From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 09:03:39 2006
From: Mike Silbersack
To: Peter Jeremy
Cc: freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 03:03:33 -0600 (CST)
Subject: Re: Should I use gbde or geli?
Message-ID: <20060313025812.S85735@odysseus.silby.com>
In-Reply-To: <20060130073935.GA702@turion.vk2pj.dyndns.org>
References: <20060129022943.GJ2341@turion.vk2pj.dyndns.org> <20060130073935.GA702@turion.vk2pj.dyndns.org>
List-Id: "Security issues [members-only posting]"

On Mon, 30 Jan 2006, Peter Jeremy wrote:

>> If some burglar were to steal the
>> computer it most likely would be cut off from power.
>
> If I knew that the computer had sensitive information that would be
> lost to me if the computer got powered off, I would ensure that the
> computer didn't lose power whilst I was stealing it. Maybe I can
> steal the UPS with the computer. If not, I could try opening the
> case and paralleling my own supply.
>
> --
> Peter Jeremy

I know I'm coming in on this thread WAY late, but I thought I'd throw one
more piece of info in here.

If I'm not mistaken, an easier way to recover the key would be to use
firewire, if the server has a firewire port. Theoretically you should be
able to make a custom FreeBSD kernel that will dump the contents of
another machine's memory just by connecting to its firewire port. But
that's just info I've gleaned from skimming bugtraq, it could be wildly
inaccurate.

> Actually, even though you haven't mentioned the company, someone with
> the resources to consider breaking AES would probably not find it too
> difficult to find the company's name. You _have_ admitted that you
> are one of the people who knows the passphrase.

Hey, if we come up with a good attack plan, do you think those people
would find us and hire us to do the attack? :)

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 10:04:03 2006
From: "Jason M"
To: freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 20:03:56 +1000
Subject: DSD Approved Products

Hi,

I am considering installing several `servers' in a facility that needs
to conform with the products listed at:

DSD Approved Products
http://www.dsd.gov.au/infosec/evaluation_services/epl/dap.html

As far as I can see freebsd performs above and beyond, for all the
required criteria in the act. Can we see freebsd listed as an approved
product in the near future?

Best Regards,

Jason - RF & CO

From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 11:50:38 2006
From: Peter Thoenen
Reply-To: eol1@yahoo.com
To: Jason M, freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 03:50:31 -0800 (PST)
Subject: Re: DSD Approved Products
Message-ID: <20060313115031.4146.qmail@web51908.mail.yahoo.com>

> I am considering installing several `servers' in a facility that
> needs to conform with the products listed at: DSD Approved Products

You might want to contact your local government security wonk and ask him
if there is an open source loophole. The US Department of Defense has a
similar requirement that all Infosec / IA / crypto / blah blah items must
be approved by CSLA or various CSLA-like agencies (forgot what established
this .. been awhile .. want to say some DOD / DISA / DODI / CJCSI reg).
Lots of good tools are open source though and the cost of getting
certified is outrageous with limited actual returns to the software in
question. To combat this, a loophole was created to exempt open source
software. You might have the same in Australia.

> As far as I can see freebsd performs above and beyond, for all the
> required criteria in the act. Can we see freebsd listed as an approved
> product in the near future?

I know for CSLA and NIST the process runs in the US$40,000 plus range.
You fork the money over and you just might see it.
The problem isn't getting on the list / meeting the requirements. It's
that the agency that puts out this list requires the entity seeking
approval to pay for all associated costs to confirm your software /
hardware does indeed meet all the requirements. This can get expensive
quick .. especially if you do not pass the first time.

From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 11:53:41 2006
From: des@des.no (Dag-Erling Smørgrav)
To: "Jason M"
Cc: freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 12:53:13 +0100
Subject: Re: DSD Approved Products
Message-ID: <864q22a7di.fsf@xps.des.no>
In-Reply-To: (Jason M.'s message of "Mon, 13 Mar 2006 20:03:56 +1000")

"Jason M" writes:
> I am considering installing several `servers' in a facility that
> needs to conform with the products listed at: DSD Approved Products
> http://www.dsd.gov.au/infosec/evaluation_services/epl/dap.html
>
> As far as I can see freebsd performs above and beyond, for all the
> required criteria in the act. Can we see freebsd listed as an
> approved product in the near future?

Unfortunately, getting on that list costs a lot of money, and you have
to start over with every new release.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 12:07:15 2006
From: Peter Thoenen
Reply-To: eol1@yahoo.com
To: freebsd-security@freebsd.org
Cc: m.schiesser@quantentunnel.de
Date: Mon, 13 Mar 2006 04:07:13 -0800 (PST)
Subject: Complete GBDE / GELI encryption for systems without removable local boot tokens (aka USB drives)
Message-ID: <20060313120713.7524.qmail@web51904.mail.yahoo.com>

Speaking of GELI / GBDE. I was reading Marc's excellent paper on Complete
harddrive encryption for FreeBSD using GBDE/GELI and the problem I have
is it all depends on a bootable removable token that can be physically
secured. While an excellent solution for laptop / desktop users it just
doesn't work for remote colo users. No way you can physically remove
your unsecure boot token, or at least not remove it and hope to recover
remotely from a panic / reboot / failure in a timely manner.

Anybody have any ideas on a solution for how to do this with a colo'd
server? Ideally you could, during boot, send some token (or lock file)
via ssh or other secure method, but boot does not currently support this.

Other ideas considered and thrown out:

- Boot your system as you would a headless system. The problem is how do
  you securely get your unsecure boot image from A to B (as it contains
  your keys and lock files). This fails as some local attacker could just
  stick a hub between your boot server and server and pull your unsecure
  image during a reboot.

- Intel's secure boot (forgot what the tech is called, want to say PXE).
  Doesn't work as this only verifies the image's checksum. Sure we know
  the image wasn't tampered with but the attacker still has your keys.
Cheers,

-Peter

From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 13:35:21 2006
From: Chuck Swiger
Organization: The Courts of Chaos
To: Mike Silbersack
Cc: freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 08:35:20 -0500
Subject: Re: Should I use gbde or geli?
Message-ID: <44157518.4090102@mac.com>
In-Reply-To: <20060313025812.S85735@odysseus.silby.com>
References: <20060129022943.GJ2341@turion.vk2pj.dyndns.org> <20060130073935.GA702@turion.vk2pj.dyndns.org> <20060313025812.S85735@odysseus.silby.com>

Mike Silbersack wrote:
[ ... ]
>> Actually, even though you haven't mentioned the company, someone with
>> the resources to consider breaking AES would probably not find it too
>> difficult to find the company's name. You _have_ admitted that you
>> are one of the people who knows the passphrase.
>
> Hey, if we come up with a good attack plan, do you think those people
> would find us and hire us to do the attack? :)

Of course they will. They'll make you an offer you can't refuse. :-)

--
-Chuck

From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 22:57:00 2006
From: Peter Thoenen
Reply-To: eol1@yahoo.com
To: Thorsten Steentjes
Cc: freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 14:56:59 -0800 (PST)
Subject: Re: DSD Approved Products
Message-ID: <20060313225659.40917.qmail@web51905.mail.yahoo.com>
In-Reply-To: <20060313175458.GA79121@duke.tm.priv>

--- Thorsten Steentjes wrote:
> Could you please explain what you mean with loophole in that context?

Arg.. going to make me track down obscure government regs are you ...
been a couple years since I did IA work :)

Unsure exactly which higher level US Department of Defense Instruction
this loophole was originally derived from but US Army Regulation 25-2
Information Assurance, dated 03JUN14, Section II 4-6l states:

'Use of “open source” software (for example, Red Hat Linux) is permitted
when the source code is available for examination of malicious content,
applicable configuration implementation guidance is available and
implemented, a protection profile is in existence, or a risk and
vulnerability assessment has been conducted with mitigation strategies
implemented with DAA and CCB approval. Notify NETCOM RCIOs and the
supporting RCERT/TNOSC of local software use approval.'

So in fact what it is saying is open source software is exempt from the
CSLA process provided the local Designated Approving Authority (read in
corporate speak: Division President) approves it. Yes this has been
debated at multiple high level theater conferences and yes this really
is what it says (some anti-OSS IA guys felt it was still a bit vague and
hence prohibited). It has been clarified to read exactly what it implies
above.

NOTE: Yes I used to be a US Army IA policy wonk years ago.
From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 17:55:04 2006
From: Thorsten Steentjes
To: Peter Thoenen
Cc: freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 18:54:58 +0100
Subject: Re: DSD Approved Products
Message-ID: <20060313175458.GA79121@duke.tm.priv>
In-Reply-To: <20060313115031.4146.qmail@web51908.mail.yahoo.com>
References: <20060313115031.4146.qmail@web51908.mail.yahoo.com>
X-PGP-Key: http://www.steentjes.de/thor/pubkey.asc
X-Mailman-Approved-At: Tue, 14 Mar 2006 13:17:36 +0000

Hi Peter,

On Mon, Mar 13, 2006 at 03:50:31AM -0800, Peter Thoenen wrote:
> To combat this, a loophole was created to
> exempt open source software.
>

Could you please explain what you mean with loophole in that context?

TIA
Thorsten
--
/* Thorsten Steentjes, Hoeilaartsesteenweg 250, 3090 Overijse, Belgium */
/* Please remember: rm -rf means "read mail -really fast" */

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEFbHyFRuplBF1wuMRArPPAJ4muFWCRO5fZ7EFEOS9Slh4FR1mLQCeJ5mH
POn6FadJL8DXvWZDHbaRWA0=
=jjmx
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Mar 13 18:56:39 2006
From: Julian Elischer
To: Jason M
Cc: freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 10:56:37 -0800
Subject: Re: DSD Approved Products
Message-ID: <4415C065.7040206@elischer.org>
X-Mailman-Approved-At: Tue, 14 Mar 2006 13:18:21 +0000

Jason M wrote:

> Hi,
>
> I am considering installing several `servers' in a facility that needs
> to conform
> with the products listed at: DSD Approved Products
> http://www.dsd.gov.au/infosec/evaluation_services/epl/dap.html
>

I like the motto..
no beating around the bush.. "reveal their secrets.. protect our own"

> As far as I can see freebsd performs above and beyond, for all the required
> criteria in the act. Can we see freebsd listed as an approved product in the
> near future?
>
> Best Regards,
>
> Jason - RF & CO

From owner-freebsd-security@FreeBSD.ORG Tue Mar 14 13:33:04 2006
From: Timothy Smith
To: Julian Elischer
Cc: freebsd-security@freebsd.org, Jason M
Date: Tue, 14 Mar 2006 23:34:04 +1000
Subject: Re: DSD Approved Products
Message-ID: <4416C64C.7090309@open-networks.net>
In-Reply-To: <4415C065.7040206@elischer.org>

Julian Elischer wrote:
> Jason M wrote:
>
>> Hi,
>>
>> I am considering installing several `servers' in a facility that needs
>> to conform
>> with the products listed at: DSD Approved Products
>> http://www.dsd.gov.au/infosec/evaluation_services/epl/dap.html
>>
>
> I like the motto..
> no beating around the bush.. "reveal their secrets.. protect our own"
>
>> As far as I can see freebsd performs above and beyond, for all the
>> required
>> criteria in the act. Can we see freebsd listed as an approved product
>> in the
>> near future?

it can't be too hard to get on that list. windows 2000 is on there.

From owner-freebsd-security@FreeBSD.ORG Tue Mar 14 14:21:37 2006
From: des@des.no (Dag-Erling Smørgrav)
To: Timothy Smith
Cc: freebsd-security@freebsd.org, Julian Elischer, Jason M
Date: Tue, 14 Mar 2006 15:21:29 +0100
Subject: Re: DSD Approved Products
Message-ID: <86irqhf6om.fsf@xps.des.no>
In-Reply-To: <4416C64C.7090309@open-networks.net>

Timothy Smith writes:
> it can't be too hard to get on that list. windows 2000 is on there.

Very funny.

Getting a Common Criteria certification requires:

 - a big wad of money
 - lots and lots of very boring paperwork
 - an even bigger wad of money

Sadly, Microsoft has that, and we don't.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Mar 15 12:01:44 2006
From: Robert Watson
To: Dag-Erling Smørgrav
Cc: Timothy Smith, freebsd-security@freebsd.org, Julian Elischer, Jason M
Date: Wed, 15 Mar 2006 12:02:19 +0000 (GMT)
Subject: Re: DSD Approved Products
Message-ID: <20060315115842.M5861@fledge.watson.org>
In-Reply-To: <86irqhf6om.fsf@xps.des.no>

On Tue, 14 Mar 2006, Dag-Erling Smørgrav wrote:

> Timothy Smith writes:
>> it can't be too hard to get on that list. windows 2000 is on there.
>
> Very funny.
>
> Getting a Common Criteria certification requires:
>
> - a big wad of money
> - lots and lots of very boring paperwork
> - an even bigger wad of money
>
> Sadly, Microsoft has that, and we don't.

Having been involved in the certification process for Mac OS X, I know a
little about this process now, and the main thing to understand is that
the common criteria process is about certifying products from vendors.
We have a product, but we're not actually a vendor. Vendors are typically
the ones that find the rather large sums of cash required to complete the
certification process.

That said, we're now at the point where we basically have all the
required functionality for a CAPP evaluation in 7.x-CURRENT, and I'll be
merging the audit support to 6.x in the near future. I had hoped to ship
it in 6.1, but things haven't gone quite as quickly as I hoped. I'll MFC
the security audit support pretty quickly after the 6.1 release now that
it has settled out some in CVS HEAD. There is some additional functional
work that needs to be done, but it is generally in progress at this point.
Something we can do to make a CAPP evaluation for FreeBSD easier is to star= t=20 providing the security target documentation and assurance documentation.=20 That way if a vendor turns up and is interested in certifying, it will be a= =20 lot easier for them. Robert N M Watson --0-1890501141-1142424139=:5861-- From owner-freebsd-security@FreeBSD.ORG Fri Mar 17 06:32:02 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5DE7516A422 for ; Fri, 17 Mar 2006 06:32:02 +0000 (UTC) (envelope-from talonz@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00D2F43D48 for ; Fri, 17 Mar 2006 06:32:00 +0000 (GMT) (envelope-from talonz@gmail.com) Received: by wproxy.gmail.com with SMTP id i20so141242wra for ; Thu, 16 Mar 2006 22:32:00 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ebjEplaJ+RtfpS6NhVZ23gnYqGc9b5gaDjl/zkxiz4nukqaS3MvH5yl38OM/XbimWLOjMkz3ED8a6mRai7b40fNJMlIvIuJ3Ki6URbOVsXxI+a11ExJXQOF1XKypGc0UjGkaZE4tIr08FtiaMeP6wz/rQPeY0QbRvF1x0dLAkHg= Received: by 10.54.145.8 with SMTP id s8mr1309559wrd; Thu, 16 Mar 2006 22:32:00 -0800 (PST) Received: by 10.54.121.3 with HTTP; Thu, 16 Mar 2006 22:31:59 -0800 (PST) Message-ID: Date: Fri, 17 Mar 2006 16:31:59 +1000 From: "Jason M" To: freebsd-security@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: Subject: Re: DSD Approved Products X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: 
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Mar 2006 06:32:02 -0000 On 3/13/06, Jason M wrote: > I am considering installing several `servers' in a facility that needs > to conform > with the products listed at: DSD Approved Products > Thank you List for your input. I am investigating several loopholes that currently exist for the use of free source. 40/50k is a lot of money just to get a listing heh (places a few choice words about acquiring Australian standards here) Regards, Jason - RF & CO From owner-freebsd-security@FreeBSD.ORG Fri Mar 17 08:39:34 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8365516A400 for ; Fri, 17 Mar 2006 08:39:34 +0000 (UTC) (envelope-from avalon@caligula.anu.edu.au) Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id ED5A043D45 for ; Fri, 17 Mar 2006 08:39:33 +0000 (GMT) (envelope-from avalon@caligula.anu.edu.au) Received: from caligula.anu.edu.au (localhost [127.0.0.1]) by caligula.anu.edu.au (8.12.9/8.12.9) with ESMTP id k2H8dWOw019421; Fri, 17 Mar 2006 19:39:32 +1100 (EST) Received: (from avalon@localhost) by caligula.anu.edu.au (8.12.9/8.12.8/Submit) id k2H8dVEU019419; Fri, 17 Mar 2006 19:39:31 +1100 (EST) From: Darren Reed Message-Id: <200603170839.k2H8dVEU019419@caligula.anu.edu.au> To: talonz@gmail.com (Jason M) Date: Fri, 17 Mar 2006 19:39:31 +1100 (Australia/ACT) In-Reply-To: from "Jason M" at Mar 17, 2006 04:31:59 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: DSD Approved Products X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Mar 2006 08:39:34 -0000 In some mail from Jason M, sie said: > > On 3/13/06, Jason M wrote: > > I am considering installing several `servers' in a facility that needs > > to conform > > with the products listed at: DSD Approved Products > > > > Thank you List for your input. > I am investigating several loopholes that currently exist for the use > of free source. > 40/50k is a lot of money just to get a listing heh > (places a few choice words about acquiring Australian standards here) For DSD approval, you're not even in the ballpark. 100s of 1000s. Why does it cost so much? Because you're effectively paying for them to hire a contractor to evaluate the submission and contractors are not cheap. Yes, the government actually outsources this to local companies in Canberra. Darren From owner-freebsd-security@FreeBSD.ORG Sat Mar 18 06:13:54 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B8F6D16A41F for ; Sat, 18 Mar 2006 06:13:54 +0000 (UTC) (envelope-from bestregardsus@yahoo.com) Received: from web33012.mail.mud.yahoo.com (web33012.mail.mud.yahoo.com [68.142.206.76]) by mx1.FreeBSD.org (Postfix) with SMTP id 5A79E43D49 for ; Sat, 18 Mar 2006 06:13:54 +0000 (GMT) (envelope-from bestregardsus@yahoo.com) Received: (qmail 37540 invoked by uid 60001); 18 Mar 2006 06:13:53 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=3Qs2QQYNqJQlpndnffGfmecxOHrnUgvq8Hd41UGQsnu/onISznrEYNon6ktij8qLxmWkMd0b2zaT/9cqS6azGnMGsVCjMwWshkMcGTE3wSKJ8mOSfUNKL07izIBD+uLP2M0IJxnRKLZXlwImQXpXqp5OGmQaqU2+INceaDHXkjM= ; Message-ID: <20060318061353.37538.qmail@web33012.mail.mud.yahoo.com> Received: from [159.226.5.225] by 
web33012.mail.mud.yahoo.com via HTTP; Fri, 17 Mar 2006 22:13:53 PST Date: Fri, 17 Mar 2006 22:13:53 -0800 (PST) From: Zhouyi Zhou To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: IPSEC with MAC/MLS support crack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Mar 2006 06:13:54 -0000 Hi, When I use FreeBSD-6.0 Release (also FreeBSD-5.4), I found IPSEC can't coexists with MAC. When the IpSec is setup, and we connects the TCP server with IPSEC and MAC support, the server innevitably crack. Because the m_pkthdr of some mbuf is mangled by unknown reasons. Following is my kernel configuration: options MAC options MAC_DEBUG options UFS_EXTATTR options UFS_EXTATTR_AUTOSTART options MAC_MLS # uncomment to put sebsd to kernel, but better to options IPSEC options IPSEC_ESP options IPSEC_DEBUG Following is the kernel dump backtrace: #0 0xc0668f0b in kdb_enter (msg=0x12
) at cpufunc.h:60 #1 0xc06509ab in panic (fmt=0xc08e6470 "mac_mls_dominate_element: b->mme_type invalid") at ../../../kern/kern_shutdown.c:545 #2 0xc07be3da in mac_mls_dominate_element (a=0xc14dfebc, b=0xc1b5eee4) at ../../../security/mac_mls/mac_mls.c:216 #3 0xc07be4e2 in mac_mls_effective_in_range (effective=0xc1b5eee0, range=0xc14dfe70) at ../../../security/mac_mls/mac_mls.c:266 #4 0xc07bf8de in mac_mls_check_ifnet_transmit (ifnet=0xc1646400, ifnetlabel=0x12, m=0xc16e5600, mbuflabel=0x12) at ../../../security/mac_mls/mac_mls.c:1564 #5 0xc07b49fb in mac_check_ifnet_transmit (ifnet=0xc1646400, mbuf=0xc16e5600) at ../../../security/mac/mac_net.c:409 #6 0xc06bfb46 in ether_output (ifp=0xc1646400, m=0xc16e5600, dst=0xc1a16330, rt0=0xc1816840) at ../../../net/if_ethersubr.c:161 #7 0xc06f3662 in ip_output (m=0xc16e5600, opt=0xc16e56ec, ro=0xc1a1632c, flags=0, imo=0x0, inp=0xc186d654) at ../../../netinet/ip_output.c:778 #8 0xc06fca6a in tcp_output (tp=0xc186fac8) at ../../../netinet/tcp_output.c:1080 #9 0xc0704bbc in tcp_disconnect (tp=0xc186fac8) at ../../../netinet/tcp_usrreq.c:1253 #10 0xc07034c0 in tcp_usr_disconnect (so=0x12) at ../../../netinet/tcp_usrreq.c:443 #11 0xc0689822 in sodisconnect (so=0x0) at ../../../kern/uipc_socket.c:576 #12 0xc0689490 in soclose (so=0xc19ec164) at ../../../kern/uipc_socket.c:457 #13 0xc0678d17 in soo_close (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/sys_socket.c:317 #14 0xc062e818 in fdrop_locked (fp=0xc1736c60, td=0xc1730c00) at file.h:289 #15 0xc062e769 in fdrop (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/kern_descrip.c:2112 #16 0xc062cd97 in closef (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/kern_descrip.c:1932 #17 0xc062a175 in close (td=0xc1730c00, uap=0x12) at ../../../kern/kern_descrip.c:1008 #18 0xc086576f in syscall (frame= The failing point is not always the same and my system is: FreeBSD zzy.ios 6.0-RELEASE FreeBSD 6.0-RELEASE #13: Fri Mar 17 17:11:04 UTC 2006 
root@zzy.ios:/root/Earth/earth/sys/i386/compile/earth i386 Thanks very much __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-security@FreeBSD.ORG Sat Mar 18 06:10:53 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4EA9516A400 for ; Sat, 18 Mar 2006 06:10:53 +0000 (UTC) (envelope-from bestregardsus@yahoo.com) Received: from web33008.mail.mud.yahoo.com (web33008.mail.mud.yahoo.com [68.142.206.72]) by mx1.FreeBSD.org (Postfix) with SMTP id D8B8143D45 for ; Sat, 18 Mar 2006 06:10:52 +0000 (GMT) (envelope-from bestregardsus@yahoo.com) Received: (qmail 35612 invoked by uid 60001); 18 Mar 2006 06:10:52 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Huv3Agt2J54+qsTHZwxBPZ9fBbFsMNUDdUFdlHK6KpmmOpeDGsxIbXcmxHVvwuAXjGhu0B00eB/QeG3kpySWKlkqbnkRGt/vsswQ8QTGb1vHpTAfpKJluIySVaMVwnzmT+Exp7MGBmBiC8M4mP4w3gmYyMI87Z2yybIfzhBTb8E= ; Message-ID: <20060318061052.35610.qmail@web33008.mail.mud.yahoo.com> Received: from [159.226.5.225] by web33008.mail.mud.yahoo.com via HTTP; Fri, 17 Mar 2006 22:10:52 PST Date: Fri, 17 Mar 2006 22:10:52 -0800 (PST) From: Zhouyi Zhou To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Sat, 18 Mar 2006 06:35:45 +0000 Subject: IPSEC with MAC/MLS support crack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Mar 2006 06:10:53 -0000 Hi, When I use FreeBSD-6.0 Release 
(also FreeBSD-5.4), I found IPSEC can't coexists with MAC. When the IpSec is setup, and we connects the TCP server with IPSEC and MAC support, the server innevitably crack. Because the m_pkthdr of some mbuf is mangled by unknown reasons. Following is my kernel configuration: options MAC options MAC_DEBUG options UFS_EXTATTR options UFS_EXTATTR_AUTOSTART options MAC_MLS # uncomment to put sebsd to kernel, but better to options IPSEC options IPSEC_ESP options IPSEC_DEBUG Following is the kernel dump backtrace: #0 0xc0668f0b in kdb_enter (msg=0x12
) at cpufunc.h:60 #1 0xc06509ab in panic (fmt=0xc08e6470 "mac_mls_dominate_element: b->mme_type invalid") at ../../../kern/kern_shutdown.c:545 #2 0xc07be3da in mac_mls_dominate_element (a=0xc14dfebc, b=0xc1b5eee4) at ../../../security/mac_mls/mac_mls.c:216 #3 0xc07be4e2 in mac_mls_effective_in_range (effective=0xc1b5eee0, range=0xc14dfe70) at ../../../security/mac_mls/mac_mls.c:266 #4 0xc07bf8de in mac_mls_check_ifnet_transmit (ifnet=0xc1646400, ifnetlabel=0x12, m=0xc16e5600, mbuflabel=0x12) at ../../../security/mac_mls/mac_mls.c:1564 #5 0xc07b49fb in mac_check_ifnet_transmit (ifnet=0xc1646400, mbuf=0xc16e5600) at ../../../security/mac/mac_net.c:409 #6 0xc06bfb46 in ether_output (ifp=0xc1646400, m=0xc16e5600, dst=0xc1a16330, rt0=0xc1816840) at ../../../net/if_ethersubr.c:161 #7 0xc06f3662 in ip_output (m=0xc16e5600, opt=0xc16e56ec, ro=0xc1a1632c, flags=0, imo=0x0, inp=0xc186d654) at ../../../netinet/ip_output.c:778 #8 0xc06fca6a in tcp_output (tp=0xc186fac8) at ../../../netinet/tcp_output.c:1080 #9 0xc0704bbc in tcp_disconnect (tp=0xc186fac8) at ../../../netinet/tcp_usrreq.c:1253 #10 0xc07034c0 in tcp_usr_disconnect (so=0x12) at ../../../netinet/tcp_usrreq.c:443 #11 0xc0689822 in sodisconnect (so=0x0) at ../../../kern/uipc_socket.c:576 #12 0xc0689490 in soclose (so=0xc19ec164) at ../../../kern/uipc_socket.c:457 #13 0xc0678d17 in soo_close (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/sys_socket.c:317 #14 0xc062e818 in fdrop_locked (fp=0xc1736c60, td=0xc1730c00) at file.h:289 #15 0xc062e769 in fdrop (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/kern_descrip.c:2112 #16 0xc062cd97 in closef (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/kern_descrip.c:1932 #17 0xc062a175 in close (td=0xc1730c00, uap=0x12) at ../../../kern/kern_descrip.c:1008 #18 0xc086576f in syscall (frame= The failing point is not always the same and my system is: FreeBSD zzy.ios 6.0-RELEASE FreeBSD 6.0-RELEASE #13: Fri Mar 17 17:11:04 UTC 2006 
root@zzy.ios:/root/Earth/earth/sys/i386/compile/earth i386 Thanks very much __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-security@FreeBSD.ORG Sat Mar 18 06:50:25 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4662016A400 for ; Sat, 18 Mar 2006 06:50:25 +0000 (UTC) (envelope-from arne_woerner@yahoo.com) Received: from web30307.mail.mud.yahoo.com (web30307.mail.mud.yahoo.com [68.142.200.100]) by mx1.FreeBSD.org (Postfix) with SMTP id C3E4B43D45 for ; Sat, 18 Mar 2006 06:50:24 +0000 (GMT) (envelope-from arne_woerner@yahoo.com) Received: (qmail 33158 invoked by uid 60001); 18 Mar 2006 06:50:24 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=fx6N6BQekAEOFGBFrxNRLj7R2/NlewrKzO1pcbDJ6TlhQrB28DTHPFA3iyvM8hpKA/+rPweLJaQFsJ+AyiRX9Lg3OHhe9cpbSn3kjD53PV5gFtguWwAE0pnD7S9wetd+3yUEdcNkQZGQLhjpzhDM1r8Mqe/C4YuLzbFVJWAUcZU= ; Message-ID: <20060318065024.33155.qmail@web30307.mail.mud.yahoo.com> Received: from [213.54.77.3] by web30307.mail.mud.yahoo.com via HTTP; Fri, 17 Mar 2006 22:50:24 PST Date: Fri, 17 Mar 2006 22:50:24 -0800 (PST) From: Arne Woerner To: Zhouyi Zhou , freebsd-security@freebsd.org In-Reply-To: <20060318061353.37538.qmail@web33012.mail.mud.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: Subject: Re: IPSEC with MAC/MLS support crack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Mar 2006 
06:50:25 -0000 --- Zhouyi Zhou wrote: > #2 0xc07be3da in mac_mls_dominate_element > (a=0xc14dfebc, b=0xc1b5eee4) > at ../../../security/mac_mls/mac_mls.c:216 > Hi! Maybe I should not mention it, but somehow my mac_mls.c looks like, function mac_mls_dominate_element is already over in line 216 (there starts the next function (mac_mls_range_in_range))... Have u done something to your mac_mls.c? Bye Arne P. S.: Arne likes "The Others" (2001)... __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
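A stand-alone model of the three checks in frames #2 to #4 of the backtrace above, added here as an example and not FreeBSD's mac_mls.c: the element layout, the type constants, the sample interface range and mbuf labels are all constructed, and an element with an invalid mme_type is reported as an error instead of panicking the kernel.

```c
/* Model of the label checks on the panic path in the backtrace above
 * (mac_mls_check_ifnet_transmit -> mac_mls_effective_in_range ->
 * mac_mls_dominate_element). Added example, not FreeBSD's mac_mls.c: element
 * layout, type constants and "error instead of panic" are assumptions. */
#include <stdint.h>
#include <stdio.h>

enum mls_type { MLS_TYPE_UNDEF = 0, MLS_TYPE_LEVEL, MLS_TYPE_LOW, MLS_TYPE_HIGH, MLS_TYPE_EQUAL };

struct mls_element {
    int      mme_type;          /* one of enum mls_type */
    uint16_t mme_level;         /* sensitivity level, MLS_TYPE_LEVEL only */
    uint64_t mme_compartments;  /* compartment bitmask, MLS_TYPE_LEVEL only */
};
struct mls_range { struct mls_element low, high; };

/* 1 if a dominates b, 0 if not, -1 if either element carries an invalid
 * type (the condition the reported kernel turned into a panic). */
int mls_dominate_element(const struct mls_element *a, const struct mls_element *b)
{
    if (a->mme_type < MLS_TYPE_LEVEL || a->mme_type > MLS_TYPE_EQUAL ||
        b->mme_type < MLS_TYPE_LEVEL || b->mme_type > MLS_TYPE_EQUAL)
        return -1;
    if (a->mme_type == MLS_TYPE_EQUAL || b->mme_type == MLS_TYPE_EQUAL)
        return 1;
    if (a->mme_type == MLS_TYPE_HIGH || b->mme_type == MLS_TYPE_LOW)
        return 1;
    if (a->mme_type == MLS_TYPE_LOW || b->mme_type == MLS_TYPE_HIGH)
        return 0;
    /* both are levels: a is at least b's level and covers b's compartments */
    return a->mme_level >= b->mme_level &&
           (a->mme_compartments & b->mme_compartments) == b->mme_compartments;
}

/* In range iff range.high dominates the effective label and the effective
 * label dominates range.low; a mangled element propagates as -1. */
int mls_effective_in_range(const struct mls_element *effective,
                           const struct mls_range *range)
{
    int hi = mls_dominate_element(&range->high, effective);
    int lo = mls_dominate_element(effective, &range->low);
    return (hi < 0 || lo < 0) ? -1 : (hi && lo);
}

/* Transmit hook: 0 = permit, 1 = deny (label outside the interface range),
 * -1 = mangled mbuf label, logged and dropped rather than trusted. */
int mls_check_ifnet_transmit(const struct mls_range *ifrange,
                             const struct mls_element *mbuflabel)
{
    int r = mls_effective_in_range(mbuflabel, ifrange);
    if (r < 0)
        fprintf(stderr, "mls: dropping mbuf with invalid mme_type %d\n",
                mbuflabel->mme_type);
    return r < 0 ? -1 : (r ? 0 : 1);
}

/* Constructed sample data: interface range low..(level 10, all compartments). */
const struct mls_range sample_ifrange = { {MLS_TYPE_LOW, 0, 0}, {MLS_TYPE_LEVEL, 10, 0xFF} };
const struct mls_element sample_ok_label  = { MLS_TYPE_LEVEL, 5, 0x3 };
const struct mls_element sample_far_label = { MLS_TYPE_LEVEL, 20, 0x0 };
const struct mls_element sample_bad_label = { 99, 0, 0 };  /* mangled type */
```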