Shawn Webb is an information security professional who has been involved in open source information security technologies for the past few years. He fell in love with FreeBSD as a teenager during the 4.x days. He serves as the cofounder of HardenedBSD and is one of the lead security engineers on the project.
Luca Ferrari: Can you please introduce yourself and explain when and how you got in touch with HardenedBSD project?
Shawn Webb: Around two-and-a-half years ago, I had blogged about some of my personal goals and one of them was implementing ASLR (Address Space Layout Randomization) for FreeBSD. An awesome dude from Hungary named Oliver Pinter came across my blog post and suggested we work together. He had the beginnings of a working patch. I added execution base randomization for position-independent executables (PIEs) and per-jail support.
We started the upstreaming process for our ASLR patch nearly two years ago. In order to make our lives easier, we started the HardenedBSD project to serve as a staging area for our development prior to upstreaming. So I got started with HardenedBSD by cofounding it with Oliver Pinter.
Luca Ferrari: What are the main innovations of HardenedBSD project with regard to the last year?
Shawn Webb: Our ASLR implementation is the strongest ever implemented in any of the BSDs.
We are the only OS in existence that has true stack randomization and can achieve 42 bits of entropy introduced into the stack.
All of our enhancements are also per-jail. So if an application misbehaves with our enhancements, that application can reside in a jail with the enhancements turned off just for that jail. Those enhancements (ASLR, SEGVGUARD, PaX PAGEEXEC/MPROTECT, etc.) remain on for the rest of the system.
Additionally, we have the secadm project, allowing you to do that same toggling on a per-binary basis. If jailing the application doesn’t look attractive, then you can use secadm to simply disable the enhancement for just that application. Rulesets loaded by secadm are also per-jail. We’ve been working with the OPNSense team to help them switch from FreeBSD to HardenedBSD so they can enjoy the same level of protection I enjoy. We’re really excited to see this relationship develop further and for the switch to be made.
Luca Ferrari: What are the main advantages of HardenedBSD project?
Shawn Webb: You get the normal awesomeness that FreeBSD delivers along with expert exploit mitigation and security technologies. We’ve done a great job with our current enhancements, but there’s still a lot we’d like to do. This next year will be a great one for us and our users. We have a lot more planned for the next year.
Luca Ferrari: How difficult is it for the average developer/sysadmin to customize HardenedBSD project? (I do not know if it is possible?)
Shawn Webb: It’s just as difficult (or easy, if you prefer to think of it that way) as customizing FreeBSD. HardenedBSD is FreeBSD with our security work on top of it.
Luca Ferrari: How does the HardenedBSD project cope with an enterprise scenario?
Shawn Webb: We still have a bit of work to do in this arena. We still don’t have an official release, though we plan to have our first official release at around the same time FreeBSD releases 11.0.
We provide our own packages for 11-CURRENT/amd64 and 10-STABLE/amd64. However, we don’t provide binary updates for base. We’re waiting on base packaging support in Poudriere/pkg. If that doesn’t happen within the next six or so months, we’ll likely write our own secure binary updating mechanism.
Luca Ferrari: Where do you see the HardenedBSD project growing in the near future?
Shawn Webb: We are currently running a fundraiser to help us become a not-for-profit 501(c)(3) organization in the USA, similar to the FreeBSD Foundation. Once that happens, future donations will become tax-deductible. However, becoming a not-for-profit is pretty costly in the USA, so we need support from the community to do so. The classic chicken-and-egg scenario.
We just added a new developer, Brian Salcedo, who is tasked with revamping secadm to be more efficient. He’s doing some great work and we’re excited to see where he takes secadm in the near future. He hopes to add a feature similar to grsecurity’s TPE (Trusted Path Execution), an addition that would be very much welcomed by Oliver and me.
Luca Ferrari: Who do they see themselves competing with?
Shawn Webb: We don’t like to see us as competitors to anything or anyone. We simply like to write great code and make FreeBSD better. With companies like Netflix using FreeBSD to deliver around 36% of peak North American Internet traffic, these security enhancements are crucial. We need to raise the bar for attackers.
We’ll work with anyone and everyone who uses FreeBSD to help them bring in HardenedBSD’s work–making us not competitors but collaborators.
Luca Ferrari: Please tell us more about OPNSense.
Shawn Webb: OPNSense is an up-and-coming fork of pfSense. I own a little ASUS wireless router at home and know of its many vulnerabilities. I figured that, since I really dislike major vulnerabilities that can allow random people on the Internet to be able to man-in-the-middle (MitM) me, switching to a dedicated firewall/routing appliance would be better.
I used pfSense heavily in the past and grew to love the project. However, I wanted a custom version of it for my own use, but instead of using FreeBSD as the base, I wanted to use HardenedBSD. I like to eat my own dogfood. After a bit of digging, I figured out that it’s near impossible to do your own builds of pfSense. The documentation for the build process doesn’t exist and the pfSense project doesn’t want such documentation to exist.
So I kept looking. I had heard of OPNSense before and that it was a fork of pfSense. Their build documentation is front-and-center. Though pfSense was my first choice, I naturally went with OPNSense. After a bit of digging and some handholding from the OPNSense team, I was able to produce a working build relatively quickly.
I found that I work really well with the OPNSense team and they work well with me. Their interest became piqued as soon as they learned who I was and what I was doing. We began talking about switching OPNSense from FreeBSD to HardenedBSD. We have teamed up to help and support each other in our ventures.
Luca Ferrari: How is the VDSO (Virtual Dynamic Shared Object) integration going?
Shawn Webb: Really well! It was completed over the weekend of 04 July 2015. Finishing the Virtual Dynamic Shared Object (VDSO) randomization was the final piece to finishing our ASLR implementation.
Luca Ferrari: Why did you choose FreeBSD?
Shawn Webb: I was introduced to FreeBSD as a teenager by some cool hackers. I instantly fell in love. I’ve been an advocate of FreeBSD ever since. Choosing FreeBSD as a base for HardenedBSD was a natural choice.
Luca Ferrari: Please tell us more what the basic needs of HardenedBSD project are and how the community can help develop the project?
Shawn Webb: What we at HardenedBSD need most is funding. It takes a lot to run a project like HardenedBSD. I’m paying for it all myself out of my own pocket. We really need help in order to become a not-for-profit organization.
Additional donated hosted servers would be great, too. We could make use of another package building server and another nightly build server.
Luca Ferrari: Summing up, please tell our Readers why the HardenedBSD project is so unique and what the users can achieve when they decide to use it?
Shawn Webb: HardenedBSD provides expert exploit mitigation and security technologies to FreeBSD. These technologies have proven to make life difficult for would-be attackers. Our goal is to piss off the bad guys.
About The Author:
Luca Ferrari lives in Italy with his wife and son. He received a PhD in Computer Science from the University of Modena and Reggio Emilia, and has been co-founder, member of the board of directors and president of the Italian PostgreSQL Users’ Group (ITPUG). Luca loves Open Source software and Unix culture, uses GNU Emacs, Perl, zsh and FreeBSD along with a lot of other cool tools.
Interview comes from BSD Mag 09/2015