Linked by Dareka on Fri 19th Apr 2013 10:40 UTC
BeOS & Derivatives "Starting with hrev45522, address space layout randomization (ASLR) and data execution prevention (DEP) are available in Haiku. These two features, which have actually become a standard in any modern OS, make it much harder to exploit any vulnerability that may be present in an application running on Haiku, thus generally improving system security."
Thread beginning with comment 559251
Security fail
by peteo on Fri 19th Apr 2013 13:24 UTC
peteo Member since:
2011-10-05

I was (un)fortunate enough to get intimate knowledge about the Haiku source code after fixing the PCNet driver, and doing a few rounds of code review.

And I have to say that ASLR support at this point is pretty comical when the rest of the system basically ignores security.

A code review is long overdue.

GSoC is nice and all, but the students don't even avoid the most basic exploits (at a basic level, Haiku is littered with buffer-overflow-sensitive code, but that's the least of their problems from a security standpoint).

As an avid BeOS fan, I sincerely hope they get their act together and start reviewing code properly before committing.

Reply Score: 1

RE: Security fail
by drcouzelis on Fri 19th Apr 2013 18:07 in reply to "Security fail"
drcouzelis Member since:
2010-01-11

I'm a huge fan of Haiku, and I think your comment here is extremely important.

Do the Haiku developers know about your concerns? Considering other features, do you feel that fixing the security problems you mention is a priority? If you haven't done so yet, would you be willing to list out what you feel needs to be done before you would consider Haiku to begin to be secure?

Do you think this is something that existed in BeOS, despite not being able to look at the source code?

Thank you! ;)

Reply Parent Score: 4

RE[2]: Security fail
by peteo on Mon 22nd Apr 2013 18:26 in reply to "RE: Security fail"
peteo Member since:
2011-10-05

"I'm a huge fan of Haiku, and I think your comment here is extremely important.

[...]

Do you think this is something that existed in BeOS, despite not being able to look at the source code?

Thank you! ;)"


I have obviously never seen the BeOS code, but from what I hear from the Be folks, they had serious security audits.

The reason why security became very important is of course the fact that they bet the company on BeOS in Internet connected appliances.

Edited 2013-04-22 18:27 UTC

Reply Parent Score: 1

RE: Security fail
by v_bobok on Sat 20th Apr 2013 00:47 in reply to "Security fail"
v_bobok Member since:
2008-08-01

Haiku is off GSoC this year, so no "ignorant students" this year, yaaay.

Patches are welcome, The Master of Security. xD

Reply Parent Score: 1

RE: Security fail
by axeld on Mon 22nd Apr 2013 09:55 in reply to "Security fail"
axeld Member since:
2005-07-07

"I was (un)fortunate enough to get intimate knowledge about the Haiku source code after fixing the PCNet driver, and doing a few rounds of code review."

Are there any bug reports for your claims? Have you ever provided a patch?

Oh, and BTW Haiku has been using FreeBSD's pcnet driver for six years.

Please troll somewhere else.

Reply Parent Score: 4

RE[2]: Security fail
by peteo on Mon 22nd Apr 2013 18:23 in reply to "RE: Security fail"
peteo Member since:
2011-10-05

"I was (un)fortunate enough to get intimate knowledge about the Haiku source code after fixing the PCNet driver, and doing a few rounds of code review.


Are there any bug reports for your claims? Have you ever provided a patch?
"

Yes, a lot of my patches were accepted, thank you very much.

Reply Parent Score: 0

RE: Security fail
by bebop on Mon 22nd Apr 2013 20:19 in reply to "Security fail"
bebop Member since:
2009-05-12

I call BS on this post. As someone who has contributed to Haiku, I can tell you that there are computer-aided audits (Coverity), and that the core developers are not only talented, but also very picky about the commits they let into the tree.

Also, as axeld pointed out, we have been using the FreeBSD net stack for some time, so I do not buy your claim about being familiar with the Haiku source code. I have also not seen you on the dev list or in the commits.

If you see real problems, please feel free to file bug reports, preferably with diffs attached.

Reply Parent Score: 4