FreeBSD Transient Memory problem?

Jonathon Wright jonathon.s.wright at gmail.com
Thu Sep 12 19:33:35 UTC 2013


I agree, really, I do. This is very frustrating to me. Unfortunately, the
team has left and gone to another project. They indicated to our management
that we had 90 days to address the issue with our plan. It's a bit harder to
contact them now since they are gone, but I can probably get some questions
to them. They did leave a copy of the report, here is the entire verbiage:

---BEGIN

*Description of Finding:* Object reuse cannot be verified. The FreeBSD
servers used have not been evaluated or certified by NIAP. As such, it
cannot be verified that the operating system ensures transient memory
cleansing (object reuse) features are in place.

*Rationale for Severity Code Determination:* The Validation team has
determined this to be a Category II finding. By using unapproved Operating
Systems (OS) which do not ensure that no residual data from a former object
exists, a malicious user could gain access to memory and OS objects that
contain sensitive information.

*Recommended Countermeasure(s):* Transition servers to an NIAP approved OS.
Decommission the FreeBSD servers.
---END

What I think they are looking for is a verification that every malloc has a
call to free afterwards that zeros out the memory used. I could be wrong,
but just a guess.

JW


On Thu, Sep 12, 2013 at 8:00 AM, Julian Elischer <julian at freebsd.org> wrote:

> On 9/13/13 1:49 AM, My Email wrote:
>
>> My apologies, I have been replying to all, I hope that is the correct
>> method.
>>
>> Anyway, that is very interesting information. I'd be extremely interested
>> in information on customizing malloc and jemalloc. Let me know where to
>> start. Thanks!
>>
>
> it's hard to know how to refute it because they don't explain WHAT memory
> they are talking about.
> there is NO OS in the world that can survive that test if they are talking
> about protection from a malware kernel module.
> On the other hand if they are just talking about user memory allocation
> then of course we NEVER hand uncleared memory to anyone. (even root). Ask
> them to tell you what memory they are talking about..
> and if they want free memory in the pool to be clear then it wouldn't take
> much to
> add a module that zeros non vnode memory when it's handed back to the
> kernel.
>
> But for all we know they are talking about people stealing punch cards and
> photographing them..
>
>  JW
>>
>> On Sep 11, 2013, at 7:35 PM, John-Mark Gurney <jmg at funkthat.com> wrote:
>>
>>  Jonathon Wright wrote this message on Wed, Sep 11, 2013 at 14:15 -1000:
>>>
>>>> I have posted this question (username-scryptkiddy) in the forums:
>>>> http://forums.freebsd.org/showthread.php?t=41875
>>>> but was suggested to bring it here to the mailing list for discussion.
>>>>
>>>> Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We were
>>>> inspected by a security team and they had issues with FreeBSD's memory
>>>> management.
>>>>
>>>> Namely the transient memory and object reuse areas of FreeBSD. They
>>>> claimed
>>>> that FreeBSD did not have a Common Criteria (EAL1-4) evaluation
>>>> completed,
>>>> and therefore was vulnerable to the Transient memory problem.
>>>>
>>> Any system that uses malloc will have difficulties with this as most
>>> versions of free will not zero out the memory...  You could make
>>> modifications to kernel malloc to always zero memory on free, and turn on
>>> the junk feature of jemalloc and that could possibly close this issue
>>> for them...
>>>
>>>> Our higher ups need some sort of documentation / testing that can be
>>>> used
>>>> to counter this, since changing Operating Systems is not something we
>>>> have
>>>> time / manpower to do, but might have to based on this supposed
>>>> 'finding'.
>>>>
>>>> The post has all the details. Let me know if I need to repost in this as
>>>> well.
>>>>
>>> I know that FreeBSD 4.7 and 4.9 have been EAL3 certified.  I worked for
>>> nCircle a number of years ago, and they got their products EAL3
>>> certified.
>>>
>>> Link:
>>> http://www.commoncriteriaportal.org:80/files/epfiles/nCircle%20CR%20v1.0.pdf
>>>
>>> It is possible someone else has received certification on a newer
>>> version,
>>> but I'm not aware of any at this time...
>>>
>>> --
>>>   John-Mark Gurney                Voice: +1 415 225 5579
>>>
>>>      "All that I will do, has been done, All that I have, has not."
>>>
>
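The technical substance of the thread is three claims: free() by itself does not clear an object, a zero-on-free wrapper (or jemalloc's junk option) closes that gap at the application level, and the kernel never hands a process pages it has not cleared. The following C program is an added example written to illustrate those three points; it is not part of the thread and not FreeBSD, jemalloc or nCircle code. It assumes a POSIX system with mmap(2) and a C99 compiler; the marker byte and buffer sizes are constructed for illustration, and scrub, secure_free, scrub_demo, nonzero_in_fresh_pages and marker_bytes_after_free are hypothetical names.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose MAP_ANONYMOUS under -std=c11; harmless on FreeBSD */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older FreeBSD spells it MAP_ANON */
#endif

#define MARKER 0xC3   /* constructed byte standing in for "sensitive data" */

/* Overwrite n bytes at p with zeros through a volatile pointer so the
 * compiler cannot discard the stores as dead right before free().
 * Returns the number of non-zero bytes left afterwards (0 on success).
 * explicit_bzero(3) (FreeBSD 11+, glibc 2.25+) is the library way to do this. */
static size_t scrub(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    size_t leftover = 0;
    for (size_t i = 0; i < n; i++)
        vp[i] = 0;
    for (size_t i = 0; i < n; i++)
        leftover += (vp[i] != 0);
    return leftover;
}

/* A "clearing free": zero the object, then hand it back to the allocator. */
static void secure_free(void *p, size_t n)
{
    if (p == NULL)
        return;
    (void)scrub(p, n);
    free(p);
}

/* Fill a heap buffer with the marker, scrub it, report leftover bytes. */
static size_t scrub_demo(size_t n)
{
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return (size_t)-1;
    memset(buf, MARKER, n);
    size_t leftover = scrub(buf, n);
    free(buf);
    return leftover;
}

/* Pages the kernel hands to a process are zero-filled: map fresh anonymous
 * memory and count non-zero bytes (expected: 0). */
static size_t nonzero_in_fresh_pages(size_t n)
{
    unsigned char *m = mmap(NULL, n, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return (size_t)-1;
    size_t nz = 0;
    for (size_t i = 0; i < n; i++)
        nz += (m[i] != 0);
    munmap(m, n);
    return nz;
}

/* free() itself clears nothing: fill a buffer, free it (scrubbed or not),
 * malloc the same size again and count marker bytes in the new block.
 * The unscrubbed count depends on the allocator (jemalloc's "junk" option
 * overwrites freed memory), so treat it as informational; the scrubbed
 * count stays at or near zero whatever the allocator does. */
static size_t marker_bytes_after_free(size_t n, int scrub_first)
{
    unsigned char *a = malloc(n);
    if (a == NULL)
        return (size_t)-1;
    memset(a, MARKER, n);
    if (scrub_first)
        secure_free(a, n);
    else
        free(a);
    unsigned char *b = malloc(n);   /* often, but not necessarily, the same chunk */
    if (b == NULL)
        return (size_t)-1;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (b[i] == MARKER);
    free(b);
    return hits;
}

int main(void)
{
    printf("leftover after scrub:           %zu\n", scrub_demo(4096));
    printf("non-zero bytes in fresh pages:  %zu\n", nonzero_in_fresh_pages(4096));
    printf("marker bytes after plain free:  %zu\n", marker_bytes_after_free(4096, 0));
    printf("marker bytes after secure_free: %zu\n", marker_bytes_after_free(4096, 1));
    return 0;
}
```

Build with `cc -O2 -o objreuse objreuse.c` and run it twice: once as-is, and once with the junk feature John-Mark mentions enabled (MALLOC_OPTIONS=J on the FreeBSD 8.x malloc, MALLOC_CONF=junk:true on later jemalloc) to see the "plain free" count drop without any source change. The volatile loop in scrub is the part that matters for an audit answer: a plain memset() before free() is exactly the store a compiler is allowed to remove.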

