|
|
Subscribe / Log in / New account

OpenBSD system-call-origin verification

OpenBSD system-call-origin verification

Posted Dec 13, 2019 16:21 UTC (Fri) by rweikusat2 (subscriber, #117920)
In reply to: OpenBSD system-call-origin verification by Cyberax
Parent article: OpenBSD system-call-origin verification

Sure. And you can also ride a bike with a sofa in tow.

The underlying message is nevertheless: From now on, it's strengstens verboten to call into the OpenBSD kernel from machine code. This is a necessary security measure because only criminals would do that, anyway.

NB: This is *not* a statement in favour of the great usefulness of machine code programming. But that's a hobby of some people who enjoy building stuff, as opposed to "make money by coming up with ever more abstruse ways of tearing it down".

to post comments

OpenBSD system-call-origin verification

Posted Dec 13, 2019 18:26 UTC (Fri) by atai (subscriber, #10977) [Link] (1 responses)

riding a bike with a sofa in tow.

That can be a sport with regular races. Seriously.

OpenBSD system-call-origin verification

Posted Dec 13, 2019 18:28 UTC (Fri) by atai (subscriber, #10977) [Link]

https://www.eveningtelegraph.co.uk/2016/06/23/video-man-t...

OpenBSD system-call-origin verification

Posted Dec 13, 2019 18:32 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (13 responses)

> The underlying message is nevertheless: From now on, it's strengstens verboten to call into the OpenBSD kernel from machine code.
Dude, you have some really strange concepts of pretty much everything CS-related.

The overhead of libc functions is pretty much negligible, since you're doing syscalls.

OpenBSD system-call-origin verification

Posted Dec 13, 2019 19:42 UTC (Fri) by rweikusat2 (subscriber, #117920) [Link] (12 responses)

The reply text doesn't really match the quoted text ;-).

I wasn't referring to the additional runtime cost of invoking the system call through a C wrapper, although that's not necessary negligible and someone writing machine code would very likely care about it nevertheless, but about the "infrastructure overhead" of having to link with this library (including the size of the thing) and the absurdity of writing code following the C calling conventions of a particularly system so that one can interface with (compiled) C code supposed to enable other C code to use an interface defined in machine code.

For a loosely related example, people implement alternative C libraries for Linux solely because they're horrified by "glibc bloat". That's not much of a real practical concern, either, because today's "embedded systems" vastly more powerful than "high-end UNIX workstations of the mid-1990s", but some people do care about it very much nevertheless.

OpenBSD system-call-origin verification

Posted Dec 19, 2019 6:31 UTC (Thu) by marcH (subscriber, #57642) [Link] (11 responses)

> people implement alternative C libraries for Linux solely because they're horrified by "glibc bloat"
> That's not much of a real practical concern, either, because today's "embedded systems" vastly more powerful than "high-end UNIX workstations of the mid-1990s", but some people do care about it very much nevertheless.

Yes of course: some hobbyists have fun implementing libraries with insanely small footprints, only to be used in systems several orders of magnitude bigger. It's like a sport.

You should actually look at some of these libraries and corresponding operating systems, they tend to give examples of the sort of real hardware they target.

OpenBSD system-call-origin verification

Posted Dec 19, 2019 10:29 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (10 responses)

To be fair, musl libc is a full-blown replacement for glibc. And it's better in many regards.

OpenBSD system-call-origin verification

Posted Dec 19, 2019 15:46 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (9 responses)

Eh, without NSS or PAM, some of my use cases aren't supported. I already had to drop a Go program because it wouldn't use the `mymachines` NSS plugin from `systemd-machined` to be able to get hostnames of sibling containers.

OpenBSD system-call-origin verification

Posted Dec 19, 2019 20:15 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (8 responses)

Well, would be nice to drop NSS libraries entirely.

OpenBSD system-call-origin verification

Posted Dec 20, 2019 17:06 UTC (Fri) by cortana (subscriber, #24596) [Link] (7 responses)

Somehow I get the feeling that many who dislike NSS won't be happy to replace it with systemd-resolved... ;)

OpenBSD system-call-origin verification

Posted Dec 20, 2019 20:31 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

It should be replaced by a simple local daemon with a simple well-defined protocol. Libraries that are loaded behind your back into the running process are just a bad idea.

OpenBSD system-call-origin verification

Posted Dec 21, 2019 13:26 UTC (Sat) by cortana (subscriber, #24596) [Link] (3 responses)

resolved for all then! :)

OpenBSD system-call-origin verification

Posted Dec 21, 2019 16:44 UTC (Sat) by dezgeg (subscriber, #92243) [Link] (2 responses)

Using nscd in non-caching configuration is already practical and done in NixOS for everything except the built-in NSS modules. IIRC not everything in NSS is supported via nscd though, but fixing nscd to have 100% feature parity should be much easier than reinventing anything new.

OpenBSD system-call-origin verification

Posted Dec 24, 2019 1:01 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

This kind of approach is certainly the best, but until then, those of us who need NSS-provided functionality are stuck on glibc.

