This page lists the presentations, papers, and talks.
If you would like to add an item to this list, please contact us at
papers@bsdcan.org.
"Because it has to be free" - Wireless support in OpenBSD
The OpenBSD project produces a free, multi-platform 4.4BSD-based
UNIX-like operating system. Their efforts emphasize portability,
standardization, correctness, proactive security and integrated
cryptography.
The developers of OpenBSD are very careful about licensing issues and
the consequent use of free software in their base system. Recently, this
has most notably resulted in missing support for many Wireless LAN
chipsets due to the non-openness of manufacturers - either they require
the usage of their very restrictively licensed firmware or the usage of
precompiled, binary-only kernel objects which control hardware access to
the chipsets.
This speech addresses these problems and how various manufacturers could
be convinced to release their firmwares under less restrictive licenses,
how the Open Source HAL module for the ath(4) driver was developed as
well as details about the enhanced WLAN support with new drivers and
features for the upcoming OpenBSD release 3.7. The Open Source community
has support for nearly all Ethernet, SCSI and RAID chipsets and why
shouldn't there be Open Source support for all of the Wireless LAN
chipsets? Or is "Wireless 802.11 a Microsoft only technology?"
speaker: Reyk Floeter
location: SITE B0138
A new security issue
At the request of the author, we are not disclosing details until closer to the conference.
speaker: Colin Percival
location: SITE B0138
DocBook Slides, XSLT, and XSL-FO
The presentation will describe the DocBook slides infrastructure and
how it can be used to automatically import content from other XML
documents to keep slides up to date. I will examine the FreeBSD
doc/en_US.ISO8859-1/slides implementation that pulls in content
from the release notes, includes files for the most recent releases
of FreeBSD, etc.
The presentation will also deal with XSL-FO processors. The open
source PassiveTeX is not a viable platform for producing high
quality PDF slides because of the lack of support for background
images in flow object regions. Therefore I will examine other Java
based open source solutions, and the commercial Java based XSL-FO
processors that can produce very high quality slides.
speaker: Murray Stokely
location: SITE G0103
Easy Software-Installation with pkgsrc
This presentation contains information about the general problems
encountered when installing and managing open source software, and
introduces the pkgsrc system, which can be used to install software
easily from source, independent of your operating system. Instead of
knowing details like xmkmf, autoconf, libtool and Makefiles, a simple
"make install" is enough to install a package (and all its
dependencies).
The pkgsrc system will download the package's sources, which are then
unpacked, patched, configured, compiled and installed for later querying
and removing. The pkgsrc system is based on the NetBSD Packages
Collection and was ported to a number of other operating systems like
Linux, FreeBSD, OpenBSD, MacOS X, Solaris, Irix and even MS Windows.
speaker: D'Arcy J.M. Cain
location: SITE H0104
Free (or nearly Free) Spam Reduction with PF and Spamd
Spamd is a small, non-forking minimal smtp implementation used for spam
deferral. It can be used both to blacklist connections to a tarpit for
known spam sources, or greylist smtp connections from previously seen MTAs.
Like many common greylisting implementations, spamd will greylist
based on the incoming tuple of connecting IP address, envelope-from, and
envelope-to addresses. Unlike many other greylisting implementations,
spamd uses the packet filtering mechanisms in pf to control the
greylisting of mail connections, and whitelists known MTAs, once seen.
Best of all it's MTA independent, so you don't need to either run
it on your MTA, or take a load for doing greylisting on your MTA box.
All you need do is put it on a firewall in front of it. As such, in
typical setups we have found it will reduce the amount of mail that
will need to be received by a mailserver by 60% or more in practice,
with practically no collateral damage.
This paper will cover the concepts of greylisting and blacklisting,
compare spamd to other implementations, and cover current and future
feature sets. It will also discuss the setup of a large mail cluster
using spamd and pf, as well as various statistics seen for various
spam blocking tactics in the wild (including Caller-ID/SPF), particularly
to address why spamd does and does not implement certain tactics for
spam blocking.
speaker: Bob Beck
location: SITE G0103
FreeBSD Wireless Networking Support
The net80211 layer is a device-independent implementation of the 802.11
network protocols that is a standard part of FreeBSD. It is derived
from earlier work done for NetBSD but has undergone almost a complete
rewrite to support contemporary wireless devices. Net80211 is designed
to be reasonably portable; it is used--in one form or another--by all
BSD systems and by several Linux-based projects. In the past year this
software has undergone major changes to support security protocols such
as WPA and 802.11i and for multi-media extensions such as WME. Recent
work virtualizes the notion of an 802.11 station to support interesting
applications such as multiple "virtual access points" operating on top
of a single device and wireless bridge/repeaters.
