the OpenBSD team to "open up", but you are asking us to prove a negative - obviously impossible.
If developer conversations were made public, you could always accuse us of hiding things (which can't be provably denied) or doing it by private email. Would you then demand the our private mailboxes too?
There is really no way to exonerate oneself from such an accusation. I'm sure you know this.
Comments
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
what are you talking about?
2. "You ask the OpenBSD team to "open up", but you are asking us to prove a negative - obviously impossible."
wrong, it'd be something like 'grep -ir pax secret_openbsd_developer_archives/'. you said 'us', does it mean you are an OpenBSD developer? if so, can you answer the following questions:
- have you got developer discussions and logs that are not available to the public?
- can you make them public, if not, why not?
3. "If developer conversations were made public, you could always accuse us of hiding things (which can't be provably denied) or doing it by private email. Would you then demand the our private mailboxes too?"
are you looking for excuses? please answer the question of why said development process is not public at all, it's NOT normal that i have to ask for them to begin with (and i'm sure many others would be interested in them too, for different purposes). if you had kept your development all open over the years, there could be no doubt as to their authenticity, but if you are willing to finally make this public (especially if it came from reasonable and honest developers, that doesn't include you or theo), i am willing to give you (the developers) the benefit of doubt - deal?
Comments
By djm () on
I'm quoting you: what you missed in your post is that the core of the problem is not whether OpenBSD invented stuff independently or not, but that we (and you) simply don't know.
See http://www.deadly.org/commentShow.php3?sid=20031009110855&pid=1588
Comments
By Anonymous Coward () on
You are a joke, Damien Miller.
By Anonymous Coward () on
You are a joke, Damien Miller.
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
By djm () on
You ignore what I said: if any of us were to make our communications public (and I don't have the right to release any but my own) - we could easily be accused of hiding things. There is no way to refute this, so why even start down that road?
Anyway, what right do you have to demand access to private conversations? I demand that you post your inbox to the web first. (See how ridiculous a proposition this is?)
What, like the public CVS tree (the first among free software projects IIRC), the source-changes@ mailing list or the public bug tracker? That is a pretty public development process. Anything more is reserved for people who contribute patches rather than accusations.
I won't waste any more time arguing with you BTW. I wasn't involved with the development of any of the memory protection tricks (they were done by smarter people than I), but it frustrates me to see honest, dilligent developers, who donate their time and work under the most liberal of licenses accused of plagarism. Your carping accusations damage yourself and your project. This is a much bigger shame than you seem to realise.
Comments
By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu
nice try but you failed to read when i said that i would give you the benefit of doubt were the honest among you make these public. second, you put yourself into this situation by having kept said development process private, it's *your* decision and problem. third, i was not asking for *private* emails, where did i say that? once more, don't put words into my mouth i have not said. on the other hand you *still* didn't answer the question:
are there non-public (secret) discussion lists/etc in your development or not?
since you have a tendency of misreading things, i will spell it out more clearly: i'm referring to mailing lists, newsgroups, icb/irc channels and the like which can/could be made public, i did *not* ask about private mails (although i'd certainly appreciate them as well if they contain interesting info and the parties involved agree to their publishing).
2. "What, like the public CVS tree (the first among free software projects IIRC), the source-changes@ mailing list or the public bug tracker? That is a pretty public development process."
these are the public records of the source code changes, they are *not* the public records of your development process which involves a few more steps before it gets to committing code, among others discussions about the design, cost/benefit of solutions, etc (need i really point you to the apparent differences between lkml and tech@ for example?). i thought you had known that much and had figured that's what i was interested in. and before it begins to sound too personal, it's not only me who is interested in knowing what goes on 'behind the scenes' (how can a supposedly 'open' project keep these important discussions private anyway?) but many others including your own users (i wish more of them spoke up every now and then).
3. "Anything more is reserved for people who contribute patches rather than accusations."
can i take that as the official opinion of the OpenBSD project? if so, you guys can blame only yourselves if people have to substitute hard facts with their speculation (or more, as the case may be). it's your choice to be open or not, bear with the consquences of your decision then.
