HoaS goes on an OpenBSD Adventure


Postby Head_on_a_Stick » October 27th, 2018, 3:06 pm

cynwulf wrote:The clue is in that word "audit".

^ I'm going to come back to this point to fill the last page :)

Yes, it is true that the OpenBSD developers audit their code regularly to try and catch bugs and it is also true that the Linux kernel developers do not do this at all.

But I would draw attention to this quote from Brian W Kernighan & P J Plauger's seminal Elements of Programming Style text:
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.

Accordingly, in Linux such auditing is instead performed by specialist penetration testers who are expert at finding bugs & vulnerabilities in other people's code.

One such individual is Ilja von Sprundel and he recently decided to look at the BSDs to see if he could find the same sort of problems that are exposed in the Linux kernel, here is an excellent talk from him:

https://media.ccc.de/v/34c3-8968-are_al ... lly#t=2359

It's all rather dry and technical (but very interesting) and the conclusions start at 38 minutes in, just after it is revealed that the OpenBSD developers do not audit any of the DRM code imported from Linux at all because they don't like the format of the code (!).

tl;dr: OpenBSD fares better than the others but he still manages to find a bunch of exploitable bugs in the three months he was looking at the code.

And there is also the small matter of the recent X hole: why did OpenBSD's much-vaunted audits not catch that bug?

The truth is that auditing is considered a bit old-hat now that we are in the brave new world of kernel fuzzing :ugeek:

OpenBSD is catching up[1] but Linux has a clear lead here with Google's syzbot running through code paths that a billion users could never have discovered in a million years even as we speak.

[1] https://www.openbsd.org/papers/fuzz-slides.pdf
Last edited by Head_on_a_Stick on October 31st, 2018, 9:35 pm, edited 1 time in total.
Show Off
Head_on_a_Stick
 
Posts: 163
Joined: June 16th, 2015, 8:35 pm
Location: London baby!

Re: My Awesome Adventure (CoC debate)

Postby cynwulf » October 28th, 2018, 9:29 pm

Head_on_a_Stick wrote:But I would draw attention to this quote from Brian W Kernighan & P J Plauger's seminal Elements of Programming Style text:
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.

Accordingly, in Linux such auditing is instead performed by specialist penetration testers who are expert at finding bugs & vulnerabilities in other people's code.

That's quite some leap... plus "specialist penetration testers" are not by definition code auditors... you're talking about some kind of retroactive security auditing as the only kind of auditing - big difference...

Head_on_a_Stick wrote:One such individual is Ilja von Sprundel and he recently decided to look at the BSDs to see if he could find the same sort of problems that are exposed in the Linux kernel, here is an excellent talk from him:

https://media.ccc.de/v/34c3-8968-are_al ... lly#t=2359

Old news, as I recall there was errata for these.

The irony here is that von Sprundel decided to sit down and "audit" the code... and quite unsurprisingly he found a few things...

https://www.csoonline.com/article/32506 ... nk-so.html

Head_on_a_Stick wrote:tl;dr: OpenBSD fares better than the others but he still manages to find a bunch of exploitable bugs in the three months he was looking at the code.

He was doing exactly what was needed... a thorough audit.

Head_on_a_Stick wrote:And there is also the small matter of the recent X hole: why did OpenBSD's much-vaunted audits not catch that bug?

If X were part of OpenBSD this would be relevant.
cynwulf
 
Posts: 2549
Joined: April 26th, 2011, 2:46 pm

Re: My Awesome Adventure (CoC debate)

Postby Head_on_a_Stick » October 28th, 2018, 9:46 pm

cynwulf wrote:If X were part of OpenBSD this would be relevant.

https://github.com/openbsd/xenocara?
Show Off
Head_on_a_Stick
 
Posts: 163
Joined: June 16th, 2015, 8:35 pm
Location: London baby!

Re: My Awesome Adventure (CoC debate)

Postby cynwulf » October 28th, 2018, 11:27 pm

Is X11 developed by OpenBSD developers or is it 3rd party software which is included in the base? Yes or no?

https://www.openbsd.org/faq/faq1.html

xenocara runs privsep and pledged, the project has worked hard to integrate and handle X.org properly, but it's still a glaring problem and badly needs replacing with something much simpler (on all OS which use it). It has obviously been patched now and deraadt had this to say: https://marc.info/?l=openbsd-cvs&m=154050453117246&w=2

I also draw your attention to this important statement: https://marc.info/?l=openbsd-tech&m=154050351216908&w=2

(this kind of scenario seems to be getting all too familiar)

In this case I believe this CVE was more easily exploited on OpenBSD than on other OS (probably due to legacy (non-KMS/DRM) X video drivers), but that's just a complete guess.

At the end of the day there are two major problems here - despite its history, X.org has become very focused on Linux and is a freedesktop.org project after all. DRM drivers are all developed for Linux, with the assistance, or direct involvement, of Intel and AMD engineers among others - the *BSDs are very much downstream just importing this code and that's not always a good position to be in. It's still better than maintaining and patching legacy versions and losing support for newer hardware.

So you do seem to be resorting to petty trolling again Mr Developer, perhaps with the hope that I might somehow get offended if my chosen OS is not some perfect bastion of code quality and security?

Take your observations and questions on this X bug in OpenBSD to its mailing lists, as that is the correct place for them.
cynwulf
 
Posts: 2549
Joined: April 26th, 2011, 2:46 pm

Re: My Awesome Adventure (CoC debate)

Postby Head_on_a_Stick » October 29th, 2018, 10:37 pm

cynwulf wrote:Is X11 developed by OpenBSD developers or is it 3rd party software which is included in the base? Yes or no?

Well, yes the original code is created by the freedesktop folks but the OpenBSD devs patch it heavily. And yes, it is included in the base system, which is why I presumed that it would be included in the audits.

Do you know if the devs audit Xenocara at all?

The DRM omission shocked me, to be honest, I didn't expect that at all.

cynwulf wrote:In this case I believe this CVE was more easily exploited on OpenBSD than on other OS (probably due to legacy (none KMS/DRM) X video drivers, but that's just a complete guess.

I think the devs' decision to apply the setuid bit to the Xorg binary was the main problem, at least if Theo's post on cvs@ was anything to go by:
Theo wrote:Disable setuid on the X server. We have always known it is a trash fire
and we held out hope too long.

https://marc.info/?l=openbsd-cvs&m=154050453117246&w=2

cynwulf wrote:So you do seem to be resorting to petty trolling again Mr Developer

FFS d00d, how many times do I have to repeat myself?
  • Trolling in the Nonsense section is fine (I checked the rules), not that I am trolling but whatever.
  • I am an ex-developer, I retired my position because I felt that I was under-qualified.
Are you hard of hearing or just hard of understanding? :mrgreen:

cynwulf wrote:perhaps with the hope that I might somehow get offended if my chosen OS is not some perfect bastion of code quality and security?

Take your observations and questions on this X bug in OpenBSD to it's mailing lists, as that is the correct place for them.

Chill out, I was attempting to have a discussion, just ignore my posts if they bother you so much.
Show Off
Head_on_a_Stick
 
Posts: 163
Joined: June 16th, 2015, 8:35 pm
Location: London baby!
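The post above turns on one concrete property: whether the X server binary carries the setuid bit, which is what the cited commit removed. The script below is an added example, not code from this thread or from OpenBSD's xenocara; it is a POSIX sh audit that lists setuid/setgid files under a directory tree, reports whether a given X server binary is setuid, and strips the bit. The paths /usr/X11R6/bin/Xorg (OpenBSD) and /usr/lib/xorg/Xorg (typical Linux) in the comments are assumed defaults, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the forum thread or from OpenBSD): audit a tree for
# setuid/setgid files and check the X server binary specifically.
# Assumes only POSIX sh, find(1) and test(1); no root needed to read modes.

# Print the path of every regular file under DIR with the setuid (04000)
# or setgid (02000) bit set, one per line. "-perm -4000" means "all of these
# bits set", so it matches 4755, 4711, 6755 and so on.
find_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Exit status 0 if FILE has the setuid bit, 1 otherwise. "-u" is a POSIX
# test(1) primary, so this works in any sh and does not depend on ls output.
is_setuid() {
    [ -u "$1" ]
}

# Report on one X server binary.
#   0 = present and not setuid (the state after the cited commit)
#   1 = present and setuid
#   2 = no such file
# Assumed default locations: /usr/X11R6/bin/Xorg (OpenBSD), /usr/lib/xorg/Xorg (Linux).
check_xserver() {
    xorg="$1"
    if [ ! -f "$xorg" ]; then
        echo "no X server binary at $xorg"
        return 2
    fi
    if is_setuid "$xorg"; then
        echo "WARNING: $xorg is setuid; a bug in the server runs with the owner's privileges"
        return 1
    fi
    echo "OK: $xorg is not setuid"
    return 0
}

# Remove the setuid and setgid bits from FILE. On a real system this needs
# root and is the same effect the OpenBSD commit had on the installed Xorg.
strip_setuid() {
    chmod u-s,g-s "$1"
}

# Run as: sh setuid-audit.sh ROOT_DIR XORG_PATH
# e.g.    sh setuid-audit.sh /usr/X11R6 /usr/X11R6/bin/Xorg
# With no arguments the file only defines the functions, so it can be sourced.
if [ "$#" -ge 2 ]; then
    echo "setuid/setgid files under $1:"
    find_setuid_setgid "$1"
    check_xserver "$2"
fi
```

One caveat worth knowing before running strip_setuid on a live machine: once the server is no longer setuid it cannot open the hardware itself from an unprivileged startx, so it has to be started through a privileged launcher such as the display manager (xenodm on OpenBSD), which is how the OpenBSD change was meant to be used.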

Re: My Awesome Adventure (CoC debate)

Postby cynwulf » October 30th, 2018, 10:40 am

Head_on_a_Stick wrote:Well, yes the original code is created by the freedesktop folks

No. X.org.
Head_on_a_Stick wrote:but the OpenBSD devs patch it heavily.

No. I'm also not sure what "heavily" is supposed to mean in this context? Can you link to these supposedly "weighty" patches?
Head_on_a_Stick wrote:Do you know if the devs audit Xenocara at all?

xenocara is a build system for X.

I think it's about time that you stopped pretending to know what you're talking about.
Head_on_a_Stick wrote:FFS d00d, how many times do I have to repeat myself?
  • Trolling in the Nonsense section is fine (I checked the rules), not that I am trolling but whatever.
  • I am an ex-developer, I retired my position because I felt that I was under-qualified.
Are you hard of hearing or just hard of understanding? :mrgreen:

I think it's about time that you stopped pretending to know what you're talking about.
cynwulf
 
Posts: 2549
Joined: April 26th, 2011, 2:46 pm

Re: My Awesome Adventure (CoC debate)

Postby Head_on_a_Stick » October 30th, 2018, 7:35 pm

cynwulf wrote:
Head_on_a_Stick wrote:Well, yes the original code is created by the freedesktop folks

No. X.org.

D'oh! Thanks for the correction :)

cynwulf wrote:
Head_on_a_Stick wrote:but the OpenBSD devs patch it heavily.

No.

May I refer you to this talk given by Matthieu Herrb (the OpenBSD Xenocara maintainer), I have taken this quote from the "Xenocara" section of the talk:
Based on released versions, plus OpenBSD-specific patches :
  • privilege separation,
  • support for some legacy architectures,
  • bug fixes not yet integrated or released upstream.

And I'm guessing that Matthieu knows better than you :)

cynwulf wrote:I'm also not sure what "heavily" is supposed to mean in this context?

Yes, quite right, adjectives are the weak tools of the sloppy mind, thank you for calling me on that.

cynwulf wrote:
Head_on_a_Stick wrote:Do you know if the devs audit Xenocara at all?

xenocara is a build system for X.

Yes, yes, and Matthieu named it after the fish that cleans aquaria, tell me something I don't know :roll:

Is it audited or not?

cynwulf wrote:I think it's about time that you stopped pretending to know what you're talking about.

Whatever.
Show Off
Head_on_a_Stick
 
Posts: 163
Joined: June 16th, 2015, 8:35 pm
Location: London baby!

Re: My Awesome Adventure (CoC debate)

Postby cynwulf » October 31st, 2018, 10:13 am

Head_on_a_Stick wrote:May I refer you to this talk given by Matthieu Herrb (the OpenBSD Xenocara maintainer), I have taken this quote from the "Xenocara" section of the talk:
Based on released versions, plus OpenBSD-specific patches :
  • privilege separation,
  • support for some legacy architectures,
  • bug fixes not yet integrated or released upstream.

And I'm guessing that Matthieu knows better than you :)

He does, but where is the "heavily" you're referring to? privsep is for ports as well. It's patched, but not "heavily" patched. i.e. they haven't gone over every single piece of it and rewritten it. The key here is in the term "privilege separation". The X server hasn't been "heavily patched", it's simply not trusted.
Head_on_a_Stick wrote:Yes, yes, and Matthieu named it after the fish that cleans aquaria, tell me something I don't know :roll:

You've done some last minute web searches at least. But in your previous correspondence you seemed to regard it as some kind of "heavily patched" fork of X?
Head_on_a_Stick wrote:Is it audited or not?

Why not get your arse to the mailing lists and ask the maintainer or any other developer willing to give you the air time...? You can ask whether or not LLVM/clang, gdb and gcc are "audited" while you're there... have fun.

Now supposing it's actually not audited? Just like something from ports is not really audited to the same extent as the base system, what will you do then?
The ports collection does not go through the same thorough security audit that is performed on the OpenBSD base system. Although we strive to keep the quality of the packages high, we just do not have enough resources to ensure the same level of robustness and security.

Head_on_a_Stick wrote:Whatever.

You're clearly making it all up as you go along. But then that's how it works at FDN and the Linux fanboi sites isn't it?
cynwulf
 
Posts: 2549
Joined: April 26th, 2011, 2:46 pm

Re: My Awesome Adventure (CoC debate)

Postby nodir » October 31st, 2018, 10:40 am

better don't make them trying to "give back" for BSD too.

Just glanced over the "are you testing buster" tutorial.
Fucking great idea to make people who need to be told how to run a mixed testing/unstable setup (and getting it told kinda wrong, which makes it worse) send thousands of pointless bug reports, as they've got no clue what the heck they are into when using testing and/or sid.
Probably gives them a boner if they talk to that magical thing called "developer". To be part of something. Mankind still seems to be in religion. "I know the forces" ... Well: you don't.
nodir
 
Posts: 307
Joined: June 16th, 2015, 10:10 pm

Re: HS goes on an OpenBSD Adventure

Postby cynwulf » October 31st, 2018, 11:34 am

The testing/unstable thing never really interested me. I ran it for a time and explored the options of running a mixed system, etc. It teaches you a lot about package management but not a lot else - I've never been interested in package management as it's not always a "transferable skill" as such. Running stable and backporting your own stuff was far more interesting and rewarding for me. For many users, packages seem to abstract things and they never really think beyond the concept of the package.

I could easily dig out historic threads at FDN where some "long term sid user" is complaining about some serious breakage and blaming everyone but himself...

It's a culture thing - Linux fans became more like "consumers" as the gulf between hacker and user widened and hackers became "developers" [in the employ of $SOME_CORPORATION]. Sadly the *BSDs have also been flooded with these twats in recent years, as they migrate in from the Linuxes because of systemd or whatnot.
cynwulf
 
Posts: 2549
Joined: April 26th, 2011, 2:46 pm