OpenBSD system-call-origin verification

Posted Dec 24, 2019 12:31 UTC (Tue) by cortana (subscriber, #24596) [Link]

I believe nscd doesn't play well with sssd (though I haven't bothered to investigate why, perhaps it's just that it's unnecessary since sssd does it's own caching anyway).

And that NSS will tell you a host's addresses but not which interface they are reachable via, or whether the query was secured by DNSSEC, dns-over-tls, etc, which resolved does provide via its D-BUS API.

(As well as being able to do nifty things like LLMNR, or split-DNS. OTOH resolved does have its own bugs and limitations that drive me up the wall a bit...)

OpenBSD system-call-origin verification

Posted Jan 8, 2020 11:20 UTC (Wed) by nix (subscriber, #2304) [Link]

AIUI this is upstream glibc's longer-term goal too -- however, it will still look like NSS from the viewpoint of both NSS modules themselves and existing users. Quite what to do is still up in the air, but it's likely that we'll end up with something like an always-on, possibly autospawned nscd which aggressively loads all modules names in nsswitch.conf at startup and on nsswitch.conf change.

This isn't to avoid libraries getting loaded behind your back into a running process so much as it is to allow removal of the incredibly convoluted and invasive statically-linked dlopen() feature, which is only really there so that statically linked programs can do name lookups. (But moving all the NSS stuff out of every process's address space into one more controllable domain is definitely a side benefit!)

(I am only an egg, but this is my understanding, anyway. My apologies if I'm mischaracterizing anything or accidentally mixing it up with my own ideas of obviously right implementations etc: human memory is a fallible thing...)

OpenBSD system-call-origin verification

Posted Jan 9, 2020 1:34 UTC (Thu) by anselm (subscriber, #2796) [Link]

Probably not, given that the uses of NSS and those of systemd-resolved only overlap slightly.

OpenBSD system-call-origin verification

Posted Dec 14, 2019 8:50 UTC (Sat) by dvdeug (guest, #10998) [Link] (3 responses)

Who cares? If you have a problem with this, there's Minix, Illumos, Linux, FreeBSD and NetBSD kernels, plus older versions of OpenBSD or versions of OpenBSD with this feature patched out. You're complaining that a niche demand (not your actual problem, but someone else's) is not being supported by a somewhat niche operating system that is following its own explicitly stated, somewhat niche, goals that conflict in this instance, when people have any number of alternatives to OpenBSD.

A hobby of many people is low-level computer hacking, wherein any Unix-type system is going to get in the way with all this "filesystem" and "virtual memory" crap. Guess what they do? They use a system that supports their needs.

OpenBSD system-call-origin verification

Posted Dec 16, 2019 20:12 UTC (Mon) by rweikusat2 (subscriber, #117920) [Link] (1 responses)

I'm not "complaining" about anything, I'm just pointing out that the "eternal OpenBSD quest" of "hopefully increase resilience against bugs we cannot fix by making the system more complicated to program" has meanwhile crossed the boundary of "your programming language of choice must not be one we disapprove of".

OpenBSD system-call-origin verification

Posted Dec 17, 2019 5:44 UTC (Tue) by dvdeug (guest, #10998) [Link]

And we're pointing, in part, that that's false. You can still engage in assembly language programming; you just have to call libc instead of directly making system calls. With a suitable assembler or binary patcher to replace direct syscalls with libc calls, you could get around even that problem.

Most code ever written won't compile or run on modern Unix systems, short of emulation, and the dialects they're written in fundamentally won't work well on Unix. You can't really use certain Forth dialects, as they implement hard drives as an array of sectors that the program has arbitrary access to. MS-DOS C dialects assume segmented pointers. VMS C has its own system calls that makes porting any non-trivial program challenging. Same thing with Windows C. Many BASICs assume you can PEEK and POKE certain memory locations for certain effects. You can't run most assembly languages or machine language; 68000 assembly written for OpenBSD won't run on any modern version, and never ran on any non-68K OpenBSD. You can run any language or program on any sufficiently large system with enough layers of indirection, but virtually all non-trivial code not written for Unix systems is going to make enough assumptions about how things work that Unix disagrees with to require serious emulation or virtualization to work without code changes.

The boundary of "your programming language of choice must not be one we disapprove of" was first willfully crossed when memory protection and filesystems were added.

And you say you're not "complaining", but you've chosen to characterize the "eternal OpenBSD quest" in a biased way that sounds a lot like a complaint; the goal is to "increase resilience against bugs", by many tactics, not just those which some rare programmers might find complicating things.

OpenBSD system-call-origin verification

Posted Jan 8, 2020 17:36 UTC (Wed) by marcH (subscriber, #57642) [Link]

According to de Raadt, OpenBSD is a "research operating system for developing security mitigations". Not exactly something anyone is forced to use.

Other systems often get these mitigations "for free" once OpenBSD paid the initial development price for them.

I really can't see anything to be unhappy about.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds