<p>WhiteWinterWolf.com - openbsd (<a href="https://www.whitewinterwolf.com/">https://www.whitewinterwolf.com/</a>), feed updated 2017-09-26</p>
<p><strong>BSDA certification review</strong>, by WhiteWinterWolf, published 2017-09-22, updated 2017-09-26 (<a href="https://www.whitewinterwolf.com/posts/2017/09/22/bsda-certification-review/">https://www.whitewinterwolf.com/posts/2017/09/22/bsda-certification-review/</a>)</p>
<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
The <a href="http://www.bsdcertification.org/certification/certification/bsd-associate" rel="external" title="BSDA certification homepage (BSD Certification Group)"><abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Associate</a> (<abbr title="BSD Associate"><span class="caps">BSDA</span></abbr>) is a technical certification on <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr>
systems administration.
It covers DragonFlyBSD, FreeBSD, NetBSD and OpenBSD.</p>
<p>This certification covers general <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems administration (there is not
much about system architecture itself), the specificities of each covered
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> flavor, common Unix services administration, and also a few
non-technical points, notably on the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> license and its differences from
other licensing types.</p>
<p>I personally find the official naming misleading, as the requirement for
this certification actually targets system <em>administrators</em>, not assistants.</p>
</li>
<li>
<p><strong>When</strong>:
The <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> has no prerequisites, but it is very technical and covers a wide
range of domains, so I would certainly not recommend it to beginners.</p>
<p>It can be seen as the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> counterpart of the <a href="/posts/2017/09/03/linux-lpic-certification-review/" title="Linux LPIC certification review"><abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr>-2</a> Linux certification.</p>
</li>
<li>
<p><strong>Why</strong>:
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems take a different approach from Linux ones on a lot of things,
both technical and non-technical.
Being Linux certified does not mean that you are proficient, or even
familiar, with <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> ecosystems.
This certification demonstrates that you are knowledgeable in the
specificities of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems as a whole, and of each covered flavor in particular.</p>
<p>I did not encounter any job offer specifically requiring this
certification.
It is not a common certification, and it requires real determination.
Therefore, although it is not stated as a requirement, I think it may
still make a significant difference on your resume and distinguish you
from the crowd of Linux-certified engineers.</p>
</li>
<li>
<p><strong>Who</strong>:
It is not suited to beginners in the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> world as it requires good
experience administering <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems in professional environments.
Practical experience of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems in large corporations is not needed
(lucky for me!), but you need practical experience with a wide
range of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> system components and situations, things you won’t have if
you only occasionally played with some <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> guest in a lab.</p>
<p>When you receive your results you also get a report providing some stats,
including the average scores of your group, and I was astonished by the
low average scores.
I think that the issue mainly comes from this poor denomination: the ‘A’
in <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> should really stand for <em>Administrator</em>, not <em>Associate</em>, and the
next level (<abbr title="BSD Professional"><span class="caps">BSDP</span></abbr><sup id="fnref-BSDP"><a class="footnote-ref" href="#fn-BSDP">1</a></sup>), targeting <em>“senior administrators”</em>, should really be
recognized as a <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr>-expert level certification.</p>
<p>I still don’t get why the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group decided to label them
<abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> and <abbr title="BSD Professional"><span class="caps">BSDP</span></abbr> instead of <abbr title="BSD Professional"><span class="caps">BSDP</span></abbr> and <span class="caps">BSDE</span> as they should have in my mind.
This would both:</p>
<ul>
<li>Better inform students not used to taking exams about what to expect.</li>
<li>Better inform employers about the real value of this certification.</li>
</ul>
</li>
<li>
<p><strong>Where</strong>:
Sadly this certification is not associated with any common test center.
Exams are paper-based and organized during some <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> and open-source events.
It is not uncommon to have to go abroad to pass an exam suiting your
schedule, but this is not necessarily so much a bad point as it is also the
occasion to attend the event itself.</p>
<p>The <a href="https://archive.fosdem.org/2017/certification/" rel="external" title="FOSDEM 2017 Certification exams (FOSDEM archives)"><span class="caps">FOSDEM</span></a> in Belgium organizes a <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> exam each year; this is where I
passed mine.
Other events are listed on the <a href="https://register.bsdcertification.org/events" rel="external" title="Events (BSD Certification Group)"><abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group</a> website.</p>
<p>You only need to pass one exam to be certified, and the exam fee is around
$75 <span class="caps">USD</span>.</p>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>You will need a virtual machine for each of the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems covered by the exam:</p>
<ul>
<li><a href="http://www.dragonflybsd.org/" rel="external" title="DragonFlyBSD homepage">DragonFlyBSD</a></li>
<li><a href="http://www.freebsd.org/" rel="external" title="FreeBSD homepage">FreeBSD</a></li>
<li><a href="http://www.netbsd.org/" rel="external" title="NetBSD homepage">NetBSD</a></li>
<li><a href="http://www.openbsd.org/" rel="external" title="OpenBSD">OpenBSD</a></li>
</ul>
<p>Take care to choose a version which matches the exam requirements.
Some of these systems may introduce really impacting changes from one
version to the next.
While the exam will eventually be updated to reflect those changes, this may take some time, so
just ensure that the systems you are using have all the files and commands
expected for the exam, so you can practice in good conditions and not lose
unnecessary time and effort on off-topic subjects.</p>
<p>In any case, the people from the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group are very friendly: as I was studying
during such a change period, I received an email from Dru Lavigne herself
telling me which material to use for my studies.</p>
<p>Also note that you can buy an official <a href="http://www.bsdcertification.org/store" rel="external" title="BSDA Certification Study DVD (BSD Certification Group)"><abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> Certification Study <span class="caps">DVD</span></a>
which gathers the virtual machines and documentation arranged specially for <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr>
students in a convenient manner.
They are made and sold directly by the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group, and the profits
help maintain and develop the certification.</p>
<p>I often encounter comments from people explaining that they only use one or
maybe two of the covered systems and they don’t want to have to learn the
other operating systems to pass the certification.</p>
<p>In fact, unless you target 100% correct answers, you don’t need to be an expert in all
those systems.
Personally I have the most experience with FreeBSD and OpenBSD systems.
This certification was the occasion to discover NetBSD and DragonFlyBSD, but
I am nowhere near an expert on those.</p>
<p>When starting to study for this exam you should already have a very good
knowledge of at least one of these systems.
As far as the various flavors “issue” is concerned, to pass the exam you just
need to familiarize yourself with the main differences between the systems you
already know and the other ones.
Install them, compare how things such as software management and network
configuration work, and you should be fine.</p>
<p>Again, the goal of the <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> is not to certify that you’re an expert on each of
these platforms.
The goal is only to test that you are able to administer a <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> system in a
professional context.
I think it is fair to consider the ability to adapt yourself and a general
knowledge of the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> world to be part of the exam requirements.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>As opposed to the <abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr> certification which also covers several Linux
distributions but only requires the student to know the various commands,
files and settings without necessarily being able to infer the underlying
system, with the <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> you will need to be able, from the availability of
certain specific commands and files, to deduce which <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> flavor you are facing.</p>
<p>Questions are never asked this directly, but for instance some questions
may very well have equally valid answers matching several <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> (and Linux
(!)) systems; you should be able to find the clue telling you which system
you are facing and therefore which is the right answer.</p>
</div>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<p>A good point to start your journey is Wikipedia’s
<a href="https://en.wikipedia.org/wiki/Comparison_of_BSD_operating_systems" rel="external" title="Comparison of BSD operating systems (Wikipedia)">Comparison of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> operating systems</a>.
This is general information, but provides a good introduction to approach
the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> ecosystem as a whole.</p>
<p><img alt="BSD Certification Group logo" src="https://www.whitewinterwolf.com/posts/2017/09/22/bsda-certification-review/bsd-certification-group.png"/>
The <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group created <a href="http://bsdwiki.reedmedia.net/wiki/" rel="external" title="BSDwiki homepage">a collaborative wiki</a> with the aim
of being the main resource for <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> students.
Sadly it is not very complete and a bit outdated now; nevertheless it remains
very useful to guide your studies through the large number of domains covered
by this certification.</p>
<p>On their <a href="https://register.bsdcertification.org/exam-preparation-checklist" rel="external" title="Exam Preparation Checklist (BSD Certification Group)">Exam Preparation Checklist</a>, the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group
website provides useful links (including the above-mentioned wiki).
Be sure to carefully follow the certification requirements and commands
reference guide, as they will help you to ensure that you did not miss any
notion during your studies.
The certification requirements are particularly detailed, as an attempt by the
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group to compensate for the lack of a formal study guide:
take advantage of this.</p>
<p>The <a href="http://www.bsdcertification.org/resources" rel="external" title="Resources for BSD Certification">Resources</a> section of the same website contains more general
information on how the certification was created.
It is not directly useful for passing the exam, but it is not very often that
such “behind the scenes” information is made available, and I found
it quite interesting.</p>
<p>There is no book specifically focusing on the <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> certification.
However, if you like to study from books as I do, you should have no real
problem finding a book which will help you clarify the points remaining
obscure in your studies.</p>
<p>Prefer one general book covering several <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> flavors to several books
each focusing on a particular <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> flavor.
A general book is indeed more likely to highlight the differences between the
systems where there are any, the kind of information you may easily miss if you
are studying from different books and the kind of information you will most
likely need to pass your exam.</p>
<p>I have no recommendation in terms of books as I just fetched an
old French one I bought when starting on <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems and which had been gathering dust
for more than a dozen years somewhere on my shelves ;).</p>
<p>There are no official <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> practice exams out there, at least none I am aware of.
This is in part a deliberate choice by the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group,
as stated by <a href="https://www.mail-archive.com/bsdcert@lists.nycbug.org/msg01275.html" rel="external" title="Re: [BSDCert] BSDA Practice Questions (BSDCert mailing list)">Dru Lavigne</a> (her whole email is an interesting read):</p>
<blockquote>
<p>On purpose, we do not provide practice questions. Part of this is philosophical
(we don’t want people to just learn to an exam), part is practical (if you
understand the exam objectives, it does not matter how the question is asked),
and part of it deals with the psychometrics (which requires us to only ask
questions covered by the objectives in a very clear manner, which means there
really is only so many ways you can ask a question).</p>
</blockquote>
<p>However, for those not familiar with such exams, as far as common Unix
services are concerned you may expect the same kind of questions as in the
<a href="/posts/2017/09/03/linux-lpic-certification-review/" title="Linux LPIC certification review"><abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr>-2</a> exam.
Feel free to check resources developed for this exam as, for instance, an
Apache server remains an Apache server, whether it is running on a Linux
or a <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> box.
Once you get used to answering questions on common Unix services, you
should be able to answer questions on anything else; it is just, as
Dru Lavigne stated, a matter of correctly following the exam objectives in your studies.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Studying <abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr> material for a <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> certification may be double-edged.
While questions on common Unix services will usually remain the same,
the correct answer may not.
In particular, paths and platform-specific commands may not be the same.</p>
<p>Use such material for the questions, but check your answers in practice in
your <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> lab.</p>
</div>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>As I said throughout this article, I really see the <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> certification as the
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> counterpart of the <abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr>-2 certification, and the good impressions that
applied to the <abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr>-2 certification also apply here.</p>
<p>It is very complete and allows you to deepen, systematize and better organize
your knowledge of numerous aspects on <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems.</p>
<p>I used this as an occasion to try different systems.
As I said, I am more used to FreeBSD and OpenBSD systems.
I was very surprised by NetBSD, which really feels mature (I did not
imagine that an internationalized <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> system could even exist!).
I was also very surprised by DragonFlyBSD, which may be the fastest for
scientific computing but really doesn’t seem to lead the group in terms of security:</p>
<p><img alt="Characters restriction for root password on DragonFlyBSD" src="https://www.whitewinterwolf.com/posts/2017/09/22/bsda-certification-review/DragonFlyBSD_rootpw.png"/></p>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<p>I cannot discuss the questions or the exam in detail here, but there were no
surprises: I was tested on the topics I expected, the exam questions were clear,
unambiguous, and closely matched the topics list.</p>
<p>The allocated time did not leave me a lot of room.
While it was enough to answer the questions, I made the final check in a
hurry during the very last minutes and focused only on the most troublesome questions.</p>
<p>Nevertheless, even though this is a paper-based exam, the proctor does a good
job of announcing the elapsed time, so it is easy to manage your time correctly.</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>This certification lacks recognition, as do <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems in general,
by the way.
More recognition would mean more certified people, which would mean more funds to
make more study material and exam sessions available.</p>
<p>Nevertheless, I highly recommend this certification despite these limitations.
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems deserve a professional certification program, I am happy that this
certification exists and proud to have earned it.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-BSDP">
<p>As far as I remember I only encountered the <a href="http://www.bsdcertification.org/certification/certification/bsd-professional" rel="external" title="BSDP certification homepage (BSD Certification Group)"><abbr title="BSD Professional"><span class="caps">BSDP</span></abbr></a> certification
documented as in <em>“beta”</em> or project stage.
It is meant to include practical exercises, making it even more complex to
organize during events, and the documentation about these exercises is
still not available
(<em>“Details about the lab portion of the exam will be listed here once they are confirmed.”</em>).
If you are interested in this exam, you should directly get in touch with
the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group. <a class="footnote-backref" href="#fnref-BSDP" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>
<p><strong>Do randomized PIDs bring more security?</strong>, by WhiteWinterWolf, published 2015-05-23 (<a href="https://www.whitewinterwolf.com/posts/2015/05/23/do-randomized-pids-bring-more-security/">https://www.whitewinterwolf.com/posts/2015/05/23/do-randomized-pids-bring-more-security/</a>)</p>
<h3 id="the-issue"><a class="toclink" href="#the-issue">The issue</a></h3>
<p>I read an article in the French magazine <span class="caps">MISC</span> (<a href="https://boutique.ed-diamond.com/misc/594-misc-74.html" rel="external">no. 74 - July/August, 2014</a>)
describing a flaw affecting <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0016" rel="external">stunnel</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0017" rel="external">libssh</a>.</p>
<p>To make things short, this flaw relies on the fact that the hello cookie created
by the server is generated from the current Unix timestamp (so with a one-second
resolution) and the <span class="caps">PID</span> of the process handling the request.
The exploit sends a high number of connection attempts in order to force the
server to generate duplicate cookies.
In the end this attack aims to deduce the server’s private keys.</p>
<p>The author explains that such an attack is not feasible on systems using
traditional sequential <span class="caps">PID</span> allocation, because it would require more than 65000
connection attempts to be made in less than one second.</p>
<p>However, thanks to the random PIDs used on some “hardened” systems, the author
demonstrates that, with 20 connection attempts per second, there is
statistically more than a one-in-two chance of generating a duplicate in less
than 5 minutes.</p>
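<p>As an added example (not from the original post or the MISC article), the following C code works out the duplicate-cookie probability under the model described above: each second, every handler process receives a PID drawn uniformly at random, and two equal PIDs within the same second give the same (timestamp, PID) cookie. The PID space of 65536 values (in line with the 65000 figure above), the 20 attempts per second and the uniform draw are assumptions made here, and real random-PID allocators also skip PIDs that are currently in use, which this estimate ignores.</p>

```c
/* Added example, not from the original post: birthday-bound estimate of how
 * fast a (timestamp, PID) cookie repeats when PIDs are drawn at random.
 * Assumptions (not from the post): PIDs are uniform over `n` values, the
 * timestamp has one-second resolution, and each second is independent. */
#include <stdio.h>

/* Probability that at least two of `k` PIDs drawn uniformly from `n`
 * candidates are equal (the birthday problem), computed exactly. With
 * sequential allocation this is 0 unless k exceeds n, i.e. unless the
 * whole PID space wraps within one second. */
double collision_prob_within_second(double n, int k)
{
    double p_none = 1.0;
    for (int i = 0; i < k; i++)
        p_none *= (n - i) / n;   /* i-th PID must avoid the i previous ones */
    return 1.0 - p_none;
}

/* Probability of at least one duplicate cookie after `seconds` seconds at
 * `rate` handler processes per second. The timestamp changes every second,
 * so each second is a fresh, independent trial. */
double collision_prob_after(double n, int rate, int seconds)
{
    double p_none = 1.0 - collision_prob_within_second(n, rate);
    double survive = 1.0;
    for (int s = 0; s < seconds; s++)
        survive *= p_none;
    return 1.0 - survive;
}

/* First second at which the duplicate probability exceeds `target`, or -1
 * if it does not happen within `max_seconds`. */
int seconds_to_reach(double n, int rate, double target, int max_seconds)
{
    double p_none = 1.0 - collision_prob_within_second(n, rate);
    double survive = 1.0;
    for (int s = 1; s <= max_seconds; s++) {
        survive *= p_none;
        if (1.0 - survive > target)
            return s;
    }
    return -1;
}

int main(void)
{
    const double n = 65536.0;   /* assumed PID space, cf. the 65000 figure */
    const int rate = 20;        /* assumed attempts per second */
    printf("per-second collision probability: %.4f\n",
           collision_prob_within_second(n, rate));
    printf("after 5 minutes:                  %.3f\n",
           collision_prob_after(n, rate, 300));
    printf("50%% reached after %d seconds\n",
           seconds_to_reach(n, rate, 0.5, 3600));
    return 0;
}
```

With these assumptions the per-second collision probability is about 0.3%, which the independent-seconds model pushes past 50% after 240 seconds.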
<p>For me, this clearly shows that random <span class="caps">PID</span> allocation creates new security weaknesses
(remotely exploitable ones, in this case) compared to sequential PIDs.</p>
<p>I was therefore wondering what exact threat random PIDs are trying
to solve.
The answers I got from <a href="http://www.vanheusden.com/linux/rnd_pid_faq.php" rel="external">here</a>, <a href="http://lists.freebsd.org/pipermail/freebsd-security/2010-February/005550.html" rel="external">here</a>, <a href="https://books.google.fr/books?id=t2yA8vtfxDsC&pg=PT667&lpg=PT667&dq=random%20pid%20security&source=bl&ots=4i3xvu1Ea6&sig=CMwixJVq9xe4UwZAAC_6UFLursE&hl=fr&sa=X&ei=qA1LVYjPH8PyUImxgZAM&ved=0CDkQ6AEwAzgK#v=onepage&q=random%20pid%20security&f=false" rel="external">there</a> and from my personal
experience do not satisfy me:</p>
<ul>
<li>
<p><em>Poorly coded software</em> uses the <span class="caps">PID</span> to generate “unique” temporary
file names and as a main source of entropy: poorly coded software should
remain limited to “Hello world” projects and Minesweeper ports, and should
never be used for sensitive tasks.</p>
<p>Moreover, weakening the whole <span class="caps">OS</span> just to bring a marginal security gain for
such software seems really counter-productive.</p>
<p>Lastly, the flaws above show that as far as entropy is concerned,
sequential <span class="caps">PID</span>s would be even more secure than random ones…</p>
</li>
<li>
<p><em>Protection against unknown future threats</em>: I do not see the logic behind
opening severe current and known threats to protect against potential
future and unknown threats…</p>
</li>
<li>
<p><em>Race conditions</em>: if this refers to the poor software using the <span class="caps">PID</span> to
generate temporary file names, then I already covered this point.
Otherwise, the flaw above shows how random <span class="caps">PID</span>s are actually more prone to
race conditions than sequential ones.</p>
</li>
<li>
<p><em>OpenBSD already uses it</em>: this is indeed a good explanation regarding the
fashion aspect of this measure, but it has nothing to do with security.</p>
</li>
</ul>
<p><img alt="XKCD #1739: Fixing problems" src="/images/xkcd1739_fixing-problems.png"/></p>
<h3 id="the-origin"><a class="toclink" href="#the-origin">The origin</a></h3>
<p><span class="caps">PID</span> randomization was popularized by OpenBSD, which
<a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_fork.c#rev1.8" rel="external">added it as early as 1997</a>.
At that time it pursued two main goals:</p>
<ul>
<li>
<p><em>Protecting against <span class="caps">PID</span> prediction vulnerabilities</em>, affecting mostly software
which uses the <span class="caps">PID</span> value to generate temporary file names.
This was a common concern at that time, but today I think it would be quite
rare to encounter production-level software still not using a cleaner method.</p>
</li>
<li>
<p><em>As a general preventive measure</em>,
<a href="http://www.openbsd.org/papers/dev-sw-hostile-env.html" rel="external">“If something can be random, make it random.”</a>, which meant putting
randomness in several places in the <span class="caps">OS</span> (from the <span class="caps">IP</span> stack to memory
allocation).
While some of the protections resulting from this randomness proved to be
useful and became more common, <span class="caps">PID</span> randomization has had a more troubled history.</p>
</li>
</ul>
<p>As detailed above, <em>the cure may be worse than the disease</em>.
Due to faster <span class="caps">PID</span> reuse, fully random <span class="caps">PID</span>s may allow remotely exploitable flaws,
while sequential <span class="caps">PID</span>s were mainly known to allow local-only exploits.</p>
<p>As a side note, in an ideal world, all this should not cause any issue (yes, I
am talking about this ideal world where software is free of bugs and vulnerabilities).
In fact these vulnerabilities usually find their root in wrong usage of the <span class="caps">PID</span>.
<a href="https://en.wikipedia.org/wiki/Process_identifier" rel="external">Wikipedia</a> aptly defines the <span class="caps">PID</span> as a
“<em>number used […] to uniquely identify an active process</em>”.</p>
<p>Therefore:</p>
<ul>
<li>
<p><em>A <span class="caps">PID</span> is not designed to build temporary file names</em>.</p>
<p>Temporary files are usually created in a <strong>shared place</strong>, and that means
<em><a href="https://security.stackexchange.com/questions/34397/how-can-an-attacker-use-a-fake-temp-file-to-compromise-a-program" rel="external">danger</a></em>!
Because of this, temporary files must be created using dedicated functions
which will ensure that the three required actions (checking that the file
doesn’t already exist, creating it, and setting restricted access permissions)
are done in an atomic (uninterruptible) way.
The C language offers <a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/mkstemp.html" rel="external"><code>mkstemp()</code></a> and <a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/tmpfile.html" rel="external"><code>tmpfile()</code></a>, and most
Unix environments offer a <a href="http://linux.die.net/man/1/mktemp" rel="external">mktemp</a> command to be used by shell scripts, etc.</p>
</li>
<li>
<p><em>A <span class="caps">PID</span> is not designed to seed a random number generator or to generate session IDs or cookies</em>.</p>
<p>Here again you must refer to your language or environment documentation to
get a proper entropy source. On <span class="caps">UNIX</span> systems the <code>/dev/urandom</code> device file
is there for this purpose.</p>
</li>
<li>
<p>It is no accident that the Wikipedia definition specifies <em>active process</em>.</p>
<p>In some languages, such as C, you remain the owner of a child process’ <span class="caps">PID</span>
until you <code>wait</code> for it, but this is not true for all languages (for
instance in shell scripts…) and is never true for processes which are not
your children.
In these cases the <span class="caps">PID</span> is just a shared resource, and you should remember
that this “<strong>shared</strong>” notion implies “<strong><a href="https://stackoverflow.com/questions/9152979/check-if-process-exists-given-its-pid/9153003#9153003" rel="external">danger</a></strong>”, so you must
ensure that you take proper care and use the right functions designed to
match your situation and needs.</p>
</li>
</ul>
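<p>The two C-level points above (atomic temporary file creation, and a child’s <span class="caps">PID</span> being yours only until you <code>wait</code> for it) as an added example; this is not code from the original post. The template path <code>/tmp/example.XXXXXX</code> is a constructed assumption; the function names are mine.</p>

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Safe temporary file. mkstemp() picks a random suffix, creates the file
 * with O_EXCL (a planted file or symlink is never followed) and mode 0600
 * in one call; the caller keeps the descriptor and never reopens by name.
 * A PID-derived name such as "/tmp/app.<pid>" opened with plain O_CREAT
 * gives none of these guarantees. path == NULL: unlink at once (private). */
int create_private_tempfile(char *path, size_t pathlen)
{
    char tmpl[] = "/tmp/example.XXXXXX";   /* constructed template */
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the path: regular file, no group/other bits. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 077)) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    if (path != NULL)
        snprintf(path, pathlen, "%s", tmpl);
    else
        unlink(tmpl);
    return fd;
}

/* A child's PID is the parent's only until the child is reaped: before
 * waitpid() the (zombie) entry pins the number, afterwards it is back in
 * the shared pool. Returns 1 when both observations hold. */
int pid_owned_until_wait(void)
{
    int status, before, after;
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0)
        _exit(0);                          /* child: leave immediately */
    before = kill(child, 0);               /* signal 0: existence probe */
    waitpid(child, &status, 0);
    after = kill(child, 0);                /* ESRCH expected; 0 = reused */
    return before == 0 && after == -1 && errno == ESRCH;
}
```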
<h3 id="operating-systems-positons"><a class="toclink" href="#operating-systems-positons">Operating systems positions</a></h3>
<h4 id="linux"><a class="toclink" href="#linux">Linux</a></h4>
<p>The mainline Linux kernel never implemented <span class="caps">PID</span> randomization; however, this
feature was provided for several years through a security-oriented
third-party patch, which eventually decided to abandon it.</p>
<p>Around 2000-2001, several people tried to implement <span class="caps">PID</span> randomization for
the Linux kernel (examples can be found <a href="http://lkml.iu.edu/hypermail/linux/kernel/0001.1/0400.html" rel="external">here</a> and <a href="http://www.vanheusden.com/Linux/sp/" rel="external">there</a>); however,
none of these patches were accepted by the kernel development team, who rejected
them mostly as <em>“security through obscurity”</em>.</p>
<p>However,
<a href="http://www.vanheusden.com/Linux/rnd_pid_faq.php" rel="external">since randomness may actually increase the global security posture of the <span class="caps">OS</span></a>
and prevent some attacks, these kernel modifications eventually reached their
public through a third-party project: <a href="https://grsecurity.net" rel="external">grsecurity</a>.</p>
<p>This project started in 2001, bringing several new and advanced security
features to the Linux kernel. It allowed randomized PIDs to be enabled or disabled using
a specific <code>sysctl</code> parameter: <code>kernel.grsecurity.rand_pids</code>. However, in
<a href="https://grsecurity.net/news.php#grsec2110" rel="external">late 2006</a> (I guess; I hate news threads mentioning dates with no
year!) they finally decided to drop the randomized <span class="caps">PID</span> functionality:</p>
<blockquote>
<p>grsecurity 2.1.10 was released today for Linux 2.4.34 and 2.6.19.2.
Changes in this release include:</p>
<ul>
<li>Removal of randomized PIDs feature, since it provides no useful
additional security and wastes memory with the 2.6 kernel’s pid bitmap</li>
</ul>
</blockquote>
<h4 id="openbsd"><a class="toclink" href="#openbsd">OpenBSD</a></h4>
<p>As OpenBSD initiated the randomized <span class="caps">PID</span> functionality, it is still present for
historical reasons but has no real security purpose nowadays. It is up to the
applications themselves to ensure they correctly handle fast <span class="caps">PID</span> reuse.</p>
<p>OpenBSD’s aim is to encourage good development practices and thorough code
security auditing. That’s why they consider that
<a href="https://www.mail-archive.com/misc%40openbsd.org/msg138443.html" rel="external">it is not the responsibility of the <span class="caps">OS</span> to protect its users against flawed applications</a>.
On the contrary, an application flaw should be detected as soon as possible and
corrected in the application instead of remaining hidden by the <span class="caps">OS</span>
(<em>“<a href="http://www.openbsd.org/papers/dev-sw-hostile-env.html" rel="external">The sooner we can break it, the sooner we can fix</a>”</em>).</p>
<p>As a side note, while such an assertion is justified for the base <span class="caps">OS</span>, which is
under the direct control of the OpenBSD team, it becomes more debatable for
third-party software:</p>
<ul>
<li>Which <a href="http://www.openbsd.org/faq/faq15.html#Intro" rel="external">does not go through the same audit as the base <span class="caps">OS</span></a>,</li>
<li>While OpenBSD
<a href="http://www.openbsd.org/faq/faq15.html#Ports" rel="external">provides and recommends the use of binary packages over ports</a>,
no binary updates are provided between <span class="caps">OS</span> releases (every 6 months)<sup id="fnref-mtier"><a class="footnote-ref" href="#fn-mtier">1</a></sup>,</li>
<li>Some software versions <a href="http://www.openbsd.org/faq/faq15.html#Latest" rel="external">may be outdated</a>.
In each case this might be either a deliberate choice by the OpenBSD team or
a consequence of the team’s limited resources.</li>
</ul>
<p>However, in this context the OpenBSD team assumes that, for
correctly developed and audited software, the <span class="caps">PID</span> generation algorithm chosen
by the <span class="caps">OS</span> must have no impact (on either stability or security) on the software’s
behavior.
If some software is vulnerable to an attack taking advantage of the <span class="caps">PID</span> being
reused, then
<a href="https://www.mail-archive.com/misc%40openbsd.org/msg138442.html" rel="external">it’s up to the software to be corrected, and not to the <span class="caps">OS</span> to ensure that PIDs are not reused too quickly</a><sup id="fnref-pidtable"><a class="footnote-ref" href="#fn-pidtable">2</a></sup>.</p>
<h4 id="freebsd"><a class="toclink" href="#freebsd">FreeBSD</a></h4>
<p>FreeBSD provides a <code>sysctl</code> parameter allowing the administrator to tune the
<span class="caps">PID</span> generation algorithm from sequential to fully random. It is sequential by default.</p>
<p>FreeBSD <a href="https://svnweb.freebsd.org/base/stable/4/sys/kern/kern_fork.c#rev53842" rel="external">implemented random PIDs in 1999</a> (FreeBSD 4), using OpenBSD as a
reference, and <a href="https://svnweb.freebsd.org/base/stable/4/sys/kern/kern_fork.c#rev53842" rel="external">improved it</a> to let the administrator set a balance between the
potential issues caused by sequential PIDs (mostly <span class="caps">PID</span> prediction) and the potential
issues caused by <span class="caps">PID</span> randomization (<span class="caps">PID</span> reuse and resource consumption).</p>
<p>In fact, FreeBSD’s design seems quite original, since it is not actually the <span class="caps">PID</span>
which is random, but the <span class="caps">PID</span> increment, which is a random value taken between 1
and the <code>kern.randompid</code> parameter:</p>
<ul>
<li>If <span class="caps">PID</span> randomization is disabled, then the increment will always be 1,</li>
<li>At most this parameter can be set to <code>PID_MAX</code><sup id="fnref-pid_max"><a class="footnote-ref" href="#fn-pid_max">3</a></sup>, in which case
the next <span class="caps">PID</span> will be fully randomly chosen.</li>
</ul>
<p>By default <span class="caps">PID</span> randomization is disabled (PIDs are generated sequentially).
To take effect, the <code>kern.randompid</code> parameter must be greater than 100.</p>
<p>If sequential PIDs remain a concern, I would personally recommend setting this
parameter to a low value such as a few hundred: this should be sufficient to
limit trivial <span class="caps">PID</span> prediction issues while avoiding the nastier issues caused by
<span class="caps">PID</span> reuse.</p>
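<p>To make the trade-off concrete, here is an added model of the random-increment scheme described above, written for this page and not taken from FreeBSD’s <code>kern_fork.c</code>: it measures, for a given <code>kern.randompid</code> value, how many forks happen before some <span class="caps">PID</span> value is handed out a second time. It assumes <code>PID_MAX</code> of 99999 and a reserved range below 100, uses a fixed-seed <span class="caps">PRNG</span> for reproducibility, and simplifies by not skipping PIDs still in use.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PID_MAX      99999   /* FreeBSD's PID_MAX */
#define PID_RESERVED 100     /* low PIDs never handed out by this model */
#define PID_RANGE    (PID_MAX - PID_RESERVED + 1)

/* Deterministic xorshift32 so runs are reproducible (the kernel uses a
 * real CSPRNG; this is only a model). */
static uint32_t rng = 2463534242u;
static uint32_t xorshift32(void)
{
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;
    return rng;
}

/* Next PID = last + increment, increment uniform in [1, randompid]
 * (always 1 when randompid == 0), wrapping above PID_MAX back into the
 * non-reserved range. Simplification: PIDs still in use are not skipped. */
int next_pid(int lastpid, int randompid)
{
    uint32_t inc = 1;
    if (randompid > 0)
        inc += xorshift32() % (uint32_t)randompid;
    return PID_RESERVED + (int)(((uint32_t)(lastpid - PID_RESERVED) + inc) % PID_RANGE);
}

/* Forks until some PID value is allocated a second time, i.e. how soon a
 * stale PID kept by a careless program can point at another process.
 * Returns -1 if no reuse happens within maxforks. */
long forks_until_first_reuse(int randompid, long maxforks)
{
    static unsigned char seen[PID_MAX + 1];
    int pid = PID_RESERVED;
    memset(seen, 0, sizeof seen);
    rng = 2463534242u;                  /* same sequence on every call */
    for (long n = 1; n <= maxforks; n++) {
        pid = next_pid(pid, randompid);
        if (seen[pid])
            return n;
        seen[pid] = 1;
    }
    return -1;
}
```

<p>With <code>randompid = 0</code> the first reuse only comes once the whole range has been walked (99901 forks here); with <code>randompid = PID_MAX</code> it arrives after typically a few hundred forks, the birthday bound for a 99900-value space, while a value like 300 cannot reuse anything before at least 334 forks and in practice much later.</p>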
<hr/>
<p class="footnote">Article based on a <a href="https://security.stackexchange.com/q/88692/32746#89961" rel="external">StackExchange answer</a>.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-mtier">
<p>A third-party commercial company, <a href="https://stable.mtier.org/" rel="external">M:Tier</a>, provides its own
update system to reduce this issue. <a class="footnote-backref" href="#fnref-mtier" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn-pidtable">
<p>For the curious, OpenBSD added in 2013 a hardcoded table storing the 100
most recently freed PIDs in order to limit reliability issues on lightly loaded systems.
However, <a href="https://www.mail-archive.com/misc%40openbsd.org/msg138442.html" rel="external">this does not constitute a security measure</a> since it quickly
becomes ineffective under higher load, whether this load is caused by genuine
activity or is part of an attack. <a class="footnote-backref" href="#fnref-pidtable" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn-pid_max">
<p>For the purists, it is actually <code>PID_MAX - 100</code> to cover only the non-reserved <span class="caps">PID</span> range; it can also be set using the special value <code>-1</code>. Out-of-range values are corrected immediately when the <code>sysctl</code> parameter is set, so there is no risk of causing any damage here anyway. <a class="footnote-backref" href="#fnref-pid_max" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>