4. "but it frustrates me to see honest, dilligent developers, who donate their time and work under the most liberal of licenses accused of plagarism. Your carping accusations damage yourself and your project. This is a much bigger shame than you seem to realise."
if you read just this thread (or earlier bugtraq/misc@ ones) you will see how 'honest' some of these developers are/were - were you in my position, i bet you'd be less keen on trusting such guys on their word either, i at least decided not to. it's interesting that you talk about damage but misplace it on the wrong project and people - you yourself point out that my sole 'accusation' is my desire to know what really happened, that's hardly damaging to me, but your utter silence/ignorance has already put you into a very tricky situation.
ps: public domain is more liberal but let's not digress ;-)
ps2: the number sqrt(2) can be shown to be irrational, that's a negative proof (there's no p/q that equals to it)
Comments
By djm () on
1. I speak only for myself
2. A negative proof is not the same thing as trying to prove a negative. (I prefer the negative proof that there are an infinite number of primes, myself)
Comments
By Anonymous Coward () on
Comments
By djm () on
Anyway, are you willing to open your mailbox to inspection by random people? Judging by the fact that you refuse to identify yourself when making accusations, I'd guess not.
Comments
By Anonymous Coward () on
I don't need to open my mailbox to random people, since I have nothing to prove. OpenBSD does.
Comments
By Wim Vandeputte () wim@kd85.com on http://kd85.com/
Comments
By Anonymous Coward () on
By henning () henning@ on mailto:henning@
lots of matches for the userland utility pax(1).
first match for your PaX is in 2003 with the first mails from PaX advocates to public mailing lists.
By Anonymous Coward () on
Comments
By Ulysses () on
By Can Erkin Acar () on
And apparently logic is not your gift. Here is a scenario none of the PaX team has considered:
Assume you have a finite number of documents, collected from the 'secret archives (tm)' you ran grep and weed out the false positives. To find only the discussion about the recent flamewars and such, and no previous discussion or mention of PaX.
Now what?
1. you start demending more searches for other strings such as 'random' 'no exec' 'stack' and other nonsense trying to prove your point.
2. You conclude that there must be more 'secret documents' hidden from you and demand developers inboxes, hard drives, CD-ROM archives, MP3 players, encryption keys for any encrypted content etc.
3. repeat ad infinitum ...
And we were glad we got rid of DARPA.
Please, there is a point where such demands turn into harassment. You have already judged people you barely know to be dishonest (including djm, which you proclaimed dishonest immediately after learning that he is a developer) and this is starting to turn ugly.
And by the way, please send me the contents of your harddisk. I have some strings to grep for. Yes, this is a legitimate demand, does the PaX team not have an open development process?
Comments
By Anonymous Coward () on
Also, shut the fuck up.
Thank you.
Comments
By Can Erkin Acar () on
You are not in a position to actually demand anything. OpenBSD developers are not accountable to you. You have already asked, and got your answers.
It is simply not possible to prove what you are asking, even if the privacy of the individual OpenBSD developers are violated extensively.
Accept it and go home, do something constructive for a change. Develop PaX, to make it even better. Do some research, compare PaX and W^X and publish your results so that everyone can benefit. Discuss the differences and implementations without resotring to accusations and flamewars.
And if these publications or discussions result in an improvement in W^X or PaX, be glad that the overall security of the internet is improved.
Thank you.
Comments
By Anonymous Coward () on
Apparently Theo cares about the judgements of the PaX team, otherwise he wouldn't be going to Japan to make an ass of himself in front of everyone.
Hooray for Theo! He's done more to discredit his own project than anything I could ever do.
Comments
By Can Erkin Acar () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
By Anonymous Coward () on
------------------------
if that makes you happy, I did the grep.
lots of matches for the userland utility pax(1).
first match for your PaX is in 2003 with the first mails from PaX advocates to public mailing lists.
------------------------
now, he has done what you asked, so if you continue to troll, thats your choice.
By krh () on
Well, I happen to be a mathematician, the term `negative proof' is ambiguous, and I have free time. So:
`Proving a negative' is not a very well-defined term in formal logic, because statements don't necessarily have well-defined positive or negative orientations. Nevertheless there is a method called proof by contradiction which lets you prove the irrationality of sqrt(2) and the infinitude of the primes. Proof by contradiction works like this: I am given as a true fact some true statements, called axioms, and the knowledge that some proposition P is true (P might be an axiom, but it mught also be a true statement derivable from the axioms). I would like to prove that proposition Q is true. If Q is not true, then by the law of the excluded middle, it is false. So I will assume for the moment that Q is false, and using that assumption I will show that P is also false. But I know that P is true, and by the assumption of consistency, P cannot be both true and false. So I have reached an impossibility: A system where no proposition can be both true and false, but P is both true and false. Therefore one of my assumptions is wrong. This is either one of my axioms or my assumption that Q was false. Therefore one of these is wrong. Thus if I continue to assume the same axioms I started with, Q must be true.
