OpenBSD security features
The OpenBSD operating system focuses on security and the development of security features.[1][2]:xxvii[3] According to author Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms."[2]:xxix
API and build changes
Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the strcpy
and strcat
string functions in the C programming language. There are two common alternatives, strncpy
and strncat
, but they can be difficult to understand and easy to misuse,[4][5] so OpenBSD developers Todd C. Miller and Theo de Raadt designed the strlcpy
and strlcat
functions.[6] These functions are intended to make it harder for programmers to accidentally leave buffers unterminated or allow them to be overflowed.[7] They have been adopted by the NetBSD and FreeBSD projects but not by the GNU C Library.[8]
On OpenBSD, the linker has been changed to issue a warning when unsafe string manipulation functions, such as strcpy
, strcat
, or sprintf
, are found. All occurrences of these functions in the OpenBSD source tree have been replaced. In addition, a static bounds checker is included in OpenBSD in an attempt to find other common programming mistakes at compile time.[9] Other security-related APIs developed by the OpenBSD project include issetugid
[10] and arc4random
.[11]
Kernel randomization
In a June 2017 email, Theo de Raadt stated that a problem with stable systems was that they could be running for months at a time. Although there is considerable randomization within the kernel, some key addresses remains the same. The project in progress modifies the linker so that on every boot, the kernel is relinked, as well as all other randomizations. This differs from kernel ASLR; in the email he states that "As a result, every new kernel is unique. The relative offsets between functions and data are unique ... [The current] change is scaffolding to ensure you boot a newly-linked kernel upon every reboot ... so that a new random kernel can be linked together ... On a fast machine it takes less than a second ... A reboot runs the new kernel, and yet another kernel is built for the next boot. The internal deltas between functions inside the kernel are not where an attacker expects them to be, so he'll need better info leaks".[12]
Memory protection
OpenBSD integrates several technologies to help protect the operating system from attacks such as buffer overflows or integer overflows.
Developed by Hiroaki Etoh, ProPolice is a GCC extension designed to protect applications from stack-smashing attacks.[13] It does this through a number of operations: local stack variables are reordered to place buffers after pointers, protecting them from corruption in case of a buffer overflow; pointers from function arguments are also placed before local buffers; and a canary value is placed after local buffers which, when the function exits, can sometimes be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection. It was integrated in OpenBSD's version GCC in December 2002, and first made available in OpenBSD 3.3;[14] it was applied to the kernel in release 3.4.[15] The extension works on all the CPU architectures supported by OpenBSD and is enabled by default, so any C code compiled will be protected without user intervention.[16]
In May 2004, OpenBSD on the SPARC platform received further stack protection in the form of StackGhost. This makes use of features of the SPARC architecture to help prevent exploitation of buffer overflows.[17] Support for SPARC64 was added to -current in March 2005.
OpenBSD 3.4 introduced W^X, a memory management scheme to ensure that memory is either writable or executable, but never both, which provides another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like x86-64, which has hardware support for the NX bit, OpenBSD is one of the few OSes to support this on the generic i386 platform,[18] which lacks built in per-page execute controls.
During the development cycle of the 3.8 release, changes were made to the malloc
memory management functions. In traditional Unix operating systems, malloc
allocates more memory by extending the Unix data segment, a practice that has made it difficult to implement strong protection against security problems. The malloc
implementation now in OpenBSD makes use of the mmap
system call, which was modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other. In addition, allocation of small blocks in shared areas are now randomized and the free
function was changed to return memory to the kernel immediately rather than leaving it mapped into the process. A number of additional, optional checks were also added to aid in development. These features make program bugs easier to detect and harder to exploit: instead of memory being corrupted or an invalid access being ignored, they often result in a segmentation fault and abortion of the process. This has brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer, a type of bug that would previously not be detected directly but can now cause an error. These abilities took more than three years to implement without considerable performance loss.
Cryptography and randomization
One of the goals of the OpenBSD project is the integration of facilities and software for strong cryptography into the core operating system. To this end, a number of low-level features are provided, including a source of strong pseudo random numbers;[19] built-in cryptographic hash functions and transforms; and support for cryptographic hardware (OpenBSD Cryptographic Framework). These abilities are used throughout OpenBSD, including the bcrypt password-hashing algorithm[20] derived from Bruce Schneier's Blowfish block cipher, which takes advantage of the CPU-intensive Blowfish key schedule, making brute-force attacks less practical.