This talk will describe the basics of 802.11 wireless networks and
discuss the design of the net80211 layer. Examples will demonstrate how
the net80211 layer is used by device drivers to implement full-featured
systems.
speaker: Sam Leffler
location: SITE H0104
FreeBSD, Release Engineering, Future Goals
FreeBSD has undergone several significant transformations since the
decision was made 5 years ago to pursue fine-grained locking and
threading in the kernel. The result is a network and storage stack that
runs multi-threaded and takes advantage of multiple CPUs, along with
many other kernel services that now run in parallel. There have also
been many changes in the development aspects of FreeBSD, including the
introduction of Perforce to augment source control, more active Release
Engineering participation, and a switch to a more focused release cycle.
This presentation will describe the technical and developmental
transitions from FreeBSD 4 to FreeBSD 5 and on to FreeBSD 6, the role
that the Release Engineering team plays in development, the lessons
learned from the FreeBSD 5 development cycle, and what to look forward
to in FreeBSD 6 and beyond.
speaker: Scott Long
location: SITE B0138
FreeSBIE
FreeSBIE <http://www.freesbie.org/> is a LiveCD based on the FreeBSD operating system developed
mainly by a group of Italian people, and supported by the Italian
FreeBSD Users Group, known as GUFI <http://www.gufi.org/>. The first release (1.0) came to
life on April 15th, 2004, with 1.1 following on December 6th.
But FreeSBIE is not only an ISO file you can download from one of our
mirrors; it consists of a toolkit to provide any user with the ability
to create their very own, fully customized, LiveCD. As a small project,
made of about 5 people, FreeSBIE was awarded a prize for best user
interaction in an Italian Open source projects contest.
The idea behind the talk is to instruct the audience about the
engineering behind a FreeSBIE LiveCD and its toolkit, and the background
needed to create their own release.
speakers: Massimiliano Stucchi, Matteo Riondato
location: SITE B0138
GNOME on BSD
The GNOME Desktop Environment is a complete productivity
and administration environment for the X11 Window System. This
presentation introduces GNOME, and shows how the GNOME Desktop
Environment can augment a BSD system. Users, developers, and
administrators alike will see how GNOME can make their BSD experience
easier, smoother, and more attractive.
speaker: Adam Weinberger
location: SITE B0138
ICMP attacks against TCP
The ICMP protocol is a fundamental part of the TCP/IP protocol suite, and is
used mainly for reporting network error conditions. However, the current
IETF specifications do not recommend any kind of security checks on the
received ICMP error messages, thus leaving the door open to a variety of
attacks. ICMP can be used to perform a number of attacks against the TCP
protocol, which include blind connection-reset and blind
throughput-reduction attacks.
Fernando will introduce the attacks that can be performed against TCP by
means of ICMP, and will discuss the possible counter-measures against them.
Of particular interest will be a discussion of a counter-measure for the
attack against the Path-MTU discovery mechanism, and a discussion of
advanced packet filtering policies that could be used to mitigate the
impact of these attacks.
speaker: Fernando Gont
location: SITE G0103
ioctl is just soooo 1980ies
Proper design of userland kernel APIs is changing with the
times. Once ioctl() was the catch-all way to communicate
things, but that was back when both software and hardware
stayed the same from boot to crash. With loadable modules
and pluggable hardware, ioctl() is just not enough.
Poul-Henning will talk about the concerns to be addressed
and methods available to design modern APIs, and go through
a number of his creations: GEOM's XML export and g_ctl(),
nmount(2), device_statistics export, etc.
speaker: Poul-Henning Kamp
location: SITE G0103
Jailing with FreeBSD jail(8)
Early unix mainframe computing brought elegant process and resource
sharing systems which helped get more application use out of expensive
hardware. These concerns have largely been pushed aside in
computing with the rise of desktop PCs, and large farms of
ever-shrinking pizza boxes in the data center.
Today, as more punch gets packed into 1U than ever, server resources
can be further consolidated and abstracted to securely separate complex
and sophisticated services in the same hardware server, by running
secure virtual UNIX machines. FreeBSD Jails are a time-tested, secure,
reliable UNIX virtual machine with endless uses.
