It sped up, so I could do this before I left for the weekend #CheriBSD #cheri
It's here! #cheri #CheriBSD
Exciting news lately from the #BSD world:
- #NetBSD coming to #RISC-V (open-source hardware is eventually going to liberate us from US Big Tech bad influence)
- #smolBSD providing minimal NetBSD containers;
- #CheriBSD shaping up nicely...
What is less exciting:
- most if not all major BSDs apparently considering support for #Xlibre, while #Wayland is only more or less supported (thanks a bunch Red Hat for not thinking about all Unix systems...)
Improvements to FreeBSD KASAN By Zhuo Ying Jiang Li

Yay, #Morello machine updated, now running the latest #CheriBSD. It's been ages since I did a source upgrade of FreeBSD. Hopefully CheriBSD will get pkgbase support soon!

#FreeBSD #CHERI

[2022] So you want to add a system call? - Brooks Davis

https://exquisite.tube/w/adPxbUiKKDQNgETjisEmXc

The ‘security revenue addiction’ section in this WIRED article really struck home. I remember attending a talk by a new security VP at Microsoft who was talking about this revenue growth in after-market security products as if it were a good thing that customers needed to pay more to fix preventable issues in core products. It was then that I realised how hard it would be for Microsoft to push #CHERI. The cost of porting the Windows ecosystem across was large but the dent that it would put in that revenue stream was much larger.

This is a problem for incumbents (see: the innovator’s dilemma). If you already have 90% of the market, most changes will, at best, do nothing to your market share. If you have 5% then you need only a small number of switchers from the dominant platform to double your market share.

With the mature state of #CheriBSD (#FreeBSD for CHERI platforms), I think there’s a big opportunity for another vendor to provide a CHERI solution and then pass the ‘must have two suppliers’ rule for requirements in government procurement.

The US Government Has a Microsoft Problem

Microsoft has stumbled through a series of major cybersecurity failures over the past few years. Experts say the US government’s reliance on its systems means the company continues to get a free pass.

WIRED
Lucas Holt (@[email protected])

Apple arm based Mac Secure Enclave related vulnerabilities https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

BSD Network

#CHERI all the way down (or up)!

Or: The world's most overengineered (but secure!) lightswitch!

The #EclipseMosquitto MQTT server, running as a #CheriBSD pure-capability binary on a Morello system, acting as the server component for an IoT system. Pure-capability programs run with hardware-enforced memory safety, with every pointer represented with a CHERI capability so even single-byte out-of-bounds errors will trap. The kernel is also built in this mode.

I accidentally booted with the wrong kernel, so we don't have temporal safety on the server yet.

On the client, we have a #CHERIoT system, where everything has spatial and temporal memory safety. This connects to the CheriBSD server and sends the state of the switches via MQTT and sets the LEDs on the board based on subscriptions to MQTT events. This all happens over TLS 1.2 with ECDSA.

The network stack is compartmentalised. This demo includes 9 isolated compartments as well as several shared libraries, on a board with 256 KiB of (code + data) RAM, including a memory-safe shared heap.
