OpenBSD Journal
Home : : Add Story : : Archives : : About : : Create Account : : Login :
BSDCan 2016 Presentations Online
Contributed by pitrh on Fri Jun 17 13:57:19 2016 (GMT)
from the After the goat BOF dept.

The BSDCan 2016 conference in Ottawa has just concluded, with a number of OpenBSD-themed talks. These are the talks by OpenBSD developers:

Reyk Flöter: An OpenFlow implementation for OpenBSD - Introducing switchd(8) and more about SDN (slides)

Henning Brauer: Running an ISP on OpenBSD - Why OpenBSD and several uncommon uses of it (slides)

Peter Hessler: Bidirectional Forwarding Detection (BFD) implementation and support in OpenBSD. Or: A new protocol actually did improve our routing. (slides)

Mike Belopuhov: Implementation of Xen PVHVM drivers in OpenBSD (slides)

Antoine Jacoutot: OpenBSD rc.d(8) (slides)

Sebastian Benoit: Opensource Routing - Running an enterprise network on OpenBSD (slides)

In addition, two OpenBSD-centric tutorials were offered by people who are not themselves OpenBSD developers:

Peter Hansteen: Building The Network You Need With PF, The OpenBSD Packet Filter (slides)

Aaron Poffenberger: OpenSMTPD for the Real World (slides)

[topicconf]
[ 6 comments 9d14:25 ago ] (flat) (expanded)

Understanding the modernization of the OpenBSD network stack, part 1: ART single thread performances
Contributed by pitrh on Fri Jun 17 13:53:27 2016 (GMT)
from the parallel bunches of tubes dept.

Martin Pieuchot (mpi@) wrote in, saying

OpenBSD network developers are doing some great work at modernizing and improving the network stack. But even if you're following tech@, it might be tricky to understand what's going on.

Read more...
[topicopenbsd]
[ 4 comments 5d10:04 ago ] (flat) (expanded)

ARMv7 now has a bootloader
Contributed by tj on Sun May 29 15:41:10 2016 (GMT)
from the call-to-arms dept.

Progress on the armv7 platform continues, and Jonathan Gray writes in to the arm@ mailing list with some promising news:

There is now a bootloader for armv7 thanks to kettenis@ Recent armv7 snapshots will configure disks to use efiboot and install device tree dtb files on a fat partition at the start of the disk.

u-boot kernel images are no longer part of the release but can still be built for the time being. We are going to start assuming the kernel has been loaded with a dtb file to describe the hardware sometime soon. Those doing new installs can ignore the details but here they are.

Read more...
[topicmobile]
[ 0 comments ] (flat) (expanded)

W^X now mandatory in OpenBSD
Contributed by tj on Fri May 27 22:27:14 2016 (GMT)
from the x-chromosome dept.

Traditional Unix has allowed memory to be mapped W | X. Everyone now knows that’s a bad practice from a security standpoint, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2016/05/27 13:45:04

Modified files:
	lib/libc/sys   : mmap.2 mount.2 mprotect.2 
	sbin/mount     : mntopts.h mount.8 mount.c 
	sbin/mount_ffs : mount_ffs.c 
	sbin/mount_nfs : mount_nfs.c 
	sys/kern       : kern_sysctl.c vfs_syscalls.c 
	sys/sys        : mount.h sysctl.h 
	sys/uvm        : uvm_mmap.c 
	usr.sbin/pstat : pstat.c 

Log message:
W^X violations are no longer permitted by default.  A kernel log message
is generated, and mprotect/mmap return ENOTSUP.  If the sysctl(8) flag
kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump
creation.

W^X violating programs can be permitted on a ffs/nfs filesystem-basis,
using the "wxallowed" mount option.  One day far in the future
upstream software developers will understand that W^X violations are a
tremendously risky practice and that style of programming will be
banished outright.  Until then, we recommend most users need to use the
wxallowed option on their /usr/local filesystem.  At least your other
filesystems don't permit such programs.

Read more...
[topicsecurity]
[ 27 comments 3d4:41 ago ] (flat) (expanded)

Privilege Separation and Pledge (video)
Contributed by tj on Wed May 25 13:34:54 2016 (GMT)
from the feathered-edges dept.

