The results are in. About 5 billion fuzz cases, a few 10-hour streams, and we found 6 unique bugs in OpenBSD ctags. All with an absolutely garbage fuzzer. Some were pretty tricky (uninit stack use, global overflows), but vecemu was able to detect 'em!
https://twitter.com/gamozolabs/status/1229379329248784385
https://gist.github.com/gamozolabs/ac79a6d755e44d71f5bf0659a0848265
#security #ctags #fuzzing
LPE and RCE in OpenSMTPD's default install (CVE-2020-8794).
https://www.openwall.com/lists/oss-security/2020/02/24/5
#opensmtpd #security
Remote root exploits are now publicly available for the LPE and RCE in OpenSMTPD's default install on OpenBSD (CVE-2020-8794).
https://www.openwall.com/lists/oss-security/2020/02/26/1
#security #opensmtpd
OpenBSD Full Disk Encryption with CoreBoot and Tianocore Payload.
https://functionallyparanoid.com/2020/03/07/openbsd-full-disk-encryption-with-coreboot-and-tianocore-payload/
#encryption #security
022: RELIABILITY FIX: March 10, 2020 All architectures
Missing input validation in sysctl(2) can be used to crash the kernel.
023: RELIABILITY FIX: March 13, 2020 All architectures
Local outbound UDP broadcast or multicast packets sent by a spliced socket can crash the kernel.
#security
My machines are hosted in 3 different places. First is at Exoscale, second is Vultr and the third is... my flat. All of them run either OpenBSD on its -current branch, or the latest version of Ubuntu. At this time, that's Ubuntu 19.10. After a couple of years working on OpenBSD ports (i.e. packaging), I believe fresh software is better, security-wise.
https://chown.me/blog/infrastructure-2019.html
#server
Using OpenBSD relayd to Add Security Headers.
I am a huge fan of OpenBSD’s built-in httpd server as it is simple, secure, and quite performant. With the modern push of the large search providers pushing secure websites, it is now important to add security headers to your website or risk having the search results for your website downgraded. Fortunately, it is very easy to do this when you combine httpd with relayd.
https://goblackcat.com/posts/using-openbsd-relayd-to-add-security-headers/
#relayd
Introduction to doas on OpenBSD.
OpenBSD's alternative to sudo is doas, although it does not work the same way as sudo and requires some configuration...
https://www.vultr.com/docs/introduction-to-doas-on-openbsd
#doas
OpenBSD makes life pretty easy when it comes to securing your web-app...
https://blog.snailtext.com/posts/berkeley-smorgasbord.html
https://blog.snailtext.com/posts/berkeley-smorgasbord-part-2.html
Fullstack mailserver based on OpenSMTPD for OpenBSD using ansible
https://github.com/AnsiMail/AnsiMail
#ansible #opensmtpd
A privilege separated implementation of WireGuard for OpenBSD.
https://github.com/timkuijsten/wiresep
#wireguard
pf-badhost is a simple, easy to use badhost blocker that uses the power of the pf firewall to block many of the internet's biggest irritants.
https://www.geoghegan.ca/pfbadhost.html
#pf #firewall
OpenBSD's 'spinning' CPU time category.
Unix systems have long had a basic breakdown of what your CPU (or CPUs) was spending its time doing. The traditional division is user time, system time, idle time, and 'nice' time (which is user time for tasks that have their scheduling priority lowered through nice(1) or the equivalent), and then often 'interrupt' time, for how much time the system spent in interrupt handling. Some Unixes have added 'iowait', which is traditionally defined as 'the system was idle but one or more processes were waiting for IO to complete'. OpenBSD doesn't have iowait, but current versions have a new time category, 'spinning'...
https://utcc.utoronto.ca/~cks/space/blog/unix/OpenBSDCpuSpinTime
#cpu #spinning
Tale of OpenBSD secure memory allocator internals - malloc(3)
So, again I started reading OpenBSD source code with a debugger after reducing my sleep timings and managing to get some time after professional life. This time I have picked one of my favourite items from my wishlist to learn and share, that is, OpenBSD malloc(3), the secure allocator.
I will try to keep it as an n-part series due to the lengthy content, and this series will be mostly focused on the user-space code of malloc(3) and friends.
First of all, I would like to thank Otto Moerbeek, Bryan Steele and Fabien Romano for helping me to understand the malloc(3) internals and clearing all my queries.
So, we should start now... :)
https://bsdb0y.github.io/blog/deep-dive-into-the-OpenBSD-malloc-and-friends-internals-part-1.html
#malloc
An OpenBSD E-Mail Server Using OpenSMTPD, Dovecot, Rspamd, and RainLoop.
This tutorial demonstrates a full-featured email server running on OpenBSD using OpenSMTPD, Dovecot, Rspamd, and RainLoop. OpenSMTPD is the default mail server for OpenBSD. Choose a Vultr Compute Cloud instance with plenty of storage for the expected number of users.
https://www.vultr.com/docs/an-openbsd-e-mail-server-using-opensmtpd-dovecot-rspamd-and-rainloop
#opensmtpd #mail
A great desktop experience on OpenBSD with fluxbox.
https://ybad.name/Logiciel-libre/OpenBSD/Great_desktop_experience_fluxbox_openbsd.html
#desktop #fluxbox