# How much is secure FreeBSD?



## P15C15 (Jan 13, 2019)

A time ago, I read about two malware, or some alike, I don't remember well. Well, these defects in the processors could be used for a hacker to get info which is storaged in the system. My question is: how much trusted can I be of FreeBSD? It is possible that someone try to use this malwares to obtain information? The two malware where called "Spectre", and "Meltdown".


----------



## getopt (Jan 13, 2019)

P15C15 said:


> My question is: how much trusted can I be of FreeBSD?


Trust is a highly subjective category which cannot be quantified without any calibration. Most people ask for trust just to get reassured but that does make little sense. A careless admin can ruin any hardened installation. Security is a bad term in IT as there is little to none security to be sold. What you can do is trying to harden your installations.



P15C15 said:


> It is possible that someone try to use this malwares to obtain information?


Which malwares? You did not reference anyone. So take this one:

Is it possible? A lot is possible. The question is how likely it is that you get hurt. When it comes to exploiting, economy matters.


----------



## P15C15 (Jan 13, 2019)

getopt said:


> Which malwares?


These: https://www.google.com/url?sa=t&rct...ability-faq/&usg=AOvVaw0npYuY73v4lgjPV_koHyQI


----------



## P15C15 (Jan 13, 2019)

In fact, not viruses. But a fail in the processors. As I remember, this was discovered in processors of Intel and AMD, I think.
I read a post were it says that such fails can be used to skip the restrictions of security, and access wit no problems to the core of the system.


----------



## VladiBG (Jan 13, 2019)

https://www.freebsd.org/security/advisories/FreeBSD-SA-18:03.speculative_execution.asc


----------



## ralphbsz (Jan 13, 2019)

P15C15 said:


> In fact, not viruses. But a fail in the processors.
> 
> I read a post were it says that such fails can be used to skip the restrictions of security, and access wit no problems to the core of the system.


Well, the underlying problem in Spectre and Meltdown is indeed not a virus.  It is a defect or bug in the design of the CPU, which allows one process to spy on memory of other processes or of the kernel; in particular it allows one to spy on privileged processes, and it allows finding valuable content in memory, like encryption keys or authentication tokens (keys).  But to exploit this, you need the malware to run on your system first and try to exploit that.  And that malware is typically called a virus.  So in a nutshell, you still need a virus.  It's a lot like medicine: Spectre and friends simply make it that the "immune system" of the processor is not as good as it should be, allowing a virus to do more damage.



> As I remember, this was discovered in processors of Intel and AMD, I think.


And many others, including PowerPC.  There is a whole slew of security problems that are related to speculative execution and caches.  Obviously, Intel has the most such problems.  That's not a reflection of Intel being the worst CPUs, but of it getting the most attention from security researchers, because it is also the most common platform out there.  But other processor families also have some of the same problems, some more, some less.  And different processor families have had different amounts of fixes applied to these problems; sometimes the fixes are in CPU firmware, sometimes in OS changes.  There is a huge number of posts on this forum about these topics.

The real problem is that you are asking the wrong question: How much can you trust FreeBSD?  Well, somewhat.  Clearly, it has done some work to limit the impact from these security openings.  Other OSes have done different amounts, and I really don't feel like starting a mud-slinging war to discuss which OS is better or worse.  The real issue is not whether one OS is particularly better than the other.  But because all these security vulnerabilities need an exploit (a virus) to use them, the issue is whether your particular installation is secure against intrusion or not.  If you run your computers like some military and intelligence agencies do (with absolutely no connection between the computer and the outside world, known as an "air gap"), then your computer will be perfectly secure, in spite of all Spectre, Meltdown, and *BSD.  If you put your computer on the world-wide internet without NAT, packet filtering, firewall, and with the root password being "password" or "12345", then you are completely screwed, independent of Spectre and Meltdown.

In practice, what you need to think about is: Which operating system or distribution or installation will enable *YOU* to configure *YOUR* system to be maximally secure, and how much work do you want to invest in this (versus just accepting that there is an acceptable level of risk and living with it).  In and of itself, the choice of FreeBSD makes only a minor difference in that.


----------



## ralphbsz (Jan 14, 2019)

OpenBSD advertises a similar statistic.

Today, there are large companies that have all or a large part of their compute environment outside of a corporate firewall, and that's mostly using Linux.  This is not something uncommon. If you read the Usenix magazine (it's called ;login! or some similar random characters around the word "login"), there were a few articles about that a year of two ago.

With good management and clear objectives, most systems can be made secure, including Linux and Windows.  With stupidity, no system will ever be secure.


----------



## Deleted member 30996 (Jan 14, 2019)

P15C15 said:


> In fact, not viruses. But a fail in the processors. As I remember, this was discovered in processors of Intel and AMD, I think.
> I read a post were it says that such fails can be used to *skip the restrictions of security*, and access wit no problems to the core of the system.



That depends on what security restrictions you have in place.

Do you surf the web with Scripting enabled?


----------