To protect sensitive information such as passwords from leaking on to disk, where they can persist for many years, OpenBSD supports encryption of the swap partition. The swap space is split up into many small regions that are each assigned their own encryption key: as soon as the data in a region is no longer required, OpenBSD securely deletes it by discarding the encryption key.[21] This feature is enabled by default in OpenBSD 3.9 and later.
The network stack also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including TCP initial sequence numbers and timestamps, and ephemeral source ports.[22] A number of features to increase network resilience and availability, including countermeasures for problems with ICMP and software for redundancy, such as CARP and pfsync, are also included. The project was the first to disable the plain-text telnet daemon in favor of the encrypted SSH daemon, in 1999,[23] and features other integrated cryptographic software such as IPsec. The telnet daemon was completely removed from OpenBSD in 2005[24] before the release of OpenBSD version 3.8.
X11
All parts of X11 on OpenBSD are running as the user, except for the X server, which is split between a privilege-stripped X process run as root, and an X process run as the _X11 user.
In X11 on OpenBSD, neither the X server nor X clients normally have any escalated direct memory or hardware privileges: When driving X with the Intel(4) or Radeon(4) drivers, these normally interact with the underlying hardware via the Direct Rendering Management(4) kernel interface only, so that lowlevel memory/hardware access is handled solely by the kernel. Other drivers such as WSFB follow a similar pattern. For this reason, X11 on OpenBSD does not open up lowlevel memory or hardware access to user/root programs as is done on some other systems, and as was done in the past, which then needed the user to escalate the machdep.allowaperture setting from its default zero setting, to an unsecure setting.
OpenBSD's version of the X Window System (named Xenocara) has some security modifications. The server and some of the default applications are patched to make use of privilege separation, and OpenBSD provides an "aperture" driver to limit X's access to memory.[25] However, after work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class."[26] He went on to castigate X developers for "taking their time at solving this > 10-year-old problem." On November 29, 2006, a VESA kernel driver was developed that permitted X to run, albeit more slowly, without the use of the aperture driver.[27]
On February 15, 2014, X was further modified to allow it to run without root privileges.[28][29]
After the discovery of a security vulnerability in X,[30] OpenBSD doesn't support the running of X as a root user and only supports running X via a display manager as a dedicated _x11
user.
Other features
Privilege separation,[31] privilege revocation, chrooting and randomized loading of libraries also play a role in increasing the security of the system. Many of these have been applied to the OpenBSD versions of common programs such as tcpdump and Apache, and to the BSD Authentication system.
OpenBSD has a history of providing its users with full disclosure in relation to various bugs and security breaches detected by the OpenBSD team.[32] This is exemplified by the project's slogan: "Only two remote holes in the default install, in a heck of a long time!"
In OpenBSD 5.3, support for full disk encryption was introduced.[33]
OpenBSD 5.8 introduced the pledge
system call for restricting process capabilities to a minimal subset required for correct operation.[34] If the process is compromised and attempts to perform an unintended behavior, it will be terminated by the kernel. Since its introduction, applications and ports have been changed to support pledge
, including the Chromium web browser.
References
- Korff, Yanek; Hope, Paco; Potter, Bruce (2005). Mastering FreeBSD and OpenBSD security. Sebastopol, California, USA: O'Reilly. ISBN 0-596-00626-8.
- Lucas, Michael W. (2013). Absolute OpenBSD: Unix for the practical paranoid (2nd ed.). San Francisco: No Starch Press. ISBN 978-1-59327-476-4.
- Palmer, Brandon; Nazario, Jose (2004). Secure Architectures with OpenBSD. Boston: Addison-Wesley. ISBN 0-321-19366-0.
- "strncpy – copy part of a string to another". OpenBSD manual pages. Retrieved May 26, 2016.
- "strncat – concatenate a string with part of another". OpenBSD manual pages. Retrieved May 26, 2016.
- "strlcpy, strlcat – size-bounded string copying and concatenation". OpenBSD manual pages. Retrieved May 26, 2016.
- Miller, Todd C.; de Raadt, Theo (June 6, 1999). strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation. USENIX Annual Technical Conference. Monterey, California. Retrieved May 26, 2016.