Who wants jails?
- System Administrators who need to securely separate small yet
important services.
- Software Developers who always need more dev machines.
- System Architects who need affordable high-availability systems.
- Educators who could use virtual machines to provide clean unix server
systems for student use.
What I think people would like me to talk about:
- How Jails Work, the technical nitty-gritty
- How to setup jails, the practical how-to, cooking show style...
- When NOT to use jails
- jail(8) security vulnerabilities
- Jails vs. Linux UML, technical and philosophical differences
- Tools and management practices
speaker: Isaac Levy
location: SITE H0104
Keeping FreeBSD Up-To-Date
An important system administration task, and a principle of running a defensible network, is keeping operating systems and applications up-to-date. Running current software is critical when older services are vulnerable to exploitation. Obtaining new features not found in older applications is another reason to run current software. Fortunately, open source software offers a variety of means to give users a secure, capable computing environment.
This talk presents multiple ways to keep the FreeBSD operating system up-to-date. I take a FreeBSD 5.2.1 RELEASE system through a subset of security advisories to explain the different sorts of patches an administrator might apply. Time-permitting, ways to keep FreeBSD applications up-to-date will be presented as well.
speaker: Richard Bejtlich
location: SITE G0103
live network backup
Want the robustness of disk mirroring in the face of dead disks,
but you have lots of small disks and not enough duplicates? Have
one big disk somewhere? Got a network? Mirror those small disks
over the network onto the big one! This talk describes the design
of such a system and implementation experience with it - and no, we
don't mean SAN-style networking.
speaker: der Mouse
location: SITE H0104
Montreal Wireless Group
The 2004 talk from the Montreal wireless group was very popular. They have been working on Wifidog, an embedded
captive portal written in C that they use on the Linksys
wrt54g. They have also become the biggest hotspot
provider in Montreal (with 20 hotspots) and are
growing rapidly.
The talk will concentrate on IleSansFil and the community aspect for 20 minutes, and
on WiFiDog and the technical aspect for 40 minutes.
speaker: Mina Naguib
location: SITE H0104
More Tools for Network Security Monitoring
The purpose of this talk is to improve an administrator's awareness of the
hosts and services on a network using open source tools. First I will
introduce dhcpdump, a tool to sniff DHCP traffic. Admins can use this
tool to keep track of IP addresses assigned to systems as they join a
network, independent of any logs kept by the DHCP server.
Next I will explain the Passive Asset Detection System (PADS), a tool
which watches network traffic and records the services it sees. This
program helps an admin passively enumerate services; it is not an active
assessment application like Nessus.
After PADS, I will describe P0f. This tool determines the operating
system of hosts it sees communicating on the network. It complements
PADS, which does not make OS guesses.
Finally I will provide information on the Security Analyst Network
Connection Profiler (SANCP). SANCP is a session data collection program
which passively summarizes conversations on the network. It can track TCP
flows and estimate sessions for stateless protocols like UDP and ICMP. SANCP is integrated with Sguil, the subject of my talk at BSDCan 2004.
All of these programs work on UNIX and most are in the FreeBSD ports tree.
I will give installation instructions and sample output from each.
Should I have any extra time to spare, I may cover other open source tools
for NSM purposes. I have a few others in mind already. I'll probably
build a case study around using these tools.
speaker: Richard Bejtlich
location not assigned
Network Stack Randomness
The OpenBSD project has been very aggressive in its use of strong
pseudo-random data in its network code; as a policy, pseudo-random data
is used in protocol fields wherever possible, in many cases in a way not
envisioned by the protocol designers. Randomness is also used within the
network code to protect against denial of service attacks.
This presentation outlines the reasons for this approach, discusses how
and where it is implemented in OpenBSD, and provides examples of attacks
which this approach has mitigated.
Why this is important:
This provides real security benefits. We want people to:
- implement and turn on this stuff by default in other OSes,
- in particular, the more people that do this, the less
applications will depend on the broken behaviour.
- point out any other possible randomisations that we have missed
speaker: Ryan McBride
location: SITE H0104
OpenBGPD
The talk gives a short overview of the BGP protocol and existing
implementations, especially looking at their respective weaknesses, and
then explains how we designed OpenBGPD for maximum security and
performance, including an explanation of privilege separation.
speaker: Henning Brauer
location: SITE B0138
SEBSD: Port of SELinux FLASK/Type Enforcement to FreeBSD using the TrustedBSD MAC Framework
NSA's SELinux provides a set of security extensions to the Linux operating
system based on the mandatory Type Enforcement policy language, permitting
administrators to constrain the behavior of applications in a fine-grained
way. SEBSD is a port of FLASK and TE from Linux to run as a TrustedBSD
MAC Framework policy module on the FreeBSD operating system.
