Hacker News new | ask | show | jobs
by kev009 2917 days ago
The comparison is cherry picked cargo cult. ASLR and a lot of these mitigations were obsolete when HBSD implemented them https://www.endgame.com/blog/technical-blog/rop-dying-and-yo.... Their ASLR try was rejected by FreeBSD.org. Some of the bullets are completely asinine like xxx hardening, what does that even mean? The lead developer recently gave a conference talk where as far as I can tell he showed that you can root a box as.. root https://www.youtube.com/watch?v=bT_k06Xg-BE.

Can anyone point to a paper showing where HBSD successfully prevented an attack over FreeBSD?

So they generate a lot of noise. Instead of learning from the larger communities that are filled with extremely talented security people like Colin "cperciva" Percival, Robert Watson, Theo de Raadt, Maxime Villard, etc Shawn seems hellbent on being an exemplar of Dunning-Kruger effect. Unfortunately he is towing others along for the ride.
1 comments
auslander 2917 days ago
ASLR is obsolete? Why?
link
kev009 2917 days ago
Sorry, you didn't bother reading the link so you may consult Google if you are interested.
link
dang 2916 days ago
You started a nasty flamewar with this and got more uncivil downthread. We ban accounts that behave like that, so please don't. Instead, please present your arguments civilly, regardless of how right you are.

https://news.ycombinator.com/newsguidelines.html

link
kev009 2916 days ago
Sorry, wasn't the intent. It did appear we were going to make progress in the discussion at points but now is clearly two people with cemented viewpoints.
link
auslander 2917 days ago
The link is not about ASLR, but ROP. ROP != ASLR :)

Anyway, even there, we can read : "ASLR aims to prevent an attacker from using previous knowledge of the address space to gain an advantage and execute malicious code. This has proven extremely effective in “raising the bar” of exploitation and is one of the most significant research challenges"

So, back to square one, why ASLR is obsolete? Its one of the main security features.

Recap: OPNsense uses HardenedBSD as base OS, which have ASLR, along with other BSDs. pfSense uses FreeBSD, which don't have ASLR/ASR.

link
kev009 2917 days ago
The first sentence in the article should be a bell-ringer "Too often the defense community makes the mistake of focusing on the what, without truly understanding the why."

These are context sensitive things that aren't learned by reading a comment thread, if you can't read that article and understand that it shows a multitude of exploits that bypass ASLR and that almost every exploit and contest includes or relies on existing ASLR bypass I don't really know what to tell you other than to keep reading and researching. The answers you seek are linked from TFA.

link
auslander 2917 days ago
>The answers you seek

I expect you backing up your statement that ASLR is obsolete. So far all we have is a URL and advice to research ourselves.

What stops you from giving a direct answer? Hint: "ASLR is useless, because I can, for example, do this: ..."

link