OpenBSD security features
The OpenBSD operating system is noted for its security focus and for the development of a number of security features.

API and build changes

Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the strcpy and strcat string functions in the C programming language. There are two common alternatives, strncpy and strncat, but they can be difficult to understand and easy to misuse, so OpenBSD developers Todd C. Miller and Theo de Raadt designed the strlcpy and strlcat functions. These functions are logical and easier to use, making it harder for programmers to accidentally leave buffers unterminated or allow them to be overflowed. They have been adopted by the NetBSD and FreeBSD projects but have not been accepted by the GNU C library, the maintainer of which, Ulrich Drepper, vehemently opposes their incorporation on the grounds that programmers using them will cease to worry about the root issues inspiring their use, which may still be exploitable in a different way.
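The following is an added illustration, not OpenBSD's own source: reimplementations with strlcpy(3)/strlcat(3) semantics (always NUL-terminate, return the length the caller tried to create so truncation can be checked) beside a demonstration of the strncpy pitfall they were designed to replace. The function names my_strlcpy, my_strlcat, copy_checked and strncpy_leaves_unterminated are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* strlcpy semantics: copy at most size-1 bytes, always NUL-terminate when
 * size > 0, and return strlen(src) so the caller can detect truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strlcat semantics: append src to the string in dst (whole buffer is `size`
 * bytes).  Returns the length it tried to create; >= size means truncation. */
size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0')   /* bounded strlen of dst */
        dstlen++;
    if (dstlen == size)                            /* dst unterminated: append nothing */
        return size + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, size - dstlen);
}

/* The strncpy pitfall: an overlong source fills dst completely and leaves it
 * without a terminating NUL.  Returns 1 if dst is unterminated, 0 otherwise. */
int strncpy_leaves_unterminated(const char *src, size_t size)
{
    char buf[32];
    if (size > sizeof buf) return -1;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) == NULL;
}

/* Idiomatic use: copy and report truncation instead of silently losing data.
 * Returns 1 when src did not fit, 0 on a complete copy. */
int copy_checked(char *dst, size_t size, const char *src)
{
    return my_strlcpy(dst, src, size) >= size;
}

int main(void)
{
    char buf[8];
    int trunc = copy_checked(buf, sizeof buf, "much too long");
    printf("truncated=%d buf=\"%s\"\n", trunc, buf);
    printf("strncpy left buffer unterminated=%d\n",
           strncpy_leaves_unterminated("0123456789ABCDEFGH", 16));
    return 0;
}
```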

On OpenBSD, the linker has been changed to issue a warning when unsafe functions are found, such as strcpy, strcat, or sprintf (another string-manipulation function that is a frequent cause of errors). All occurrences of these functions in the OpenBSD source tree have been replaced. In addition, a static bounds checker is included in OpenBSD in an attempt to find other common programming mistakes at compile time. Other security-related APIs developed by the OpenBSD project are issetugid and arc4random.

Memory protection

OpenBSD integrates several technologies to help protect the operating system from attacks such as buffer overflows or integer overflows.

Developed by Hiroaki Etoh, ProPolice is a GCC extension for protecting applications from stack-smashing attacks. In order to make this possible, it performs a number of operations: local stack variables are reordered to place buffers after pointers, protecting them from corruption in case of a buffer overflow; pointers from function arguments are also placed before local buffers; and a canary value is placed after local buffers which, when the function exits, can sometimes be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection. It was integrated into the OpenBSD GCC in December 2002, and first made available in version 3.3; it was applied to the kernel in release 3.4. The extension works on all the CPU architectures supported by OpenBSD and is activated by default, so any C code compiled will be protected without user intervention.
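As an added illustration (not ProPolice or OpenBSD code), the frame layout described above is modelled as an explicit struct so that the two effects can be observed in defined behaviour: an out-of-bounds copy into the buffer changes the canary before it can reach the saved return address, while in the unreordered layout the same copy silently rewrites a neighbouring pointer. The struct names, the fixed canary constant and the run_frame/run_naive_frame functions are this example's own constructions; a real canary is random per process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout ProPolice produces, modelled as a struct rather than compiler
 * output: pointer locals first, the array after them, and a canary between
 * the array and the saved return address.  Explicit offsets keep the demo
 * within defined behaviour: every write stays inside `f`. */
struct frame {
    char    *saved_ptr;    /* pointer local, placed BEFORE the buffer */
    char     buf[16];      /* the only array local */
    uint64_t canary;       /* guard value written at function entry */
    uint64_t return_addr;  /* stands in for the saved return address */
};

/* Constructed, fixed canary; the real one is random for each process. */
static const uint64_t CANARY = 0x0a00ff1122334455ULL;

/* Copy `len` bytes into f.buf with no bounds check (the bug the canary is
 * there to catch), then run the epilogue check.
 * Returns 1 if the frame is intact, 0 if the overflow was detected. */
int run_frame(const char *input, size_t len)
{
    struct frame f;
    char sentinel = 'p';
    f.saved_ptr = &sentinel;
    f.canary = CANARY;
    f.return_addr = 0x4000;
    size_t room = sizeof f - offsetof(struct frame, buf);
    if (len > room) len = room;            /* never write past the struct */
    memcpy((unsigned char *)&f + offsetof(struct frame, buf), input, len);
    /* A write running off the end of buf must pass through canary before it
     * can reach return_addr, so a changed canary means a smashed frame. */
    if (f.canary != CANARY)
        return 0;                          /* real code aborts via the smash handler */
    return f.saved_ptr == &sentinel;       /* pointer ahead of buf stays untouched */
}

/* The layout ProPolice replaces: buffer first, pointer after it.  The same
 * overflow rewrites the pointer and nothing notices.
 * Returns 1 if saved_ptr still holds its original bytes, 0 if clobbered. */
int run_naive_frame(const char *input, size_t len)
{
    struct naive_frame { char buf[16]; char *saved_ptr; } f;
    char sentinel = 'p', *orig = &sentinel;
    f.saved_ptr = orig;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    return memcmp(&f.saved_ptr, &orig, sizeof orig) == 0;
}

int main(void)
{
    const char *overlong = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes: 16 for buf + 8 beyond */
    printf("protected frame intact: %d\n", run_frame(overlong, 24));
    printf("naive pointer intact:   %d\n", run_naive_frame(overlong, 24));
    return 0;
}
```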

In May 2004, OpenBSD on the SPARC platform received further stack protection in the form of StackGhost. This makes use of features of the SPARC architecture to help prevent exploitation of buffer overflows. Support for SPARC64 was added to -current in March 2005.

OpenBSD 3.4 introduced W^X (W xor X), a memory management scheme which ensures that memory is either writable or executable, but never both, providing another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like AMD64, which has hardware support for the NX bit, OpenBSD is one of the few OSes to support this on the generic i386 platform, which lacks built-in per-page execute controls.

During the development cycle of the 3.8 release, changes were made to the malloc memory management functions. In traditional Unix operating systems, malloc allocates more memory by extending the Unix data segment, a practice that has made it difficult to implement strong protection against security problems. The malloc implementation now in OpenBSD makes use of the mmap system call, which was modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other. In addition, allocation of small blocks in shared areas is now randomized and the free function was changed to return memory to the kernel immediately rather than leaving it mapped into the process. A number of additional, optional checks were also added to aid in development. These features make program bugs easier to detect and harder to exploit: instead of memory being corrupted or an invalid access being ignored, they often result in a segmentation fault and termination of the process. This has brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer, a type of bug that would previously not be detected directly but can now cause an error. These abilities took more than three years to implement without considerable performance loss and are similar in goals to those of the Electric Fence malloc debugging library by Bruce Perens.

Cryptography and randomization

One of the goals of the OpenBSD project is the integration of facilities and software for strong cryptography into the core operating system. To this end, a number of low-level features are provided, including a source of strong pseudorandom numbers; built-in cryptographic hash functions and transforms; and support for cryptographic hardware. These abilities are used throughout OpenBSD, including the bcrypt password-hashing algorithm derived from Bruce Schneier's Blowfish block cipher, which takes advantage of the slow Blowfish key schedule to make password-checking inherently CPU-intensive, so that password-cracking attempts are slower and more difficult.

To protect sensitive information such as passwords and passphrases from leaking onto disk, where they can persist for many years, OpenBSD supports encryption of the swap partition. The swap space is split up into many small regions that are each assigned their own encryption key: as soon as the data in a region is no longer required, OpenBSD securely deletes it by discarding the encryption key. This feature is enabled by default in OpenBSD 3.9 and later.

The network stack also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including TCP Initial Sequence Numbers and timestamps, and ephemeral source ports. A number of features to increase network resilience and availability, including countermeasures for problems with ICMP and software for redundancy, such as CARP and pfsync, are also included. In userland, the project was perhaps the first to disable the plain-text telnet daemon in favor of the encrypted SSH daemon, and it features other integrated cryptographic software, including IPsec and Kerberos.

X11

OpenBSD's version of the X Window System has some security modifications. The server and some of the default applications are patched for privilege separation and other enhancements, and OpenBSD provides an "aperture" driver to limit X's access to memory. However, after recent work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class." He went on to castigate X developers for "taking their time at solving this > 10 year old problem." Recently, a VESA kernel driver has been developed, which permits X to run, albeit more slowly, without the use of the aperture driver (http://marc.info/?l=openbsd-cvs&m=116483366219125&w=2).

Other features

Privilege separation, privilege revocation, chrooting and randomized loading of libraries also play a role in increasing the security of the system. Many of these have been applied to the OpenBSD versions of common programs such as tcpdump and Apache, and to the BSD Authentication system. OpenBSD also supports sandboxing of untrusted applications using the Systrace facility, a framework allowing interposition of system calls for fine-grained restriction of processes. Systrace supports interactive generation of policies, and other features designed to allow privilege elevation.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.