Fakecracker: NetBSD as a Function Based MicroVM
> This is fun and all, but we can’t really talk about security only with chroot, and the Firecracker solution seemed about right for this matter, yet the overall NetBSD boot process was a bit too long for my taste. So how exactly can we significantly improve NetBSD‘s boot speed?
Announcing NetBSD 9.0
> This release brings significant improvements in terms of hardware support, quality assurance, security, along with new features and hundreds of bug fixes.
Improvements in forking, threading, and signal code
> I am improving signaling code in the NetBSD kernel, covering corner cases with regression tests, and improving the documentation. I’ve been working at the level of sytems calls (syscalls): forking, threading, handling these with GDB, and tracing syscalls. Some work happens behind the scenes as I support the work of Michal Gorny on LLDB/ptrace features.
From Zero to NVMM
> Six months ago, I told myself I would write a small hypervisor for an old x86 AMD CPU I had. Just to learn more about virtualization, and see how far I could go alone on my spare time. Today, it turns out that I’ve gone as far as implementing a full, fast and flexible virtualization stack for NetBSD. I’d like to present here some aspects of it.
Increasing coverage of signal semantics in regression tests
> Kernel signal code is a complex maze, it’s very difficult to introduce non-trivial changes without regressions. Over the past month I worked on covering missing elementary scenarios involving the ptrace(2) API. Part of the new tests were marked as expected to success, however a number of them are expected to fail.
Announcing NetBSD 8.0
> This release brings stability improvements, hundreds of bug fixes, and many new features.
> We support older releases, but due to the mass of recent urgent fixes and a lot of work having been done to harden NetBSD in general, we are not backporting the CPU errata related workarounds and mitigations to older release branches!
GSoC 2018 report: Kernel Address Sanitizer, Part 2
> The Kernel Address Sanitizer or KASAN is a fast and efficient memory error detector designed by developers at Google. It is heavily based on compiler optimization and has been very effective in reporting bugs in the Linux Kernel. The aim of my project is to build the NetBSD kernel with the KASAN and use it to find bugs and improve code quality in the kernel. This Sanitizer will help detect a lot of memory errors that otherwise would be hard to detect.
=?iso-8859-8-i?Q? Handling non-UTF-8 Hebrew email
> In the dark ages before Unicode, Hebrew used its own encodings which allowed typing both Latin and Hebrew letters: Windows-1255, ISO-8859-8. I speculate that people initially expected input to be written in reverse order (aka “visual order“), assuming that everything will display text left to right.
NetBSD 7.1.1 released
> The NetBSD Project is pleased to announce NetBSD 7.1.1, the first security/critical update of the NetBSD 7.1 release branch. It represents a selected subset of fixes deemed important for security or stability reasons.
One year checkpoint and Thread Sanitizer update
> The past year has been started with bugfixes and the development of regression tests for ptrace(2) and related kernel features, as well as the continuation of bringing LLDB support and LLVM sanitizers (ASan + UBsan and partial TSan + Msan) to NetBSD.
NetBSD dtrace and ZFS update
> I’ve been working on updating netbsd’s copy of the dtrace and zfs code to rebase from the existing ancient opensolaris version to a recent freebsd version. most of the freebsd changes are pretty close to what netbsd needs, so that seems like a more useful upstream for us. I have things working well enough now that I want to share the code in preparation for committing.
Are all BSDs created equally? A survey of BSD kernel vulnerabilies.
A sampling of bugs, here, there, and everywhere.
Porting NetBSD to Allwinner H3 SoCs
> This is one of the first evbarm ports built from the ground up with device tree support, which helps us to use a single kernel config to support many different boards.
Episode 198: BSDNorth or You can’t handle the libtruth
secmodel sandbox : An application sandbox for NetBSD
> We introduce a new security model for NetBSD – sec-model sandbox – that allows per-process policies for re- stricting privileges. Privileges correspond to kauth authorization requests, such as a request to create a socket or read a file, and policies specify the sandbox’s decision: deny, defer, or allow. Processes may apply multiple sandbox policies to themselves, in which case the policies stack, and child processes inherit their parent’s sandbox. Sandbox policies are expressed in Lua, and the evaluation of policies uses NetBSD 7’s experimental in-kernel Lua interpreter. As such, policies may express static authorization decisions, or may register Lua functions that secmodel sandbox invokes for a decision.
EuroBSDcon 2017 Talks & Schedule
> 21-24 September, Paris, France
NetBSD 7.1 released
RPi Zero, maybe nvidia graphics, and Adobe Flash Player 24.
ptrace(2) tasks segment finished
> During this month I’ve finished the needed work in the base distribution in order to host fully featured LLDB. Currently the ptrace(2) interfaces in NetBSD are, in terms of features, closely related to FreeBSD and Linux.
NetBSD fully reproducible builds
> I did not think at the time it would take as long or be so difficult, so I did not keep a log of all the changes I needed to make. I was also not the only one working on this.
> Here’s is what we found that we needed to fix, how we chose to fix it and why, and where are we now. There are many reasons why two separate builds from the same sources can be different. Here’s an (incomplete) list:
Firefox 51 on sparc64 - we did not hit the wall yet
Life support continues for one more release.