Fresh from the just concluded e2k19 hackathon, Claudio Jeker (claudio@) writes in:
After 2 years it was once again time to pack skis and snowshoes,
put a satellite dish onto a sledge and hike through the snowy rockies
to the Elk Lakes hut.
Contributed by
rueda
on
from the hard-as-nails-(in-the-coffin-of-exploit-techniques) dept.
Theo de Raadt (deraadt@) has
committed
code for a new exploit-prevention mechanism:
[…]
Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.
[…]
Contributed by
rueda
on
from the ecstatic-nostrils dept.
Florian Obser (florian@) has
committed
code to give
unwind(8)
a flexible approach to resolving strategies:
Modified files:
sbin/unwind : resolver.c resolver.h
usr.sbin/unwindctl: unwindctl.c
Log message:
Instead of only considering if a resolving strategy is dead, works or
validates, measure how well it is doing.
Next up in our hackathon series from p2k19 is one from Stefan Sperling (stsp@),
who writes:
My main goal for the p2k19 hackathon was 9260 device support in iwm(4).
Firmware updates for previous device generation were an important
prerequisite step. One day before p2k19, the oldest generation of hardware
supported by the iwm(4) driver was switched to latest available firmware images.
Contributed by
rueda
on
from the of elephants and gems dept.
Our next p2k19 report comes from Jeremy Evans (jeremy@):
While I had originally planned to attend the entire hackathon,
circumstances changed and I was only able to make it there for a few
days. Still, I was able to get some work done.
Contributed by
Peter N. M. Hansteen
on
from the leashing-the-lizard-and-the-fox dept.
Fresh from the just concluded p2k19 hackathon comes this report from Landry breuil (landry@), who writes:
This year having been a bit hectic with work and house renovation, i was
really planning to enjoy bucarest as the first real break of the year..
and it definitely was a blast.
Contributed by
Paul 'WEiRD' de Weerd
on
from the cheese-induced-hallucinations dept.
Fresh from Bucharest is this story from Martin Pieuchot (mpi@) with his experience from p2k19:
Since I attend OpenBSD hackathons, I hear stories about how crazy are
the ports hackathons. So I try my best to look like a porter in order
to experience this craziness. I must admit p2k19 was awesome but the
craziness of port hackathons is still an enigma to me.
Hi,
I just committed all the dependencies for OpenSSH security key (U2F)
support to base and tweaked OpenSSH to use them directly. This means
there will be no additional configuration hoops to jump through to use
U2F/FIDO2 security keys.
We are constantly on the lookout for stories of how you put OpenBSD to work.
Please submit any informative articles on how OpenBSD is helping your company.
2019-11-22SECURITYA local user could cause the system to hang by reading specific registers when Intel Gen8/Gen9 graphics hardware is in a low power state. A local user could perform writes to memory that should be blocked with Intel Gen9 graphics hardware.