When most people talk about proving negatives, this is not what they mean. What they mean has to do with constructively proving statements of non-existence. `Constructively' means that you have shown the existence of the object you are considering (your object here can be geometric, arithmetic, logical, etc., just so long as you have produced an example of it). In a philosophical sense, it involves no tricks; you know that the things you have proved to exist do exist because you found them. This is where the name of this philosophy, `constructivism', comes from: You construct things.
Here you run into a very hard problem: If something doesn't exist, how do I construct its non-existence?
I don't happen to be a logician, and I'm not much interested in constructivism, so I don't happen to know how constructivists deal with non-existence, or even if they can. At the least it looks to me like a very difficult problem unless the set of all possibilities is finite (which you need to show constructively, of course). And this is why you can't prove a negative in the everyday sense: In that sense of the phrase, it means to constructively show non-existence. If the set of all possibilities is infinite, or effectively infinite, and you have to search through every single one to show that something doesn't exist, you lose.
Having said that, let me give a non-constructive proof that is not by contradiction. I will show that there is a real number r such that r^(sqrt(2)) is a rational number.
If sqrt(2)^sqrt(2) is a rational number, we're done. Otherwise (sqrt(2)^sqrt(2))^sqrt(2) = sqrt(2)^(sqrt(2)*sqrt(2)) = sqrt(2)^2 = 2 is rational.
This proof is not by contradiction, but it doesn't construct the number r that we're looking for. r is either sqrt(2) or sqrt(2)^sqrt(2), but we don't know which, so the proof is not constructive.
Comments
By Anonymous Coward () on
BTW, your proofing techniques are like that of a beginner. Are you a mathematician of high school?
Comments
By krh () on
No, I am not "a mathematician of high school". I happen to be a mathematician of graduate school, i.e., I am a graduate student, and, as anyone with any experience would have noticed, not a beginner. I suspect that your "proofing techniques" are much less advanced than mine.
May I suggest that you read Walter Rudin's _Principles of Mathematical Analysis_? It was the first advanced math book I ever read, some six years ago, and I admire it very much for its clear exposition (though it is occasionally a little unmotivated, and the differential forms chapter is no good). Also, I suggest that you find a copy of the second edition, probably in a math library somewhere, and read its first chapter before proceeding to the first chapter of the third edition. In the first chapter of the third edition he relegates the construction of the real numbers to an appendix since he found that it was too difficult for many people taking an introductory course in real analysis. I didn't have that sort of difficulty, and I think that the construction of the real numbers is so important for such a course that it should be the first topic covered, just as he has it in the second edition.
If you're not much of an analyst, you could always try Hungerford's _Algebra_, which has always been my favorite abstract algebra textbook. It is a graduate textbook, but it is self-contained, and its succint exposition let me use it very productively as an undergraduate. However I should warn you that it's a bit dense. This might make it a perfect match for you, however, so you'll have to try it yourself.
Good luck. Maybe someday, if you ever make it to graduate school, I'll be your advisor.
Comments
By Anonymous Coward () on
Maybe someday, you'll have some friends that give a fuck about everything you've just said. I got bored after reading the first few sentences and stopped.
Comments
By SH () on
By krh () on
And as long as I'm baiting you, I should mention that you're going about this in entirely the wrong way. Correct me if I'm wrong here, but you're trying to make people mad by posting anonymously in a public forum, yes? But it's not really working, you see, because there's just not enough people here to really get pissed off. You need to go for the gold: Slashdot. I'm serious. You can't claim to be a real troll until you've started a month-long, ten thousand post flamewar on Slashdot. Until you can do that, I just can't give you any respect. I mean, it used to be that you could claim to be a good troll if you could get a few groups on Usenet to broil each other--heck, that's how a lot of people got started--but Usenet's like that all the time now, so it's not like you could claim to be doing anything disruptive.
So until you can troll Slashdot and troll it well, you won't have the skillz to make me do anything but laugh.
HTH, HAND.
By Anonymous Coward () on
By Anonymous Coward () on
I hate to break it to ya, your not likely going to find one.
By Anonymous Coward () on
Read that hilarious thread and then think that Theo claims to have developed the entire idea of W^X shortly after. One day it's really really hard, and the next he's magically solved every problem by himself? That's pretty incredible stuff, folks!
Comments
By Joris () on
"We've just never written code to protect the stack, because that's really difficult"
difficult != impossible so whats wrong with finding the answer the next day or the next week? Some people learn every day so stop whining.