OpenBSD Journal

Propolice kernel

Contributed by jose on from the thorough-security dept.

Michael Knudsen writes: "Look what tedu@ committed:

From: Ted Unangst

To: source-changes@cvs.openbsd.org
Date: Tue, 13 May 2003 00:11:11 -0600 (MDT)
Subject: CVS: cvs.openbsd.org: src
  
CVSROOT:        /cvs
Module name:    src
Changes by:     tedu@cvs.openbsd.org    2003/05/13 00:11:11
  
Modified files:
        sys/kern       : init_main.c kern_xxx.c
  
Log message:
support for propolice in the kernel.
some style input itojun@ tdeval@ toby@
tested, mostly by deraadt, on i386, macppc, vax, sparc64 
ok deraadt@ miod@

(http://marc.theaimsgroup.com/?l=openbsd-cvs&m=105280618319807&w=2)

In another commit (http://marc.theaimsgroup.com/?l=openbsd-cvs&m=105280627319896&w=2) -fno-stack-protector is being removed from the compile flags.

Nice." Way to go, Ted!

Comments
  1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

    Has anyone benchmarked OpenBSD with and without propolice?
    For general usage, OpenBSD has never been very fast compared to Linux or FreeBSD, and I'm a bit frightened about the addition of something that can only make the kernel go slower :(

    Comments
    1. By janus () janus...errornet...de on mailto:janus...errornet...de

      If you compare the (eventual) slowdown to the improved security, I think you _want_ it.
      Sure, a fast system is nice, but only if that doesn't mean that it's fast to exploit ;)

      Comments
      1. By KryptoBSD () kryptobsd@uncompiled.com on http://www.uncompiled.com

        At no point should a slowdown in server speed be a good ideal of security implementation. We cannot allow ourselves to be OK with sacrificing what we pay for, for what we are SCARED of. If you NEED propolice, then you NEED to learn about security. Cryptography is not the cure-all for security, and neither is propolice. To believe either is will lead you to believe that when your box is exploited in such a way to circumvent both that it must have been an act of God.

        I too have noticed a slow system compared to FreeBSD (I ran Open from 3.0-3.2 on it ; I ran Free from 4.6-4.8).

        I have no issues with my server security. Not because I am using 'ProPolice' to ensure my safety, but because I am confident in diligence with my updates and I believe if I am exploited, it will be because of diligence and not reliance on one magic shield of security.

        Comments
        1. By Anonymous Coward () on

          Different administrators have different priorities. No need to preach.

          Comments
          1. By KryptoBSD () kryptobsd@uncompiled.com on http://www.uncompiled.com

            Well I appreciate your short and vague response 'Anonymous Coward', but what you don't realize is that if the administrator is to take a performance drop for less work on his part to do his job, that is an unacceptable action.

            Maybe YOU don't wish to do true administration instead of letting your slowed system work and work to do what would not be needed if you were to handle your business.

            This does not hold true for sysadmins who know their craft and wish to use tools at their hand which are proactive and helpful, not destructive and talentless.

            Comments
            1. By Anonymous Coward () on

              That's horribly inaccurate. It's always acceptable for a computer to work harder so that a person has less work to do - that's what they're here for! "True administration" is not masochistically doing useless work; the ideal state of a true sysadmin is drinking pop and playing atc while his computers take care of themselves. Anything that takes us closer to that state is an improvement.

              In a real production environment, you test before you deploy. For a long, long time. If you can test and deploy a new kernel once, and the result is six new vulnerabilities marked "OpenBSD is not vulnerable" that you can take your time patching - or even a handful of boxes that don't get nailed by the latest 0day and have to be reinstalled - you're clearly ahead.

              I'll think of you doing your "true administration" next time I spend an extra half hour coding, helping a user, or spinning in my chair because propolice bought me a little slack.

              Comments
              1. By zil0g () on

                Let's not bitch about this until we've seen the numbers.

                In any case, good job Ted!

              2. By KryptoBSD () kryptobsd@uncompiled.com on http://www.uncompiled.com

                Yes, once again thank you Anonymous Coward. Anyways, I am sure at your job where you think you are administrating systems by running an OS that claims to be secure by default that makes you intelligent. You and your silly comments about chair spinning and drinking pop only reiterate my assumption that you are probably nothing more than a 15 year old child who was told his network wouldn't be able to get hacked.

                If you don't have anything constructive to say to my responses, please, do not bother responding and making me read your dribble of insight into administration of 3 computers. With those opinions, you do not work for any companies, nor probably have. If you do, I feel sorry for your employers. Maybe next time you will listen rather than pass along inane comments. It would be nice if these story comments stayed a little more like NANOG and a little less Slashdot.

                Comments
                1. By Anonymous Coward () on

                  laugh.

                2. By Anonymous Coward () on

                  It's a bit of a cheap argument, but surprise surprise... uncompiled.com is a site full of Linux stuff. You know what that usually means.

                  Comments
                  1. By KryptoBSD () kryptobsd@uncompiled.com on http://www.uncompiled.com

                    OK, this is just stupid. Would you and anyone else who thinks I'm PRO LINUX or PRO ANYTHING, please, please... LOOK AT MY NAME.. krypto BSD

                    Also, take a look at the security sites on DEADLY.ORG, the website you are talking through. I AM THERE.

                    I am not PRO LINUX or PRO BSD, I have the name KryptoBSD for the fact that I have run BSD for many many years, and it sounds a lot better than KryptoOPENSOURCE or KryptoLINUX -- take your stupid comments to another thread, I'd actually like involved comments from people who don't use 'Anonymous Coward' and say nothing constructive.

                    Comments
                    1. By Bill () thatsallyouneedtoknow@sincetherewillbeanIPaddyatta on mailto:thatsallyouneedtoknow@sincetherewillbeanIPaddyatta

                      Since ProPolice adds another layer of security it is up to the site admin and management to determine if the benefits outweigh the performance costs. If management decides it's worth it and wants it, ProPolice goes in. Period.

                      To outright dismiss this feature is arrogant. *Your* job as an admin is to advise management and let them make decisions on where they wish to stand on security just as much as it is your job to maintain the systems. You are more than welcome to not recommend using this feature.

                      To claim that people will use this feature and give up on doing "real" admining to maintain a server is also arrogant. You make too many assumptions about the possibility of how a vulnerability is going to manifest. A company's systems may be attacked before a patch is available or before an advisory has been issued. If adding ProPolice defends against such an attack then it has already "paid" for itself. An ounce of prevention is worth a pound of cure. It's your job to determine if the cost of implementing ProPolice in this fashion is really costing you an ounce.

                      You have a fine site and I have to defer that you have more knowledge on some things than I do. But you are simply wrong in your assertion that taking *any* performance hit to implement ProPolice is unreasonable and/or implies a lack of due care on the part of the admin who implements it.

                      Comments
                      1. By KryptoBSD () KryptoBSD@uncompiled.com on http://www.uncompiled.com

                        First off, I appreciate your constructive comments about this subject, the first one I've had yet.

                        "An ounce of prevention is worth a pound of cure", that is a great quote and I agree with it.

                        My point is that administration should not take the degradation of a system. Too many people take for granted tools to prevent seamlessly, but that require effort, insight, and reading the manual. ProPolice ideals aren't bad, and why would they be. They should however be run in such a way as to not hinder the system. We cannot allow mainstream systems to become slower, it's counterproductive. We need to strive for software, kernel patches, and the like to improve speed and improve security.

                        Maybe some people, including you, believe that it is fine to do that, it's your choice. But why accept it? Why not try for better?

                        This wasn't a full comment ONLY about propolice, this was a perspective comment about security in general. I don't think that data even has shown propolice hinders, I was making the statement with the idea that it did as the base for topic, otherwise I would be offtopic.

                        Anyone can defend a tool that talks a good game, it's a lot harder to defend reasons why you shouldn't take it for the talk, make it prove that it's worthy on a plethora of levels. Administration shouldn't be about security BY ANY MEANS NECESSARY. It should include the idea that constructive security coupled with constructive and productive administration will lead in a manner more beneficial.

                        Best Regards,

                        Mark
                        Comments
                        1. By Anonymous Coward () on

                          Administration shouldn't be about security BY ANY MEANS NECESSARY.

                          I've taken care of military, stock exchange systems and other financial sector systems. The administrative focus depends on the role and importance of the systems.

                          Will you just stop now?

                          Sometimes security matters above all else.

                          Comments
                          1. By Anonymous Coward () on

                            Amen.

                          2. By KryptoBSD () KryptoBSD@uncompiled.com on http://www.uncompiled.com

                            I'm sorry, I didn't know you thought you were the only person who ever worked for the military or with key aspects of the economy.

                            Creativity is what keeps the security industry an industry. You can be as tired and lifeless as you want with your jobs, that's fine. Not everyone is a drone with prepackaged security and cut-throat, thoughtless security. I could firewall all the networks I admin from everything, but I don't.

                            Please, don't bother asking me to 'stop', that's horribly disrespectful and I would support you in believing you aren't the almighty poster ;)

                            This is a public forum for comments about the topic, you and your other friend up there seem to forget what this thread is about, and would rather try to make rude comments. Don't bother, people like Bill (the non-anonymous coward) still have things that are important to say.

                            I bet Jose is getting a kick out of this flaming you and your one word comment friend enjoy. Go back to trolling on slashdot.

                            Comments
                            1. By Anonymous Coward () on

                              Mark,

                              If systems are not pegged at 100% CPU occupancy, then adding some extra instructions which do consistency checking for the good of current and future security can only be a good thing.

                              ProPolice will help coders find and fix current and future problems and also help admins with future unknown problems (they might just get a warning message pointing to something that needs to be fixed, as opposed to getting rooted).

                              It is merely an added layer of security and please consider, as far as CPUs go, you can buy some pretty massive firepower nowadays for next to nothing.

                              What's more, the usage of ProPolice does not imply that people should suddenly just stop doing their jobs!

                              It is an impressive new security tool.

                              Comments
                              1. By KryptoBSD () kryptobsd@uncompiled.com on http://www.uncompiled.com

                                Anonymous,

                                "What's more, the usage of ProPolice does not imply that people should suddenly just stop doing their jobs!"

                                Problem is, people do think that. I have met shell company admin, web hosting admin, ISP admin -- on and on, who say 'well with OpenBSD, I can't get rooted, just look at their website, one remote root exploit -- and look, ProPolice, I have no worries'

                                I don't mind advances in kernel security, I do however mind wasteful excess.

                                You do not need ProPolice to have a secure system, therefore using it to protect is merely waste on a system (if it does indeed run heavy). It doesn't mean it shouldn't be implemented on systems to secure them, I am just not a fan of hyped magic security bullets to bring down the risks of the world in one swoop.

                                I would use ProPolice, or whatever new implementation of security there is, if first, it is proven that the system won't start degrading.

                                As for running CPUs at 100%, I won't even start why that is a bad ideal, maybe I should use all of my memory and 200mb of swap while I'm at it. I should just go get windows.

                                -Mark

                                Comments
                                1. By Anonymous Coward () on

                                  Problem is, people do think that.

                                  And that problem sits completely and absolutely... between the ears of those admins. That is a problem that's between the chair and the keyboard and has absolutely nothing at all to do with OpenBSD or the people who continue to steer OpenBSD into logical directions in the pursuit of higher excellence in security.

                                  There have always been morons who deploy OpenBSD and then ignore it, coming to the lists days, weeks or months after a known exploit and say something to the effect of "I'm running 3.1 and I'm getting this... error, have I been hacked?! PS please mail me direct as I'm not subscribed". There's not much Theo can do about these lame arse morons, but one thing is for certain, the people who use OpenBSD wisely should not be punished because of them.

                                  It's a tool, it's a tool, it's a tool. Use it how you will and reap what you sow. But OpenBSD certainly should not be moulded or stunted in any way by stupid or lazy people. It's made by smart, proactive people, for smart, proactive people. To hell with the morons who are doing quite well being morons on their own.

                                  I do however mind wasteful excess.

                                  So don't use ProPolice or don't use OpenBSD at all for that matter. Whether it is "wasteful excess" is most likely going to be a subjective matter. My guess is that the slowdown would probably be negligible anyway. Plenty of OSes catch processes which die, including the kernel, and manage to dump an error report or the process memory, so why wouldn't ProPolice be able to do its job with minimal impact on system performance? I bet this is all going to be largely hype.

                                  I fail to see how this is anything but a major positive turning point in OpenBSD (and even open source) security, since people will come to the lists with error reports which almost pinpoint holes which can quickly be eliminated.

                                  I view the changes to OpenBSD lately, as something people will look back on in computing history as a major milestone in UNIX security.

                                  People will use OpenBSD "the wrong way" with or without ProPolice, they do the same with firearms, vehicles and drugs. The failings there, are uninspirational individual humans and not those who design effective systems.

                                  As for running CPUs at 100%, I won't even start why that is a bad ideal

                                  What is it with you and ideals? I never said that having a CPU run at 100% was a good ideal. It's neither good or bad in a generic sense, since different tasks should warrant different ideals. If you do 3D modelling and rendering, then chances are that you are a victim of your CPU being pegged at either 100% or very low % at various times throughout your sessions depending on what you're doing at any given time, no matter how fast a CPU you purchase. Buy a CPU that is twice as fast and you'll soon be turning up the polygon count, resolution, recursion depth, etc because you can. Run a database and you might be pouring more money into memory, fast disk systems and perhaps half decent CPU too. Run a server and you might prefer fast disks, gigabit ethernet and a gigabit port at the least on your fast ethernet switch, yet be happy with a P3-500. Your firewall might be just a Pentium 100 with 32MB RAM since your WAN interface bottlenecks at 10Mbit/S, yet it barely peaks 30% when the WAN interface is fully saturated with small packets.

                                  ProPolice is an option. Please try not to be offended by that.

                                  Comments
                                  1. By KryptoBSD () KryptoBSD@uncompiled.com on http://www.uncompiled.com

                                    "I view the changes to OpenBSD lately, as something people will look back on in computing history as a major milestone in UNIX security."

                                    Not in this world, maybe on your OpenBSD advocacy planet. Be realistic, ProPolice isn't exactly that revolutionary, it's evolutionary.... protecting the system better. I would say 'about time'. GRsecurity on Linux, I would say 'about time'.

                                    "If you do 3D modelling and rendering..."
                                    As irrelevant as this example is... ProPolice and rendering.

                                    "So don't use ProPolice or don't use OpenBSD at all for that matter"

                                    I don't. I left OpenBSD a while ago after bad performance, Theo's never-ending moaning against America, and the constant flames of users on the mailing lists. Professionalism is something I wish to see when it comes to security, and I don't.

                                    "People will use OpenBSD "the wrong way" with or without ProPolice"

                                    True. My issue is the more you hype a product, the more the unknowing will leech to it for a false hope. Does that mean the OS teams shouldn't speak about their products based on facts, no. But I do think that means that everyone should stay more technical and less blunt 'No remote holes in default...' -- the users who know, will understand -- the users who don't, will just move on cause nothing is doing the work for them, so they want a different OS.

                                    Thanks for your comments, they were well put.

                                    -Mark

                                    Comments
                                    1. By Anonymous Coward () on

                                      Be realistic, ProPolice isn't exactly that revolutionary, it's evolutionary

                                      I wasn't just talking about ProPolice. I've been following OpenBSD for exactly 4 years today (2.5) and the most recent things done, seem to be the most proactive and with potentially the most long-term improvements. I imagine as more and more people start using it, more holes will be discovered and fixed and new holes will not last very long at all.

                                      So is there a KryptoBSD with something as-good or better that we should be using? Why are you trying to piss on their parade?

                                      As irrelevant as this example is... ProPolice and rendering.

                                      I'm merely trying to show that different tasks require different system design considerations. With rendering, 100% CPU usage is expected for efficient operation, yet with servers it could be an indication that packets could potentially be timing out because the CPU cannot keep up.

                                      So, a server should be designed with CPU power to spare in what would be forecast under peak traffic. If ProPolice put a large enough burden on CPU power, then this could be taken into account. I'm guessing it will hardly be noticed.

                                      I don't. I left OpenBSD a while ago after bad performance

                                      So why are you here, claiming that the ideal of ProPolice is reduced performance (with the added security).

                                      My issue is the more you hype a product, the more the unknowing will leech to it for a false hope.

                                      The unknowing should do a bit of reading to become knowing. Don't blame OpenBSD for newbie mistakes. "1 remote hole in the past 7 years in the default install" is not a fact? I view it as a testament to the quality that has been achieved. I also see that there was a hole and therefore OpenBSD is not infallible.

                                      I don't blame Microsoft for stupid admins that put great trust into the "trusted computing" shite that they crap on about.

                                      OpenBSD didn't get to the incredible level of security by having poor ideals.

                                      You seem to keep side stepping the sentence that moved me to reply: " At no point should a slowdown in server speed be a good ideal of security implementation. "

                                      That says that a security implementation should not include impacted performance as an ideal. As if ProPolice does. Who on Earth would actively strive to hurt performance (making that a feature) while also striving to increase security? Nobody, except perhaps in research. But you make it sound in that one sentence that ProPolice wants to hurt performance in the pursuit of higher security. This is ridiculous. Any impact to performance would either be an acceptable or unacceptable impact and a decent proactive admin (like yourself) would go about either enabling or disabling it, depending on their stance.

                                      Comments
                                      1. By KryptoBSD () KryptoBSD@uncompiled.com on http://www.uncompiled.com

                                        "So is there a KryptoBSD with something as-good or better that we should be using? Why are you trying to piss on their parade?"

                                        You seem to have a heartache over me giving my opinion about OpenBSD. I think we all know that an Operating System is only as useful as you make it for your individual situation.

                                        "So why are you here, claiming that the ideal of ProPolice is reduced performance (with the added security)"

                                        Do you know what the top of this post is?

                                        "Has anyone benchmarked OpenBSD with and without propolice ? For general usage, OpenBSD has never been very fast compared to Linux or FreeBSD, and I'm a bit frightened about the addition of something that can only make the kernel go slower :( "

                                        If you actually read what I say in all of my posts it basically goes like this:

                                        Neither ProPolice nor any security feature should be allowed to abuse system resources to complete tasks that can be defended against through other forms of administration than letting the kernel do all of your work for you.

                                        My comments are about the general and specific example (of ProPolice) taking up resources when we could implement security features which don't.

                                        "But you make it sound in that one sentence, that ProPolice wants to hurt performance in the pursuit of higher security. This is ridiculous."

                                        That is ridiculous, and I'm sure glad that's not what I said. I am speaking on behalf of myself -- I do not believe performance should be stunted for security features that are in excess. ProPolice, I feel, if the above person's quote is justified by results, would be something I would not want implemented.

                                        "'1 remote hole in the past 7 years in the default install' is not a fact? I view it as a testament to the quality that has been achieved"

                                        From released exploits and alerted vulnerabilities... but that's a whole thread on its own ;)

                                        While not to give the wrong impression, I don't think this lengthy thread is moving along the way I wanted. I wanted people to see that we shouldn't involve software, kernel patches, or anything else to take a toll on system processes that need the speed/memory/etc (databases, web servers, on and on). I do not find a problem with what ProPolice does, as much as I worry that we will just see more and more lazy admins that don't care to learn. I appreciate the knowledge of senior administrators whom I talk to. If your reliance on ProPolice is paramount, well, I would rather not hear your views on security (that isn't a personal shot, I don't know you, just a general thing).

                                        I think it's best that I and whoever else has seen enough of this, or is still responding just stop bothering. We can take this off forum if anyone likes through private e-mail. My email address is listed above. Thanks for all of the real input into this matter. But if you want to reply to this or other posts above, please do... just a suggestion -- this has been going on a week :)

                                        Best Regards,
                                        -Mark

                                        Comments
                                        1. By Anonymous Coward () on

                                          You seem to have a heartache over me giving my opinion about OpenBSD.

                                          No, I have trouble with someone claiming that the roles or ideals of ProPolice, are to 1. increase security and 2. impact performance.

                                          You said, " At no point should a slowdown in server speed be a good ideal of security implementation. ".

                                          You think impacted performance is an ideal (desired result) of ProPolice? Honestly? Or was that just badly worded on your part?

                                          If I were to take this as, "A security implementation should never degrade performance".

                                          Then I would say that, this is a subjective matter which depends on system roles. Meaning that that opinion is narrow minded and can't be correct in the generic sense that it is made.

                                          Or, if I were to take your statement as "ProPolice should not strive to hurt performance".

                                          Then I would say it is ridiculous to think that is an actual desired result of ProPolice usage.

                                          The desired gain is greater security, and the loss may be performance. Whether this loss is acceptable or not, ultimately depends on the opinion of the admin, given the specific situation he finds himself in.

                                          Do you know what the top of this post is?

                                          Yes, I most certainly do. Do you read your own posts? You say, " At no point should a slowdown in server speed be a good ideal of security implementation. " and then expect us to take that seriously? Performance loss is not an ideal, it seems to be deemed an acceptable loss (if practically any).

                                          JSO said that he's worried about the performance loss and queried how much it would be. He didn't say, "ProPolice SHOULD NOT BE USED because its ideals are not just to increase security, but it also wants to hurt performance!".

                                          If you NEED propolice, then you NEED to learn about security.

                                          I tell you what. You go read through the entire OpenBSD source and audit it yourself. Find every buffer overflow in it so that ProPolice has nothing to find in the future. If after doing that, ProPolice does find a buffer overflow, I'll be back here wanting to know how this happened. The fact is Mark, humans are human, they make mistakes and they also miss mistakes. If ProPolice can both improve the short and long term security, with acceptable performance loss, then fantastic! Are you offended by the thought that OpenBSD is putting mechanisms in place that may prevent current and future buffer overflow bugs from being exploited?

                                          Neither ProPolice nor any security feature should be allowed to abuse system resources to complete tasks that can be defended against through other forms of administration than letting the kernel do all of your work for you.

                                          "Other forms of administration" here is basically "audit the code yourself". There are times that exploits become available and used before patches are made available. That is a window of opportunity which ProPolice may well close. That window could be small or large and of wildly varying danger, depending on who finds the bug first, how quickly they write the exploit, how quickly they disseminate the exploit and to how many bad vs good people, how quickly the patch is written, tested and made available and then most importantly, how quickly you manage to find out about it and patch it on your systems. If the notice goes out as you're stepping into the lift to go home for the night, you might be in for a bad surprise in the morning. With ProPolice, you might just have to block a port on your firewall, restart the process and submit a bug report.

                                          You are not being realistic. Just because ProPolice automatically prevents a buffer overflow exploit from being carried out, does not make that administrator lazy by default.

                                          I would rather have the ProPolice clean-up job than the non-ProPolice clean-up job. This does not make me lazy. It makes me responsible. As far as I am concerned, if an admin has the opportunity to make his company's business systems a lot harder to harm or steal from, with acceptable loss, then he should take that route after testing it.

                                          The fact is, YOU have not eliminated all the bugs from the OpenBSD source and you cannot guarantee that good admin skills can stop all attacks under all circumstances, so don't say that we're trying to get the kernel to do all the work for us.

                                          My comments are about the general and specific example (of ProPolice) taking up resources

                                          My major problem is with your claim that a ProPolice ideal is to hurt performance.

                                          when we could implement security features which don't.

                                          Please enlighten and empower us.

                                          That is ridiculous, and I'm sure glad thats not what I said.

                                          " At no point should a slowdown in server speed be a good ideal of security implementation. "

                                          http://dictionary.reference.com/search?q=ideal

                                          Are you, or are you not referring to the usage of the security measure which this whole story is about, when you stated the above. This reads like you are saying that "slowdown in server speed" is a ProPolice "ideal". If that is not what you meant, then who on Earth would strive to hurt performance in the pursuit of higher security?

                                          How could anyone take your opening statement, in a forum about ProPolice, as not being directed at ProPolice?

                                          If you were just stating the obvious, not directed at any mechanism in particular, then thanks for your valuable insight!

                                          I feel, if the above persons quote is justified by results, would be something I would not want implemented.

                                          I respect that as your decision! Maybe you could accept that some people would like to use ProPolice, in the pursuit of finding buffer overflows and preventing their exploitation? And not come here and boldly state that something should not be used and that the usage of that device is an indication of lazy, ignorant admins!

                                          My references for this are, " reliance on one magic shield of security " and " If you NEED propolice, then you NEED to learn about security. " respectively.

                                          I worry that we will just see more and more lazy admins that don't care to learn.

                                          Why the hell, should this be YOUR concern or the concern of OpenBSD?!?!?!?

                                          As I have already stated, OpenBSD should not be defined or steered in any way, by ignorant and/or lazy outsiders.

                                          If your reliance on ProPolice is paramount, well, I would rather not hear your views on security

                                          I'm not reliant on ProPolice. I view ProPolice as something that will ferret out many unfound buffer overflow bugs which may have been in source for a long time and new bugs that crop up in testing new code, leading to an overall increase in security.

                                          I've been working in various discrete and computerised digital systems for 15 years, including military (requiring 2nd highest available NATO security clearance) and stock exchange big iron on live trading networks. I couldn't give a fuck whether you respect my opinion or not.

                                          I can tell you that I don't disrespect you on the whole. I do however not respect your defence of loud arrogant statements which were not well thought out.

                                          Comments
                                          1. By KryptoBSD () KryptoBSD@uncompiled.com on http://www.uncompiled.com

                                            "I couldn't give a fuck whether you respect my opinion or not."

                                            I really wasn't going to post again, but this is beyond immature. You seem to want to make this a matter of 'I am right because what you say doesn't make sense to me'. I respect everyone's opinion who gives calm and collected comments that aren't based around a flame or rudeness. Please try to be a bit more professional.

                                            I have ended each post thanking the poster for their comments, and I have ended stating my name as a sign of respect. Common courtesy warrants that, and I do inherently respect people who are willing to state what they think.

                                            I have read the above, in good humor. Your attitude in the above posts shows a lot of hostility (probably because you're thinking 'dear god this guy is dumb'), which is fine. I have read what you had to say, again... as with everyone, and the above statements. I finish, with respect quoting:

                                            "And not come here and boldly state that something should not be used and that the usage of that device is an indication of lazy, ignorant admins!"

                                            and responding:

                                            If you don't like me being bold, and if you don't like that I believe security can be done without ProPolice, and if you don't like that I think I can do my job fine without security features that hinder the system and slow other processes...

                                            Too bad.

                                            (I would have responded off list, as I said I wouldn't post this thread -- but you still, as with the others, don't seem to think giving an e-mail address or name is warranted, which is fine, if you have something to hide...)

                                            -Mark

                                            Comments
                                            1. By Anonymous Coward () on

                                              this is beyond immature

                                              Immature because I used the "F" word?

                                              Wanna talk about immature? Statements like " If you NEED propolice, then you NEED to learn about security "?

                                              There are times when exploits live for a short while before a notice of their existence is made and subsequently a patch. Before you patch your vulnerable system, there is a window of opportunity for the script kiddies. I would not hold it against you if you were hacked during this time.

                                              Fact is, you are human and have to sleep (normally 33% of your life), people who code your systems are human too. But, you believe that if you are " exploited, it will be because of diligence ".

                                              This just is not always the case. ProPolice may well help out there. But according to you, anyone who feels they need it, doesn't know security. Some people need all the security they can get and even employ (shock horror!) security through obscurity as an added layer. Go ask Theo about that, if you're one of these types who always talk about how bad it is, but don't think much about it.

                                              you're thinking 'dear god this guy is dumb'

                                              No, I don't think you are dumb. Honestly. You're just defending what appears to be a badly worded rant.

                                              Funnily enough, I do actually agree with, " Cryptography is not the cure all for security, and neither is propolice ", mostly because there is no such thing as a cure all for security.

                                              If you don't like me being bold, and if you don't like that I believe security can be done without ProPolice, and if you don't like that I think I can do my job fine without security features that hinder the system and slow other processes...

                                              I don't mind you being bold, and don't mind if you think security can be done without ProPolice.

                                              What I mind, is that you come here and state:

                                              1. Server slowdown is a ProPolice ideal.
                                              2. Start sentences with "We cannot allow ourselves".
                                              3. People who feel a need to use ProPolice don't know security.
                                              4. Compare Open to Free and focus away from Open's forte.
                                              5. People only get exploited because they were not diligent.

                                              The goals of OpenBSD I like most are security, true freedom and technical correctness.

                                              ProPolice is a tool, now employed by OpenBSD to improve the most important goal (for me).

                                              Let's wrap up, with some very mature comments you've made under this story:

                                              If you NEED propolice, then you NEED to learn about security.

                                              if the administrator is to take a performance drop for less work on his part to do his job, that is an unacceptable action

                                              Maybe YOU don't wish to do true administration instead of letting your slowed system work and work to do what would not be needed if you were to handle your business.

                                              This does not hold true for sysadmins who know their craft and wish to use tools at their hand which are proactive and helpful, not destructive and talentless.

                                              I am sure at your job where you think you are administrating systems

                                              You and your silly comments...are probably nothing more than a 15 year old child who was told his network wouldn't be able to get hacked.

                                              do not bother responding and making me read your dribble of insight to administration of 3 computers.

                                              With those opinions, you do not work for any companies, nor probably have. If you do, I feel sorry for your employers. Maybe next time you will listen rather than pass along inane comments.

                                              it's your choice. But why accept it?

                                              You can be as tired and lifeless as you want with your jobs, that's fine.

                                              Not everyone is a drone with prepackaged security and cut throat, thoughtless security.

                                              I left OpenBSD a while ago after...Theo's neverending moaning against America

                                              Here is the most insightful thing I've heard you say, " ProPolice ideals aren't bad, and why would they be ".

                                              BTW, that is called sarcasm.

        2. By Bill () noemail@youhaveanaddy.com on mailto:noemail@youhaveanaddy.com

          I have no issues with my server security. Not because I am using 'ProPolice' to ensure my safety, but because I am confident in diligence with my updates and I believe if I am exploited, it will be because of diligence and not reliance on one magic shield of security.

          So you never go on vacation? You don't take weekends? You are up all hours of the night checking security boards and monitoring anti-virus advisories? Your place of work has a massive insurance policy on you in case you get hit by a bus? No one but you ever touches or ever will touch a server you admin? Even after you move on?

          You have never installed a bad patch? You have always gotten a patch the moment it was issued and immediately put it on the server? You have always worked in a small environment where that is ok and you won't get fired because you didn't follow change control? You have never made a typo or accidentally misconfigured a file?

          You've never taken the performance hit to monitor and block executable attachments on your email server? You've never taken the performance hit to add anti-virus software to a Windows server? You've never taken the performance hit to force users to use passwords at least 8+ characters long with caps and numbers, no repeats, etc., etc.

          1: Relying on your own diligence is just as much "a magic shield" as ProPolice. No matter how good you are, your boss won't and shouldn't consider you the only resource to keeping a server secure.

          2: Security implementations always involve trade-offs. A performance hit is not a reason to outright dismiss something like ProPolice. Have you ever assumed that part of the reason I would spec a machine was so I could run the app *and* any security measures I may want to implement. Like Propolice?

          3: You assume that anyone using ProPolice will treat it as a universal panacea instead of the additional layer of protection that it is designed to be.

          From a business and security perspective I don't agree with your assertions except the one about cryptography and Propolice not being a cure-all.

          Comments
          1. By Anonymous Coward () on

            I think a round of applause is in order.

            Mark probably wishes he could do his on-line banking transactions in plain text, so that the pages download in 4 seconds instead of 5.

            Mark, crypto can eat CPUs for breakfast, causing them to become bottlenecks (as opposed to the networking tech used), reducing available bandwidth. So does this mean that crypto should never be used?

            I just can't believe you said " At no point should a slowdown in server speed be a good ideal of security implementation. " and are still bold-faced defending that stance.

            Think about this: You admin a server which stores NATO IFF codes (challenge and response codes for identifying friendly military aircraft, where the lack of a correct or "I'm commercial" answer leads to the assumption of enemy), a server which is updated periodically (as a safety measure which assumes that leaks of this info could not continuously occur without detection and if they did, impact would be minimized through code expiry) via crypto links.

            The server runs consistency checks on damn near everything it does and while getting or disseminating the latest codes (using crypto), the CPU occupancy goes up to 70%.

            If you strip all the consistency checking and crypto, the CPU occupancy goes right down to just 10%! Wow, what an incredible saving!

            However, the engineering team who designed this system (a bunch of math, CS and CE PhD's) developed a new consistency checking mechanism which detects a buffer overflow and simply kills that process with a detailed error report. This system caused peak CPU occupancy to reach 80%.

            Do you:

            A. At no point allow a slowdown in server speed be a good ideal of security implementation and thus not use it?

            B. Switch off all the consistency checking and crypto, so as to save some electricity?

            C. Test, test and then test some more, the new super-duper consistency checker, iron out its bugs (aka -current), deploy and make the nation safer?

            Bearing in mind, that if the enemy gets their hands on our IFF codes, it means that we can't identify them as an enemy, but they can identify us and shoot us down before we're more than a glint of light off in the distance. They'll be flying over our SAM sites without a care in the World and our F-16s would have to get close enough for visual inspection to detect the enemy.

            Go look up the word 'priority'. OpenBSD's priority is security. That's why I've been using it for these years. What's the bloody point in saving a few clock ticks if some wretched little #@X0R is now buying stuff with your credit card details?

            " At no point should a slowdown in server speed be a good ideal of security implementation. "

            The slowdown of this security implementation is NOT an IDEAL!

            It is merely an acceptable loss!

            If YOU don't accept it, DON'T USE IT .

            Comments
            1. By technofiend () on

              A couple of comments: 1) thanks to the guys
              who put pro-police in! Well done.

              2) Unless you are running a Soekris box or
              similar (486) I'm thinking ProPolice isn't
              going to shift you from 'acceptable' to 'unacceptable' performance.

              In fact, it would be kinda nice to bench it on
              a Soekris.

        3. By Anonymous Coward () on

          Cryptography is not the cure all for security, and neither is propolice.

          OpenBSD gets its "7 years, just one remote exploit" mostly via crypto? No. It gets it via auditing, strict programming protocol and proactive attitude. Crypto is a tool used to good effect too. ProPolice helps to shine a spotlight on danger areas which might require some attention. That is proactive.

          You can use diligence with OpenBSD too.

          You assume you are safe because you update what is known? The OpenBSD crew are actively seeking out holes with ProPolice to make sure they are uncovered, so that people like yourself can go about patching their systems. If they didn't uncover these holes, you'd most likely be in the dark, until such time that you're left scratching your head wondering how someone hacked into your "diligently kept" FreeBSD machine. No offense to FreeBSD, BTW, this is directed squarely at your attitude.

          OpenBSD can be a major layer in a securely administered system. ProPolice will help to remove some holes that remain and new holes that pop up.

          If you want to get nothing but the highest performance out of your hardware, Gentoo. If you're looking for security, OpenBSD. Horses for courses. Anyway, CPUs and memory are damn cheap.

    2. By CHris () on

      For general usage openbsd has been plenty fast enough. The only time I notice the speed difference is when I'm compiling, but that doesn't fall under "general usage". KDE loads faster on my Gentoo box, but gentoo is a special case. :)

      Comments
      1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

        Yes, security is good, and we have to make trade-offs between performance and security. After all, I run OpenBSD for a reason.

        But the impact of the slowdown depends on your hardware. On high end hardware, the speed penalty of OpenBSD doesn't matter.

        With old hardware, it matters a lot. My gateway is a Celeron 500. That's not so old hardware, but well...
        when I run "cvs" to sync the OpenBSD source tree, everything is extremely long, even opening my mailbox with mutt takes ages.

        On that box, it also takes me 12 minutes to extract ports.tar.gz . During the extraction, the hard disk is spinning like hell and the system responds very slowly. Access to the internet from computers behind the gateway also becomes immediately very slow, although ppp and pppoe are negatively nice'd.

        So yes, most of the time, OpenBSD is fast enough, but sometimes it really, really, really feels slow.

        Comments
        1. By Motley Fool () motleyfool@dieselrepower.org on mailto:motleyfool@dieselrepower.org

          Is the filesystem mounted with softupdates when you're un-tarring the ports source tree? That made a tremendous difference on my system.

          Comments
          1. By Matt () on

            I was thinking the same thing. Untarring ports.tar.gz on my ppro 180 with 64mb ram takes 15 minutes without softupdates, 5 minutes with softupdates.

            methinks you're not using softupdates or have the slowest celly ever :)

            Comments
            1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

              I'm using softupdates, noatime, the hdd writecache is enabled and there is 30% or 384Mb available for the disk cache. Other suggestion?

              Comments
              1. By Anonymous Coward () on

                upgrade :-)

              2. Comments
                1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

                  Memory: Real: 62M/220M act/tot Free: 217M Swap: 0K/640M used/tot

              3. By mirabile () mirabile@bsdcow.net on http://MirBSD.BSDadvocacy.org/

                Yes. Disable the hardware write cache for all hard discs with at least one softdep filesystem on it.

                By the way, when you edit code again, especially if you intend to publish diffs, please READ style(9).

                Your diffs (humantime ulimit, jumbo, ...) I integrated were full of trailing whitespace, spaces instead of tabs and other non-KNF things. It's really annoying.

                Comments
                1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

                  Unfortunately disabling the hardware write cache only makes things worse, I'm looking for ways to increase performance, even through losing reliability.
                  And mounting the partitions with the async flag causes kernel panics...
                  Maybe the hardware is not very well supported (standard Abit BH6 motherboard, first revision) .
                  But well, as it mainly works as a router this is not a showstopper anyway, PF performs really well and I really enjoy it.

                  For the diffs, you're definitely right. I know about style(9), but it really doesn't like Jed's "bsd" mode. I'll try to write an "openbsd" mode that conforms to style(9) for this editor (no, no, I won't switch to any Vi-variant, the only thing I've always been able to produce with Vi is "beeeeeeeeep" and flashing screens).

                  Comments
                  1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

                    Done.

                    A more knf-friendly mode is now available for Jed, and I've updated the port to version 0.99.16 while I was at it :

                    ftp://00f.net/ftp/misc/openbsd-port-jed.tar.gz

                  2. By anil () avsm@ on mailto:avsm@

                    I've noticed that mounting with both the softdep and async flag causes panics, but an XOR of either is fine; have you tried async without softdep?

                    Comments
                    1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

                      Indeed, I've tried softdep + async, it may explain the panic.

                      However, I've just found a small workaround for the slow disk I/O. By telling the disk elevator to sort by blocks, not cylinders, untarring the ports tree now only needs a bit more than 4 minutes. That's about 3x faster.

                      A trivial patch to do this is there :

                      http://www.42-networks.com/obsd_patches/blk_disksort.patch

                      The real problem may be in the geometry of the disk that is not properly recognized, or in the BIOS (unfortunately there are no more revisions for this mobo) .

                      Comments
                      1. By tedu () on

                        awesome

        2. By krh () on

          I think my attributes must be larger than your attributes, for my gateway is a 486DX2/66 with 8 megs of RAM and a 400 meg HD. :-)

          Strangely enough, though, I don't have the same network speed problem you report: I never have network slowdown due to activity on the gateway, despite immense swapping activity (If you nc to the mail server, you can listen to it swap in. I regularly use this to determine if I have new mail.)

          I haven't noticed any significant slowdown since upgrading to 3.3. Everything seems to run about the same as before, which, considering the system, is pretty good! But then I never compile anything (there's not enough room on the HD for compXX.tgz the way it's partitioned) and I don't do computationally-intensive tasks on it, either. Still, it sounds like you've got funny hardware.

    3. By Schubert () on http://schubert.cx/

      Assuming any potential slowdown is a "fixed" constant (which I can't imagine it not being fixed) is irrelevant in the long run. Hardware is getting a whole lot faster, faster than software is getting a whole lot better at security.

    4. By Dries Schellekens () on

      You can specify NO_PROPOLICE in your kernel configuration when compiling.

  2. By asp3n () on

    A few of our pen tools won't run unless compiled with stack-protector disabled. what then?

    Comments
    1. By Dries Schellekens () on

      So? This is the OpenBSD kernel being compiled with propolice.

      Comments
      1. By sean allin aka asp3n () on

        Ok, think I misread last part. Thought meant removing -fno-stack-protector from compiler, not the flag from kernel compile. My bad.

    2. By Anonymous Coward () on

      what's the error you get with these tools? unless they are deliberately overflowing their stacks, they should run with propolice ...

    3. By krh () on

      It sounds like they're buggy. Have you looked at the output from ProPolice?

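The two replies above ask what ProPolice actually reports when a tool dies under it. The following is an added illustration, not code from OpenBSD, from the ProPolice patch or from any poster in this thread: it writes out by hand what the compiler instruments automatically. A guard value is copied just above the local buffer on function entry, compared on exit, and a smash handler is called with the function's name when it differs (ProPolice's own names for these are __guard and __stack_smash_handler). The model makes three simplifying assumptions so the run is deterministic and well-defined C: the frame is an explicit byte array rather than the real stack, the guard is a fixed constant instead of the random value ProPolice draws at start-up, and the handler records the event instead of aborting. The three inputs are constructed: one that fits, one that spills a single byte into the canary, and one that rewrites the canary with the guard's own value, which is the case a canary cannot catch.

```c
/*
 * Hand-written model of the ProPolice stack canary (added example, not
 * OpenBSD or ProPolice code). The "frame" is an explicit byte array so the
 * overflowing copy stays defined C; a real build places the guard between
 * the locals and the saved return address.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16
#define FRAME_LEN (BUF_LEN + sizeof(uint32_t))   /* buffer, then canary */

/* Per-process guard (ProPolice: __guard). Fixed here for a repeatable run;
 * the real value is filled with random bytes at start-up. */
static uint32_t guard = 0xA3C5E7F9u;

/* What the handler recorded; a real __stack_smash_handler logs and aborts. */
static int  smashed_count = 0;
static char smashed_func[64] = "";

static void stack_smash_handler(const char *func)
{
    smashed_count++;
    snprintf(smashed_func, sizeof smashed_func, "%s", func);
    fprintf(stderr, "stack overflow in function %s\n", func);
}

/*
 * An "instrumented" function with the classic bug: n bytes of caller-supplied
 * input are copied into a 16-byte local buffer with no bounds check.
 * Returns 1 if the canary is intact on exit, 0 if the copy clobbered it.
 * (n is clamped to the frame only so the model never writes outside its own
 * array; a real overflow keeps going past the canary into the return address.)
 */
int copy_into_frame(const unsigned char *input, size_t n)
{
    unsigned char frame[FRAME_LEN];
    uint32_t      seen;

    memcpy(frame + BUF_LEN, &guard, sizeof guard);   /* prologue: plant guard */

    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, input, n);                         /* body: unchecked copy */

    memcpy(&seen, frame + BUF_LEN, sizeof seen);     /* epilogue: verify guard */
    if (seen != guard) {
        stack_smash_handler("copy_into_frame");
        return 0;
    }
    return 1;
}

/* The bypass case: an attacker who already knows the guard value overflows
 * the buffer and rewrites the canary with the right bytes. Returns 1, i.e.
 * the overflow goes undetected, which is why the guard must stay secret. */
int forged_overflow(void)
{
    unsigned char input[FRAME_LEN];

    memset(input, 'A', BUF_LEN);
    memcpy(input + BUF_LEN, &guard, sizeof guard);
    return copy_into_frame(input, FRAME_LEN);
}

int main(void)
{
    const char *fits  = "0123456789abcdef";   /* exactly 16 bytes */
    const char *spill = "0123456789abcdefX";  /* one byte too many */

    printf("16 bytes: %s\n", copy_into_frame((const unsigned char *)fits, 16)
           ? "canary intact" : "smash detected");
    printf("17 bytes: %s\n", copy_into_frame((const unsigned char *)spill, 17)
           ? "canary intact" : "smash detected");
    printf("forged:   %s\n", forged_overflow()
           ? "canary intact (undetected)" : "smash detected");
    return 0;
}
```

Build with cc -std=c99 -Wall and run it. The one-byte spill is the case a ProPolice build reports as a stack overflow in the named function; a tool that only works with -fno-stack-protector is, as the reply above says, almost certainly writing past one of its own buffers, and the handler's message tells you which function to look at. The forged case shows the limit of the technique: a canary only detects overwrites that change it, so the guard's secrecy, not just its presence, is what matters.
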
  3. By OpenBSD Beginner () till.boehmert@t-online.de on mailto:till.boehmert@t-online.de

    Hi,

    does this news mean, that todd just enabled propolice in the makefile of the kernel?

    I thought it is enabled by default in OpenBSD 3.3 stable? Or is it not?

    Comments
    1. By Anonymous Coward () on

      3.3 userland is compiled with propolice, but not the kernel. That's for 3.4 (or OpenBSD-current).

      Comments
      1. By OpenBSD Beginner () till.boehmert@t-online.de on mailto:till.boehmert@t-online.de

        So is it then possible to remove the -fno-stack-protector flag from the 3.3 stable kernel makefile without any risk?

        Comments
        1. By Anonymous Coward () on

          no, unless you try importing the changes to init_main.c and kern_xxx.c from current

      2. By Anonymous Coward () on

        Doesn't the (relatively) new W^X memory handling make the ProPolice stack protection redundant?

  4. By Xezuz Tsyperovich () on

    I will keep 3.1 until it drops, but that's it with the hocus-pocus.

  5. By Eduardo Alvarenga () eduardo at thrx dot dyndns dot org on mailto:eduardo at thrx dot dyndns dot org

    There was a bug (buffer overflow) in dhcpd discovered by propolice when multiple interfaces were supposed to be bound. I've made some research on the CVS logs and found no corrections about this issue.

    http://marc.theaimsgroup.com/?l=openbsd-misc&m=104621509408933&w=2

    Any clue?

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]