[nycbug-talk] BSDCan ike-notes - McBride-OpenBSD network stack randomization

Isaac Levy ike
Fri May 20 20:52:09 EDT 2005


More BSDCan ike-notes,

Really cool stuff, Ryan McBride gave a lecture on network stack 
randomization in OpenBSD- which I thought was really cool stuff.  
Basically, as always, the OpenBSD crew makes software that belongs in 
the MOMA, IMHO- pretty intense stuff.  Ryan discussed the various 
sources of entropy that get xor'ed into a pool of packet ids for the 
tcp/ip packet stack.  The talk was brief, which led to a great Q&A with 
the bulk of the OpenBSD core team in attendance, which went into other 
randomization in OpenBSD, (pid randomization, ProPolice use for memory 
pointer stack randomization, etc...), and quickly spun into some 
general hardcore OpenBSD Q&A quality time.

I'm sad to say I missed Bob Beck's lecture on Spamd, as well as Henning 
Brauer speaking on OpenBGPD, but am pleased to say there was a ton of 
great conversation at the bars about various topics with the OpenBSD 
crew- which made up for it.

While having drinks, Henning Brauer explained briefly how I could 
replicate the functionality I love from FreeBSD's jail facility (which 
I was speaking about at the conference), using OpenBSD.  Basically, it 
involves chroot'ing all the OpenBSD userland apps, and using PF to 
restrict an IP alias interface to the user process which is running the 
chroot.  (PF now can filter packets by user process).
I am currently hacking around with this procedure at home- mostly 
getting to know more about PF and hacking around...  (now that PF is 
native in FreeBSD, crossover will be MUCH easier.)

In another discussion, Mathieu Sauve-Frankel (Matt) explained in 
greater depth some of the reasoning behind why there's little interest 
for a jail facility in OpenBSD- basically that their concerns are with 
more fundamental security ideas, and that jailing bad software is 
still jailing bad software... an attitude I can totally agree with.
However, I conversely argued basically that *all* software is bad 
software, and there are other applications for a jail facility...  Beer 
and food were served, and conversations switched gears a million times.

We called our own Mikey in NYC, who sadly could not attend, but will be 
in Canada soon for the OpenBSD Hackathon!

Discussions I had with all the OpenBSD folks were really fun, since I 
use (and love) so much in FreeBSD, we were coming at the same problems 
from opposite ends of the universe.  Needless to say, after the 
Conference, I'm now making my duct-tape-computers lab a *much* more 
heterogeneous environment all around...

Rocket-
.ike
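The chroot-plus-PF recipe Henning described above, as an added example (not part of the original post and not Henning's or the OpenBSD project's own code): a small sh script that generates the pf.conf fragment binding one IP alias to one chroot'ed UID using PF's `user` match. The interface `em0`, address `192.0.2.10`, user name `www`, the `jail/*` anchor name and the function names are constructed for the example. The `pf_jail_apply` helper only makes sense on an OpenBSD host with PF enabled and an `anchor "jail/*"` line in /etc/pf.conf; the rule generator itself runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the PF rules for the
# "one IP alias per chroot'ed user" recipe. Interface, address, user name
# and anchor name are constructed placeholders.

# pf_jail_rules USER ALIAS_IP EXT_IF
#   Prints a pf.conf fragment on stdout. "quick" makes the first match win,
#   so anything from/to the alias that is not owned by USER is dropped.
pf_jail_rules() {
    jail_user="$1"; jail_ip="$2"; jail_if="$3"
    # Refuse user names that are not plain words, so the generated rule text
    # cannot be steered by the argument (pf.conf would choke on them anyway).
    case "$jail_user" in
        ''|*[!A-Za-z0-9_-]*) echo "pf_jail_rules: bad user name: $jail_user" >&2; return 1 ;;
    esac
    cat <<EOF
# --- rules for user $jail_user confined to $jail_ip on $jail_if ---
jail_if = "$jail_if"
jail_ip = "$jail_ip"

# Only sockets owned by $jail_user may originate traffic from the alias
pass out quick on \$jail_if inet from \$jail_ip user $jail_user
block out quick on \$jail_if inet from \$jail_ip

# Inbound to the alias is accepted only for sockets owned by $jail_user
# (the "user" match applies to connections terminating on this host, not
# to forwarded traffic)
pass in quick on \$jail_if inet to \$jail_ip user $jail_user
block in quick on \$jail_if inet to \$jail_ip
EOF
}

# pf_jail_apply USER ALIAS_IP EXT_IF  (OpenBSD only, run as root)
#   Adds the alias address and loads the rules into the anchor jail/USER.
#   Assumes /etc/pf.conf already contains:  anchor "jail/*"
pf_jail_apply() {
    ifconfig "$3" alias "$2" netmask 255.255.255.255 || return 1
    pf_jail_rules "$@" | pfctl -a "jail/$1" -f -
}

# Usage:  pf_jail_rules www 192.0.2.10 em0      # inspect the rules
#         pf_jail_apply www 192.0.2.10 em0      # then: chroot /jail/www su www ...
```

The generator and the loader are separate on purpose: reviewing the emitted rules with `pfctl -a jail/www -s rules` before trusting them is the check worth doing, and keeping each user's rules in its own anchor means tearing a jail down is `pfctl -a jail/www -F rules` plus removing the alias, with no edits to the main ruleset. The chroot'ed process still shares the kernel with everything else on the box, which is the point Matt made about it not being a substitute for fixing the software.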