#BSDCan #FreeBSD #devsummit: Day two. More live tooting. We'll kick off this day with an update by the FreeBSD Security Team (secteam@).
#BSDCan #FreeBSD #devsummit: The security officer position has its own charter. The challenges facing the security team are quite difficult:
1. Extremely broad mandate
2. A lot of hurry up and wait activities not conducive to a friendly employment environment
3. Very high level of very technical knowledge required to respond to the large variety of issues
#BSDCan #FreeBSD #devsummit: There's a lot of burnout. Especially so since there's few qualified people to work on the security team.
#BSDCan #FreeBSD #devsummit: They're fixing these challenges by splitting vulnerability response and mitigation implementation.
#BSDCan #FreeBSD #devsummit: FreeBSD needs technical resources and need people who are willing to work on issues that cannot be disclosed outside.
#BSDCan #FreeBSD #devsummit: [Personal note: Gordon's moving pretty fast. I won't be able to capture everything.]
#BSDCan #FreeBSD #devsummit: Two basic workstreams:
1. FreeBSD only response:
- No NDA or explicit embargo
- Only applies to FreeBSD (and maybe Net/Open)
- No major risk of exposure
2. Multi-vendor coordinated response:
- NDA and/or explicit embargo
- Coordinated response via private party or CERT/CC
- Requires limited internal disclosure to contain risk of exposure
#BSDCan #FreeBSD #devsummit: Note on exposure: Some bugs details have leaked because a security team member disclosed to their employer the bug, even when they weren't supposed to do so.
#BSDCan #FreeBSD #devsummit: We don't want to end up like #OpenBSD where vendors don't notify us of vulnerabilities due to violating embargoes.
#BSDCan #FreeBSD #devsummit: There were FreeBSD committers that were notified of Meltdown by Intel via unofficial channels prior to the secteam's official notification in late December. Those committers did not notify secteam.
#BSDCan #FreeBSD #devsummit: How the FreeBSD Foundation enables secteam:
1. Holder of NDA and vendor relationships
- Survivability of changeover of security officer
- Vendor relationships
2. Funds resources
- Pays for Ed's time
- Pays for Gordon's travel
- Pays for development resources to enable response (kib@ specifically)
#BSDCan #FreeBSD #devsummit: Once CERT/CC was involved with CVE-2018-8897 / SA-18:06.debugreg, FreeBSD was able to give pre-embargo patches to pfSense.
[Personal note: this is rather... interesting...]
#BSDCan #FreeBSD #devsummit: FreeBSD uses Coverity, but doesn't pay much attention to it.
#BSDCan #FreeBSD #devsummit: From Ed Maste: the FreeBSD Foundation interns worked on Syzkaller. FreeBSD is hoping to help enhance its FreeBSD support.
#BSDCan #FreeBSD #devsummit: Question in the audience: do these embargoes have rules regarding early disclosure by other vendors (ie, #OpenBSD)?
Answer: embargoes are usually negotiated with the researcher. You'll notice that the embargo dates fall around the Blackhat conference.
#BSDCan #FreeBSD #devsummit: [Personal note: there seems to be some hostility towards #OpenBSD by multiple people here.]
#BSDCan #FreeBSD #devsummit: Ed Maste: I certainly don't want a reputation of blowing embargoes.
#BSDCan #FreeBSD #devsummit: From Allan Jude: Should secteam@ have a phone number?
#BSDCan #FreeBSD #devsummit: secteam update finished. On break for a half hour.
#BSDCan #FreeBSD #devsummit: The devsummit is about to continue with FreeBSD 12.0 planning.
#BSDCan #FreeBSD #devsummit: FreeBSD would like to get #OpenSSL 1.1 in base for the 12.0 release.
#BSDCan #FreeBSD #devsummit: Bikeshedding how to take notes.
#BSDCan #FreeBSD #devsummit: Desired to get in to 12.0: geli UEFI support.
#BSDCan #FreeBSD #devsummit: Desired for 12.0: Removal of gets(3).
#BSDCan #FreeBSD #devsummit: Desired for 12.0: kill gcc 4.2.1 in base completely.
#BSDCan #FreeBSD #devsummit: pkgbase will be an experimental feature in 12.0. Perhaps provide the required infrastructure (pkg repo). Have pkgbase configured and enabled by default, but allow users to still use freebsd-update.
#BSDCan #FreeBSD #devsummit: LUA loader enabled by default. UEFI boot loader loose ends. devmatch loose ends.
#BSDCan #FreeBSD #devsummit: [Personal note: if I just list random stuff for the next little while, that likely means things that will/might go into 12.0]
#BSDCan #FreeBSD #devsummit: Making sure kernel memory mappings that don't need to be executable aren't on amd64.
#BSDCan #FreeBSD #devsummit: [Personal note: taking a break for a few minutes. Peeps are taking notes on a Google Doc, which I assume will be shared later.]
#BSDCan #FreeBSD #devsummit: [Personal note: I'm back. Something I ate yesterday isn't agreeing with me.]
#BSDCan #FreeBSD #devsummit: Juniper would like to volunteer to help get verified exec in 12.0.
#BSDCan #FreeBSD #devsummit: Kostik's ASLR and NVDIMM patches.
#BSDCan #FreeBSD #devsummit: Yahoo has made #OpenSSL a private library in base for multiple years and recommends against it. It's a huge landmine, especially if libprivatecrypto and libcrypto are loaded at the same time.