- Drepper, Ulrich (August 8, 2000). "Re: PATCH: safe string copy and concatenation". [email protected] (Mailing list). Retrieved May 26, 2016.
- Madhavapeddy, Anil (June 26, 2003). "CVS: cvs.openbsd.org: src". openbsd-cvs (Mailing list). Retrieved March 31, 2013.
- "issetugid – is current executable running setuid or setgid". OpenBSD manual pages. Retrieved May 26, 2016.
- "arc4random, arc4random_buf, arc4random_uniform – random number generator". OpenBSD manual pages. Retrieved May 26, 2016.
- email 2017-06-13
- "GCC extension for protecting applications from stack-smashing attacks". IBM Research. Archived from the original on June 4, 2014. Retrieved May 26, 2016.
- "OpenBSD 3.3". OpenBSD. Retrieved May 28, 2016.
Integration of the ProPolice stack protection technology [...] into the system compiler.
- "OpenBSD 3.4". OpenBSD. Retrieved May 28, 2016.
ProPolice stack protection has been enabled in the kernel as well.
- "gcc-local – local modifications to gcc". OpenBSD manual pages. Retrieved May 28, 2016.
gcc comes with the 'ProPolice' stack protection extension, which is enabled by default.
- Frantzen, Mike; Shuey, Mike (August 13, 2001). StackGhost: Hardware Facilitated Stack Protection. 10th USENIX Security Symposium. Washington, D.C. Retrieved May 26, 2016.
- "OpenBSD 5.8". OpenBSD. Retrieved May 28, 2016.
Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
- de Raadt, Theo; Hallqvist, Niklas; Grabowski, Artur; Keromytis, Angelos D.; Provos, Niels (June 6, 1999). Cryptography in OpenBSD: An Overview. USENIX Annual Technical Conference. Monterey, California. Retrieved January 30, 2005.
- Provos, Niels; Mazières, David (June 6, 1999). A Future-Adaptable Password Scheme. USENIX Annual Technical Conference. Monterey, California. Retrieved May 26, 2016.
- Provos, Niels (August 14, 2000). Encrypting Virtual Memory. 9th USENIX Security Symposium. Denver, Colorado. Retrieved April 9, 2006.
- Biancuzzi, Federico (October 12, 2005). "OpenBSD's network stack". SecurityFocus. Retrieved December 10, 2005.
- de Raadt, Theo (April 10, 1999). "disable telnet/ftp/login by default, for now". OpenBSD.
- de Raadt, Theo (May 25, 2005). "CVS: cvs.openbsd.org: src". OpenBSD-CVS mailing list.
Removed files: libexec/telnetd
- "xf86 – X Window System aperture driver". OpenBSD manual pages. Retrieved May 26, 2016.
- de Raadt, Theo (May 11, 2006). "Re: security bug in x86 hardware (thanks to X WIndows)". openbsd-misc (Mailing list). Retrieved May 26, 2016.
- Herrb, Matthieu (November 29, 2006). "CVS: cvs.openbsd.org: XF4". openbsd-cvs (Mailing list). Retrieved May 26, 2016.
- Kettenis, Mark (February 15, 2014). "CVS: cvs.openbsd.org: xenocara". openbsd-cvs (Mailing list). Retrieved May 26, 2016.
- "Xorg can now run without privilege on OpenBSD". OpenBSD Journal. February 22, 2014. Retrieved May 26, 2016.
- "OpenBSD 6.4 Errata". www.openbsd.org. Retrieved May 23, 2019.
- Provos, Niels; Friedl, Markus; Honeyman, Peter (August 4, 2003). Preventing Privilege Escalation. 12th USENIX Security Symposium. Washington, D.C. Retrieved May 26, 2016.
- Miller, Robin (December 11, 2000). "Theo de Raadt Responds". Slashdot. Archived from the original on July 28, 2011. Retrieved May 16, 2014.
- "OpenBSD 5.3". OpenBSD. Retrieved May 26, 2016.
- "pledge() - a new mitigation mechanism". OpenBSD. Retrieved May 19, 2018.
External links
- Exploit Mitigation Techniques: an Update After 10 Years
- Theo de Raadt's email about secure programming: On the matter of strlcpy/strlcat acceptance by industry