This year's dotSecurity conference featured a presentation from OpenBSD founder Theo de Raadt, titled "Privilege Separation and Pledge."

The video is now available here, in addition to the slides.

[topicconf]
[ 3 comments 31d20:34 ago ] (flat) (expanded)

p2k16 Hackathon Report: pirofti@ on octeon and TPM
Contributed by tj on Thu May 19 11:27:55 2016 (GMT)
from the resume-hacking dept.

The next hackathon report comes from Paul Irofti, who writes:

This was probably the shortest hackathon I attended. The 4 days flew by and I realised we have to pack and go with nothing to show for.

My usual hackathon work flow is: waste 3-4 days trying to figure how some device works, and then polish the driver(s) for the remaining days while congratulating myself with coffee, Günther and beer.

Read more...
[topichardware]
[ 1 comment 38d19:24 ago ] (flat) (expanded)

p2k16 Hackathon Report: jasper@ on gnome, puppet and more
Contributed by tj on Tue May 17 12:37:04 2016 (GMT)
from the elastic-beats dept.

Our next report comes from Jasper Lievisse Adriaanse, who writes:

Hackathons have long since had two themes for me, gnomes and puppets. However this hackathon I actually didn't want to play with puppets for once, yet I ended up importing Puppet 4 after all. More on that later.

Read more...
[topicports]
[ 0 comments ] (flat) (expanded)

SROP mitigation committed
Contributed by tj on Thu May 12 03:28:12 2016 (GMT)
from the his-name-was-sigurd dept.

In a recent email, Theo de Raadt explains the SROP mitigation technique, a recent team effort.

This is the first demonstration of a mitigation against SROP.

Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomized placed per process, it is only known by directly returning from a signal handler.

As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context. That part is similar to the LWN discussion mentioned above. I came to the same conclusion semi-independently as a result of Antoine's ports builds, which identified all the parts of the application software ecosystem I had to study. Woe is me!

Read more...
[topicsecurity]
[ 3 comments 31d20:53 ago ] (flat) (expanded)

p2k16 Hackathon Report: krw@ on pdisk, softraid and more
Contributed by tj on Wed May 11 16:31:49 2016 (GMT)
from the chasing-squirrels dept.

The next hackathon report comes from Ken Westerback, who writes:

I arrived at CDG, got on my train and arrived in Nantes just before a national train strike started. Whew. Did a pleasant walk paralleling the tram tracks to the appropriate tram stop and consulted the documentation. "Hackroom is nearby." Hmmm. Wandered around for a while without stumbling across it, and finally noticed the large neon sign for the hotel. From which I *did* have directions. Got to the hackroom building and found that the doors had been locked early. A few frantic texts later I got in and the normal hackathon routine took hold.

Read more...
[topicopenbsd]
[ 1 comment 45d11:07 ago ] (flat) (expanded)

Support OpenBSD!

Donate to OpenBSD

Buy OpenBSD products

Features

We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

Older Stuff
Sunday, May 08
14:09 p2k16 Hackathon Report: ajacoutot@ on Gnome, rc and rcctl improvements (2)
Tuesday, May 03
16:07 p2k16 Hackathon Report: naddy@ on graphics libs progress (yes, packages!) (1)
18:49 p2k16 Hackathon Report: landry@ on mozilla ports (6)
15:28 libcrypto errata - May 2016 (15)
15:35 OpenBSD Foundation Announces Gold Sponsor (2)
Monday, May 02
13:42 p2k16 Hackathon Report: tb@ on documentation, ports, wireless (2)
Saturday, April 30
23:06 p2k16 Hackathon Report: espie@ on proot (0)
16:32 proot: dpb meets chroot (1)
Monday, April 25
14:59 anti-ROP mechanism in libc (27)

Older Stuff...
Yesterday's Edition...

OpenBSD Errata
[xml]

OpenBSD Resources

XML/RSS/RDF
Users wishing RSS/RDF summary files of OpenBSD Journal, can retrieve: [xml]


[ Home | Add Story | Archives | Polls | About ]

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]