FreeBSD and security mitigations

[mod3777]

Hows FreeBSD security mitigations? I am new to FreeBSD and I am very satisfied with this system, until,
a guy who runs HBSD and OpenBSD told me:

" I don't know of any Linux distro which doesn't use PIC, PIE, and at least stack-protector-strong. The state of userland exploit mitigations in FreeBSD is similar to Linux in 1999. FreeBSD does not use any hardening outside of the weak -fstack-protector. The ASLR implementation FreeBSD is writing will have a very large performance impact "

Honestly, I am too scared. What he actually meant? Is that actually true? How that can affect my day to day desktop computing? Is that too unsafe? What he said was too technical for me.

 

[SirDice]

I think your friend is misinformed.

How that can affect my day to day desktop computing?

It won't.

Is that too unsafe?

It's not.

In order to be able to exploit anything you first need to have a proper bug to exploit. Perfect code doesn't have bugs so there's nothing to exploit. But we all know perfect code doesn't exist. It's written by humans, and humans make mistakes. All these techniques simply try to prevent successful exploitation of that bug. None of them are able to prevent everything so in certain cases any of those protections can also be circumvented. They're certainly not useless because they do make it a lot more difficult to consistently, and successfully, exploit a serious bug. But it doesn't mean that a system which doesn't have those protections is automatically akin to Swiss cheese.

The biggest risk to any computer system is sitting between the keyboard and chair. All those protections aren't going to help you in any way if you blindly run an application you just downloaded from the internet. If that application does something nefarious nothing is going to stop it.

 

[mod3777]

I think your friend is misinformed.


It won't.


It's not.

In order to be able to exploit anything you first need to have a proper bug to exploit. Perfect software doesn't have bugs so there's nothing to exploit. But we all know perfect software doesn't exist. All these techniques simply try to prevent successful exploitation of that bug. None of them are able to prevent everything so in certain cases any of those protections can also be circumvented. They're certainly not useless because they do make it a lot more difficult to exploit a serious bug. But it doesn't mean that a system which doesn't have those protections is automatically akin to Swiss cheese.

The biggest risk to any computer system is sitting between the keyboard and chair. All those protections aren't going to help you in any way if you blindly run an application you just downloaded from the internet. If that application does something nefarious nothing is going to stop it.

Thank you so much. I really freaked out at first. Okay, I will be careful about packages, and will learn proper security practices

 

[SirDice]

Proper security is a multi layered approach. All those techniques simply add more layers. And that's always good of course. But your friend makes it sound like they're the only things stopping malicious software and that's simply not true.

A good starting point for security on FreeBSD is security(7).

 

[Deleted member 30996]

"The state of userland exploit mitigations in FreeBSD is similar to Linux in 1999. FreeBSD does not use any hardening outside of the weak -fstack-protector.".

I object.

As the Red Devil's Advocate I would be derelict in daemonic defense declining to direct attention to the Court of Public Opinion irrefutable fact FreeBSD affords System Hardening options during the build and has since the introduction of FreeBSD 11.0-RELEASE circa October 10, 2016 previously entered into evidence to refute thus such an indictment levied in an erroneous article dated January 10, 2018:

https://forums.freebsd.org/threads/soldiex-website.66277/#post-391044

in addition, indulge me to introduce into evidence information indicating further System Hardening factors incorporated into FreeBSD 12:

A summary of changes since 12.0-RC1 includes: kernel debugging support in various kernel configurations has been disabled - this was missed when branching releng/12.0 from stable/12

 

[Phishfry]

A summary of changes since 12.0-RC1 includes: kernel debugging support in various kernel configurations has been disabled - this was missed when branching releng/12.0 from stable/12

No offense, but this has nothing to do with system hardening or security. This is more for developers to debug problems.
derelict demonic defense overruled.

The system hardening tools in the installer were inspired from HardenedBSD.

 

[Deleted member 30996]

No offense taken, Counselor. You're the only prosecutor who debates my legal arguments and always welcome to do so.

However, "information indicating" further System Hardening is speculative in nature and does not definitively state factual implementation of further System Hardening being incorporated.

An indeterminate inferrment imperative to legalese latitude in devilish debate.

 

[Deleted member 30996]

My incubi insight into information indicating further System Hardening factors incorporated into FreeBSD 12 indeed is irrefragable:



The "disable dtrace", "secure console", "hide jails" and if memory serves me "hide gids" options available during the build process are all new to FreeBSD 12.0-RELEASE.