This talk describes the FLASK/TE security technology, extensions made to
the MAC Framework to port the system to FreeBSD, and sample applications
of the SEBSD policy module to improve system security. This talk is
appropriate for system developers and system administrators interested in
access control policies and implementation.
speaker: Chris Vance
location: SITE G0103
The FreeBSD Package Cluster
I will describe the structure and implementation of the FreeBSD
Package Cluster. The package cluster is used to build binary packages
of third-party software from the FreeBSD Ports Collection, for all
supported FreeBSD architectures and releases, as well as performing QA
of the ports collection and of the FreeBSD-current and FreeBSD-stable
branches.
A full package build for the i386 4.x branch takes less than 24 hours
to build 11000 packages, using 27 client build machines (Pentium 3
800MHz or slower). Achieving this level of performance has required a
number of optimizations, which I will describe in detail. I will also
describe plans for future work.
speaker: Kris Kennaway
location: SITE G0103
The FreeBSD SMPng Network Stack - Adapting the FreeBSD Network Stack for Threaded, Multi-Processor Operation
FreeBSD 5.3 was the first production release of FreeBSD to ship with the
initial results of the multi-year SMPng Project. SMPng is a substantial
change to the BSD kernel architecture to improve kernel concurrency and
preemption by moving to finer-grained synchronization primitives. As part
of this work, the FreeBSD network stack was modified to no longer require
the Giant lock for correctness, allowing user processes and multiple
kernel threads to execute in the network stack in parallel. The use of
finer grained synchronization requires careful consideration of competing
concerns, however: the cost of additional synchronization balanced with
improved concurrency and reduced latency.
This paper/talk discusses the architectural goals, implementation
process, performance measurements, and refinement associated with the
Netperf project, as well as future directions for continued performance
improvement. While oriented at developers with kernel or application
threading experience, the talk may also be interesting to users wanting
to learn about system performance optimization and operating system
design trade-offs.
speaker: Robert Watson
location: SITE H0104
TrustedBSD Audit: BSM Security Event Logging for FreeBSD
Security Audit is a security feature provided by most commercial operating
systems to track security-related events in security-critical
environments, but currently not available in most open source systems.
This talk describes the FreeBSD Audit implementation, based on the Darwin
audit implementation, which provides the industry-standard BSM token
stream format and application programming interface. We discuss an audit
event stream engine introduced into the FreeBSD kernel, modifications
throughout the kernel to capture security event information, the BSM audit
format and APIs, and the pre-selection/post-selection "interest" mechanism
that allows the administrator to select what types of events should be
logged.
This talk is appropriate for system developers and system administrators
interested in security event logging.
speaker not assigned
location: SITE B0138
What is VuXML
- What is VuXML? (XML application, tools, web site)
- Why was VuXML created? (history, design goals)
- How is VuXML used today?
- The VuXML document format (in detail)
- Tips for creating and committing/submitting entries
- VuXML.org features
- Future work
speaker: Jacques Vidrine
location: SITE H0104
Work In Progress Session
This year, BSDCan will be hosting a set of Work-in-Progress (WIP) sessions, which will offer an opportunity for individuals or groups to give up to five-minute presentations on an on-going project. Slides are permitted but not obligatory, but pictures are highly recommended! Typical topics for WIPs might include new open source software projects, specific works in progress for future releases of existing projects, student projects, or other new and interesting things. WIP topics this year may make good conference papers for next year!
A one hour time slot is available for WIPs, so the number of slots is limited! Sign up well in advance to be assured a spot. Please e-mail papers@bsdcan.org to sign up -- send a one or two paragraph summary of the topic to be presented, and the person(s) presenting it. Also, please give a time estimate -- typically times will be one to five minutes. The time limit will be strictly enforced. The WIP e-mail registration deadline is May 6, after which remaining slots (if any) may be signed up for in person. Any slides must be provided in advance, in PDF, Open Office, or Powerpoint format. The WIP session will be chaired by Robert Watson. The deadline for slides is midnight Friday 13 May 2005 and they should be sent to rwatson@FreeBSD.org.
speaker not assigned
location: SITE B0138