FreeBSD Transient Memory problem?

Thu Sep 12 20:05:43 UTC 2013

On Sep 12, 2013, at 2:33 PM, Jonathon Wright <jonathon.s.wright at gmail.com> wrote:

> I agree, really, I do. This is very frustrating to me. Unfortunately, the
> team has left and gone to another project. They indicated to our management
> that we had 90 days to address the issue with our plan. Its a bit harder to
> contact them now since they are gone, but I can probably get some questions
> to them. They did leave a copy of the report, here is the entire verbiage:
> 
> ---BEGIN
> 
> *Description of Finding:* Object reuse cannot be verified. The FreeBSD
> servers used have not been evaluated or certified by NIAP. As such, it
> cannot be verified that the operating system ensures transient memory
> cleansing (object reuse) features are in place.
> 
> *Rationale for Severity Code Determination:* The Validation team has
> determined this to be a Category II finding. By using unapproved Operating
> Systems (OS) which do not ensure that no residual data from a former object
> exists, a malicious user could gain access to memory and OS objects that
> contain sensitive information.
> 
> *Recommended Countermeasure(s):* Transition servers to an NIAP approved OS.
> Decommission the FreeBSD servers.
>  ---END
> 
> What I think they are looking for is a verification that every malloc has a
> call to free afterwords that zeros out the memory used. I could be wrong,
> but just a guess.
> 
> JW

Two common forms of object reuse are in memory allocation to a process and in blocks allocated to a file. As far as I understand the issue, malloc/free within a single process would not be a relevant concern (generally, only inter-process activity crosses security boundaries). A malloc that causes VM pages to be assigned to the process by the kernel, or file writes that cause blocks to be allocated to a file, would be the among the relevant issues. Unfortunately, as I'm not a VM or FS guru, I can't point to particular points in the kernel source that show that memory is zeroed when allocated to a new process, or blocks are zeroed when allocated to a file. However, this is fundamental to secure operation of any modern system, and if there is *any* evidence that FreeBSD operates to the contrary, it would be worthy of a security advisory (witness the sendfile() security advisory from earlier this week).

I don't have a copy of "Design and Implementation of FreeBSD" handy, but I would imagine it points out the relevant code paths. However, it seems your management wants evidence of EAL certification, not evidence from code. Perhaps you can borrow such certification from nCircle or others.

Guy

> On Thu, Sep 12, 2013 at 8:00 AM, Julian Elischer <julian at freebsd.org> wrote:
> 
>> On 9/13/13 1:49 AM, My Email wrote:
>> 
>>> My apologies, I have been replying too all, I hope that is the correct
>>> method.
>>> 
>>> Anyway, that is very interesting information. I'd be extremely interested
>>> in information on customizing malloc and jemalloc. Let me know where to
>>> start. Thanks!
>>> 
>> 
>> it's hard to know how to refute it because they don't explain WHAT memory
>> they are talking about.
>> there is NO OS in the world that can survive that test if they are talking
>> about protection from a malware kernel module.
>> On the other hand if they are just talking about user memory allocation
>> then of course we NEVER hand uncleared memory to anyone. (even root). Ask
>> them to tell you what memory they are talking about..
>> and if they want free memory in the pool to be clear then it wouldn't take
>> much to
>> add a module that zeros non vnode memory when it's handed back to the
>> kernel.
>> 
>> But for all we know they are talking about people stealing punch cards and
>> photographing them..
>> 
>> JW
>>> 
>>> On Sep 11, 2013, at 7:35 PM, John-Mark Gurney <jmg at funkthat.com> wrote:
>>> 
>>> Jonathon Wright wrote this message on Wed, Sep 11, 2013 at 14:15 -1000:
>>>> 
>>>>> I have posted this question (username-scryptkiddy) in the forums:
>>>>> http://forums.freebsd.org/**showthread.php?t=41875<http://forums.freebsd.org/showthread.php?t=41875>
>>>>> but was suggested to bring it here to the mailing list for discussion.
>>>>> 
>>>>> Basically, FreeBSD 8.3 (64bit) is what we use in our shop. We were
>>>>> inspected by a security team and they had issues with FreeBSD's memory
>>>>> management.
>>>>> 
>>>>> Namely the transient memory and object reuse areas of FreeBSD. They
>>>>> claimed
>>>>> that FreeBSD did not have a Common Criteria (EAL1-4) evaluation
>>>>> completed,
>>>>> and therefore was vulnerable to the Transient memory problem.
>>>>> 
>>>> Any system that uses malloc will have difficulties with this as most
>>>> versions of free will not zero out the memory...  You could make
>>>> modifications to kernel malloc to always zero memory on free, and turn on
>>>> the junk feature of jemalloc and that could possibly close this issue
>>>> for them...
>>>> 
>>>> Our higher ups need some sort of documentation / testing  that can be
>>>>> used
>>>>> to counter this, since changing Operating Systems is not something we
>>>>> have
>>>>> time / manpower to do, but might have too based on this supposed
>>>>> 'finding'.
>>>>> 
>>>>> The post has all the details. Let me know I need to repost in this as
>>>>> well.
>>>>> 
>>>> I know that FreeBSD 4.7 and 4.9 has been EAL3 ceritfied.  I worked for
>>>> nCircle a number of years ago, and they got their products EAL3
>>>> cerified.
>>>> 
>>>> Link:
>>>> http://www.**commoncriteriaportal.org:80/**files/epfiles/nCircle%20CR%**
>>>> 20v1.0.pdf<http://www.commoncriteriaportal.org:80/files/epfiles/nCircle%20CR%20v1.0.pdf>
>>>> 
>>>> It is possible someone else has received certification on a newer
>>>> version,
>>>> but I'm not aware of any at this time...
>>>> 
>>>> --
>>>>  John-Mark Gurney                Voice: +1 415 225 5579
>>>> 
>>>>     "All that I will do, has been done, All that I have, has not."
>>>> 
>>> 
>>> 
>> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"