An update on the recent security affairs and how they are, or were, handled on
DEFCON 25 and 34c3
Ilja Van Sprundel presented at Defcon 25 (July 2017) and 34c3 (December 2017)
the results of his audit of the BSD kernels.
The issues affecting NetBSD were fixed overnight in the NetBSD-current branch,
and were propagated to the stable branches within a month. Kernels from NetBSD-6
and NetBSD-7 built after August 23rd 2017 had all the necessary fixes.
Some reports published recently suggest that the stable branches remained
vulnerable for months, and that NetBSD was lagging behind; that is simply not
In Ilja Van Sprundel’s report, NetBSD was criticized for having too much legacy
and buggy code. Several proactive measures were taken, within a month again, to
clean up the system. These measures were:
- TCP_COMPAT_42 was removed.
- COMPAT_FREEBSD was disabled.
- COMPAT_SVR4 and COMPAT_SVR4_32 were disabled on all architectures.
- COMPAT_IBCS2 was disabled on all architectures but Vax.
- COMPAT_SVR4 support for i386 was removed.
- COMPAT_IBCS2 support for i386 was removed.
- VM86 was removed.
Several of these changes were propagated to the stable branches. Since, several
additional improvements were made to further externalize some parts of the kernel,
in such a way that features can be taken out of the system by default, but still
be loaded as kernel modules dynamically when they are needed. This aims, of
course, at reducing the attack surface in the base system.
Due to the limited human resources available in security-team@, Security
Advisories generally take time to be issued. A Security Advisory for the
reported problems had not been issued in time, and it was decided not to
issue one. The Security Team will continue working on more recent security
Meltdown and Spectre
The counter-measure for Meltdown, called SVS (Separate Virtual Space), is
being developed. It was first committed on January 7th 2018, and has now reached
a stable state. It is available only on x86 64bit (amd64) for now, this
architecture being our primary target.
A significant effort is required to back-port SVS to the stable branches: many
improvements were made in the amd64 port (better security and performance) since
the last release, and they will have to be, at some point, back-ported too.
Regarding Spectre, Intel and AMD have issued microcode updates. In the case of
Intel, the new microcode adds several MSRs, that the OS can tune to disable
branch prediction. Given that NetBSD supports microcode updates, it is possible
to install a new microcode; however, no option is available yet to tune the
It is not clear whether the fixes proposed by Intel and AMD are sufficiently
reliable. Recent reports suggest that some CPUs have started misbehaving when
running with the new microcodes. Therefore, the fix for Spectre is expected to
take a little more time to produce than that of Meltdown.
Go to Source
Author: Maxime Villard
Powered by WPeMatico