ABSTRACT. I'd like to keep it somewhat flexible, as I am for the Lillehammer meeting. It'll be related to DNS and security, likely oriented toward DoH, but with specifics that I either don't know yet or don't want to pre-announce.
ABSTRACT. The sendfile(2) system call provides an efficient, zero-copy mechanism for transferring large amounts of static content to remote clients over a network socket. It is particularly well suited to fulfilling replies to FTP and HTTP requests. When encryption is added to HTTP via TLS, this efficiency is lost in current FreeBSD systems. For several years, Netflix has worked on a long-running project to enable the efficiency and performance of sendfile(2) when using TLS for HTTP. This talk will describe the motivation for performing TLS framing and encryption in the kernel and describe the current implementation. It will also provide a brief history of how the implementation has evolved over time to support TLS offload in network interface cards.
Learning to (Open)BSD through its porting system: an attendee-driven educational session
ABSTRACT. This workshop is an educational session on learning (Open)BSD through its porting system. It combines the "new to BSD" session run at BSDCan with some hands-on programming work.
Topics likely to be covered: 1) Learn *BSD lingo, 2) Some history, 3) How to set up an (Open)BSD system from the perspective of an (average) user (think: a nice X desktop), 4) History of ports and packages (broad-based *BSD survey), 5) An overview of writing your own (Open)BSD port
Designed for attendees to come in and out, it is a supplement to the talks. Take a break from talks with some hands-on hacking!
ABSTRACT. The ways in which many users discover and adopt FreeBSD have changed recently; my story is one of beginning as a novice FreeNAS user, progressing to become a well-known FreeNAS power user, and ultimately transforming into a FreeBSD user. This highway, however, has a few tolls. In this presentation, we explore some of the social and technical details of my transformation, with particular attention to the interesting challenges and learning opportunities along the way. There will be more coming after me as FreeNAS speaks more and more to its functionality as a user appliance, and less as a veneer over FreeBSD. While the subject of the talk is certainly applicable to the many users considering the same transition, perhaps more importantly it demonstrates how our recruitment ecosystem may scarcely resemble its former self.
ABSTRACT. With FreeBSD renewing its focus on security, NetBSD enabling its
PaX ASLR and NOEXEC implementations by default, OpenBSD's continued
striving for code correctness and strangely attractive APIs,
DragonFlyBSD's recent adoption of SMAP and SMEP, and HardenedBSD's
continued advancements in the adoption of Control-Flow Integrity (CFI)
and SafeStack, there has never been a better time to work in information
security within the BSDs.
This presentation dives into the intricacies of various exploit
mitigations, their use cases, their weaknesses, the status of
their adoption within each of the BSDs, and where we need to be in the
future.
The goal of security is to raise the economic cost of successful
exploitation. We will discuss in detail the different exploit
mitigations, how they work, when and where each mitigation succeeds
and fails, and the history behind each mitigation. Each mitigation can
be implemented differently and care will be taken to discuss each
difference within the BSDs, Linux, and Windows.
The BSDs are making great strides implementing innovative and unique
solutions that protect us from monocultures. Diversity, even within
the BSDs, provides users with different tools for solving difficult
problems.
The BSDs, however, are at a point where collaboration regarding
security vulnerabilities is critical in order to provide protection to
an ever-wider audience. Though individual projects may disagree on the
merits of certain technical implementations, diversity of thought
throughout the vulnerability reporting lifecycle will ensure that the
solutions resolving the vulnerability are robust, scalable, and don't
introduce new issues. Increased collaboration, rather than
"ad-hominem attacks as keynotes" will guarantee the strongest
innovations in security going forward. Let's piss off the bad guys
together!
Replacing an Oracle Server with FreeBSD, OpenZFS, and PostgreSQL
ABSTRACT. In this talk, we will present how we replaced a Windows-based Oracle server that has been used in the CS department of the University of Applied Sciences, Darmstadt in the database education of our undergraduate students with FreeBSD 12.0, OpenZFS, and PostgreSQL 10.
We will briefly explain the use of the server in our database labs and what the pain points were (costs, usability, missing features, etc.) in the past. We will then outline how we built our new solution, addressing these pain points. FreeBSD plays a central role in this solution not only as the base operating system, but also as the system providing students with a self-service to register themselves with the database and create accounts. This avoids the creation of a massive number of dummy accounts at the beginning of the semester, which was done with the Oracle server. With the new solution, students can use their own university account provided by LDAP. Everything is nicely hooked together with a couple of scripts and open source software. Had we built this solution with Oracle, we would have needed additional licenses simply to connect to our LDAP server.
With OpenZFS, we have a quick and easy way to reset a working lab configuration to a clean state after the semester. Additionally, we benefit from dataset compression and some specific tuning of the PostgreSQL database for ZFS. This will be outlined in the talk by presenting the relevant configuration settings and datasets, as well as some ARC stats. We achieved good compression rates on the database (one third of the original size) and logs (nearly 12 times), something we would not have gotten for free from any other filesystem.
FreeBSD provided us with the necessary tooling to set up the system fairly easily and cost-effectively, which is an important factor in academia in times of short budgets. The open source nature of the operating system and database allows new approaches in our academic education in the field of databases which were not available to us before. For example, DTrace probes can now be used to show the path of a transaction through the database to the disk.
The solution we've built has been used for two semesters (one year) now with great success. We will present some future work and lessons from the two semesters at the end of our talk. Sysadmins will get an insight from our talk into how systems in academia are managed. The solution we've built can be adopted by other academic institutions and companies dealing with similar issues.
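As an added example (not the authors' own scripts, which the talk presents), the following POSIX shell sketch shows the kind of ZFS dataset layout and semester-reset step the abstract describes, for a FreeBSD host running PostgreSQL 10 from packages. The pool name tank, the mountpoint /var/db/postgres, the snapshot name clean-lab, and the property choices (8K records on the data dataset to match PostgreSQL's page size, lz4 compression, atime off, separate WAL and log datasets) are assumptions to be checked against the site's own measurements; DRYRUN=1 prints each privileged command instead of executing it.

```shell
#!/bin/sh
# Added example, not the authors' code. Pool, paths, snapshot name and
# property choices are assumptions. DRYRUN=1 echoes privileged commands.
run() { if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi; }

# Dataset layout: $1 = pool, $2 = PostgreSQL major version (FreeBSD's pkg
# uses /var/db/postgres/dataNN as PGDATA). Data and WAL get separate
# datasets so each carries its own recordsize and ZIL policy.
create_pg_datasets() {
    pool=$1; ver=${2:-10}; base="$pool/postgres"
    # Inherited by every child: lz4 is cheap enough to leave on everywhere
    # and is what produces the compression ratios the abstract reports.
    run zfs create -o compression=lz4 -o atime=off -o mountpoint=/var/db/postgres "$base"
    # Heap and index files: 8K records match PostgreSQL's page size, so a
    # single page rewrite is not a read-modify-write of a 128K record.
    # logbias=throughput sends sync writes to the pool instead of the ZIL.
    run zfs create -o recordsize=8K -o logbias=throughput "$base/data$ver"
    # WAL: sequential, fsync-bound appends; keep default recordsize and the
    # latency (ZIL) policy. Point initdb at it with -X /var/db/postgres/wal$ver.
    run zfs create -o logbias=latency "$base/wal$ver"
    # Text server logs: the largest records compress best.
    run zfs create -o recordsize=1M "$base/log"
}

# postgresql.conf lines that follow from running on ZFS; printed so the
# operator can append them to $PGDATA/postgresql.conf after reviewing them.
pg_conf_for_zfs() {
    cat <<'EOF'
# ZFS is copy-on-write and never leaves a partially written block, so the
# torn-page protection that full-page images provide only inflates the WAL.
# Assumption to verify on your storage before relying on it.
full_page_writes = off
EOF
}

# Semester reset, step 1: snapshot every dataset while the lab is clean.
snapshot_clean_state() {
    run zfs snapshot -r "$1/postgres@clean-lab"
}

# Step 2: roll each dataset back with the server stopped. Note that
# `zfs rollback -r` is not recursive over child datasets (-r only discards
# snapshots newer than the target), so every dataset is rolled back by name.
reset_to_clean_state() {
    pool=$1; ver=${2:-10}
    run service postgresql stop
    for ds in "$pool/postgres/data$ver" "$pool/postgres/wal$ver" "$pool/postgres/log"; do
        run zfs rollback -r "$ds@clean-lab"
    done
    run service postgresql start
}

# After a semester, `zfs get -r compressratio tank/postgres` shows what the
# lz4 setting actually bought on data versus logs.
```

Run with `DRYRUN=1 create_pg_datasets tank 10` first to review the exact commands, then without DRYRUN as root once the layout looks right.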
ABSTRACT. Jails started as a limited virtualization system, but over the decades they've become more and more powerful. This talk takes you through what modern jails can do, discarding the limits of what they were and demonstrating what they can be today.
We'll cover jails using the base system specifically:
jails as VMs
configuring the jail host
properties and parameters
jail management
packages and upgrades
base jails
virtual networking with VNET
firewalls in jails
jails in jails
resource restrictions
You'll leave with an understanding of what modern jails can and cannot do, and hints for future development.
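As an added example tying several of the listed topics together (it is not material from the talk), this POSIX shell script generates a jail.conf(5) entry for a VNET jail that runs its own pf firewall and may host two nested jails, then caps it with rctl(8). The jail name, path, hostname domain, bridge, epair unit, and the resource limits are assumptions; the devfs ruleset number 5 assumes the devfsrules_jail_vnet ruleset shipped in /etc/defaults/devfs.rules on current FreeBSD, and rctl requires kern.racct.enable=1 in /boot/loader.conf. DRYRUN=1 prints privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not the speaker's material. Names, paths, bridge, epair unit
# and limits are assumptions. DRYRUN=1 echoes privileged commands.
run() { if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi; }

# Print a jail.conf fragment: $1 = jail name, $2 = host bridge, $3 = epair unit.
# The shell expands $name/$bridge/$unit; the escaped \$name and \${epair}
# are left for jail(8)'s own variable expansion.
jail_conf_fragment() {
    name=$1; bridge=${2:-bridge0}; unit=${3:-0}
    cat <<EOF
# Defaults inherited by every jail defined after them
exec.start  = "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path          = "/usr/jails/\$name";
host.hostname = "\$name.example.org";

$name {
    # Own network stack: routing table, interfaces and pf state live in the jail
    vnet;
    \$epair = "epair$unit";
    vnet.interface = "\${epair}b";
    exec.prestart  = "ifconfig \${epair} create";
    exec.prestart += "ifconfig \${epair}a up";
    exec.prestart += "ifconfig $bridge addm \${epair}a";
    exec.poststop  = "ifconfig \${epair}a destroy";
    # Firewall in the jail: ruleset 5 (devfsrules_jail_vnet on current FreeBSD)
    # unhides /dev/pf and /dev/bpf*; the jail's own /etc/rc.conf then sets
    # pf_enable="YES" and gives epair${unit}b its address.
    devfs_ruleset = 5;
    # Jails in jails: up to two children, which must mount their own devfs,
    # so the parent gets the mount allowances and a relaxed statfs view.
    children.max = 2;
    allow.mount;
    allow.mount.devfs;
    enforce_statfs = 1;
    # pf does not need raw sockets; leave them off unless ping/traceroute matter
    allow.raw_sockets = 0;
}
EOF
}

# Resource restrictions. Rules given to rctl -a live until reboot; put the
# same lines in /etc/rctl.conf to have them reloaded at boot.
limit_jail() {
    name=$1
    run rctl -a "jail:$name:memoryuse:deny=2g"
    run rctl -a "jail:$name:maxproc:deny=256"
    run rctl -a "jail:$name:openfiles:deny=16384"
}

# Create the jail from the generated file and print the parameters that matter.
start_jail() {
    name=$1
    run jail -f /etc/jail.conf -c "$name"
    run jls -j "$name" vnet children.max enforce_statfs
}
```

Typical use: `jail_conf_fragment web bridge0 0 > /etc/jail.conf`, review it, then `start_jail web` and `limit_jail web` as root. The VNET jail's pf rules are loaded by the jail's own rc, so the host's pf never sees or filters that traffic unless the bridge itself is filtered.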