toying with wireguard on openbsd

New year, new network. WireGuard promises to be a simpler, more secure alternative to IPsec, and there’s a beta iOS client, so I thought I’d try my hand at setting up a server endpoint.

Posted 2019-01-01 15:45:15 by tedu Updated: 2019-01-01 15:45:15
Tagged: openbsd

openbsd changes of note 628

EuroBSDCon in two weeks. Be sure to attend early and often.

Many and various documentation improvements for libcrypto. New man pages, rewrites, expanded bugs sections, and more.

Posted 2017-09-07 16:31:29 by tedu Updated: 2017-09-07 16:35:55
Tagged: openbsd

yet another introduction to yacc

One of the great tools in the unix toolbox is yacc. Regrettably, the documentation can be somewhat weak. The OpenBSD man page covers command line options, but doesn’t even provide a reference to the grammar of the input file. For that, one must read Stephen Johnson’s paper, Yacc: Yet Another Compiler-Compiler. It’s pretty good, and there are some other tutorials out there, but perhaps it’s worth highlighting a few tips and tricks.

Posted 2017-08-30 17:20:58 by tedu Updated: 2017-08-30 17:20:58
Tagged: openbsd programming

openbsd changes of note 627

The hackers, they thonned.

We are no longer processing router advertisements in the kernel. We are no longer generating privacy addresses in the kernel. Remove knob and always do neighbor unreachable detection.

Posted 2017-08-28 16:12:55 by tedu Updated: 2017-08-28 16:12:55
Tagged: openbsd

openbsd changes of note 626

Hackerthon is imminent.

There are two signals one can receive after accessing invalid memory, SIGBUS and SIGSEGV. Nobody seems to know what the difference is or should be, although some theories have been unearthed. Make some attempt to be slightly more consistent and predictable in OpenBSD.

Posted 2017-08-08 21:59:17 by tedu Updated: 2017-08-08 21:59:17
Tagged: openbsd

openbsd changes of note 625

Halcyon changes of summer.

Continue with some cleanup and improvement of the depend step of building. Lots of little things to support lex and yacc better as well.

Posted 2017-07-20 22:15:08 by tedu Updated: 2017-07-20 22:15:08
Tagged: openbsd

bind broker

You’ve got a great big server that’s capable of supporting multiple users. Everybody wants to run a web server. This would be great, but alas, archaic decisions made long ago mean that network sockets aren’t really files and there’s this weird concept of privileged ports. Maybe we could assign each user a virtual machine and let them do whatever they want, but that seems wasteful. Think of the megabytes! Maybe we could set up nginx.conf to proxy all incoming connections to a process of the user’s choosing, but that only works for web sites and we want to be protocol neutral. Maybe we could use iptables, but nobody wants to do that.

Posted 2017-07-11 13:06:11 by tedu Updated: 2017-07-11 13:06:11
Tagged: c openbsd programming

userland xnr jit

One ROP mitigation is Execute no Read (XnR) or Execute Only (XOM) memory. We can wait for someone to add this to our operating system kernel using paging (You Can Run But You Can’t Read: Preventing Disclosure Exploits in Executable Code PDF) or VT-x and EPT (ExOShim: Preventing Memory Disclosure using Execute-Only Kernel Code PDF). Or we can do it today in userland. This is only a partial implementation that protects JIT pages alone, but it demonstrates the technique.

Posted 2017-05-29 10:05:51 by tedu Updated: 2017-05-29 10:05:51
Tagged: c openbsd programming

network transparent audio with sndiod and vmd

Another way to isolate untrusted media players is to run them in a virtual machine. I was joking with mlarkin that if he’s run out of things to work on, he can add audio emulation to vmd. But of course, this is actually pretty easy to do (playing sounds, not emulating audio), thanks to network support in sndiod.

Posted 2017-05-27 21:08:34 by tedu Updated: 2017-05-27 21:08:34
Tagged: openbsd

openbsd changes of note 622

Catching up to current.

Don’t let windows fall off the end of the world in calmwm.

Remove last remnants of rtsol in the installer, netstart, everywhere.

Posted 2017-05-21 16:41:49 by tedu Updated: 2017-05-21 16:41:49
Tagged: openbsd

experiments with prepledge

MP3 is officially dead, so I figure I should listen to my collection one last time before it vanishes entirely. The provenance of some of these files is a little suspect however, and since I know one shouldn’t open files from strangers, I’d like to take some precautions against malicious malarkey. This would be a good use for pledge, perhaps, if we can get it working.

Posted 2017-05-20 16:28:36 by tedu Updated: 2017-05-20 16:28:36
Tagged: c openbsd programming