FreeBSD Transient Memory problem?
John-Mark Gurney
jmg at funkthat.com
Thu Sep 12 05:36:00 UTC 2013
Jonathon Wright wrote this message on Wed, Sep 11, 2013 at 14:15 -1000:
> I have posted this question (username-scryptkiddy) in the forums:
> http://forums.freebsd.org/showthread.php?t=41875
> but was suggested to bring it here to the mailing list for discussion.
>
> Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We were
> inspected by a security team and they had issues with FreeBSD's memory
> management.
>
> Namely the transient memory and object reuse areas of FreeBSD. They claimed
> that FreeBSD did not have a Common Criteria (EAL1-4) evaluation completed,
> and therefore was vulnerable to the Transient memory problem.
Any system that uses malloc will have difficulties with this as most
versions of free will not zero out the memory... You could make
modifications to kernel malloc to always zero memory on free, and turn on
the junk feature of jemalloc and that could possibly close this issue
for them...
> Our higher ups need some sort of documentation / testing that can be used
> to counter this, since changing Operating Systems is not something we have
> time / manpower to do, but might have too based on this supposed 'finding'.
>
> The post has all the details. Let me know I need to repost in this as well.
I know that FreeBSD 4.7 and 4.9 has been EAL3 ceritfied. I worked for
nCircle a number of years ago, and they got their products EAL3
cerified.
Link:
http://www.commoncriteriaportal.org:80/files/epfiles/nCircle%20CR%20v1.0.pdf
It is possible someone else has received certification on a newer version,
but I'm not aware of any at this time...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-security
mailing list