OpenBSD security features
The OpenBSD operating system focuses on security and the development of security features.[1][2]: xxvii [3] According to author Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms."[2]: xxix
API and build changes
Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the
On OpenBSD, the
Kernel randomization
In a June 2017 email, Theo de Raadt stated that a problem with stable systems was that they could be running for months at a time. Although there is considerable randomization within the kernel, some key addresses remain the same. The project in progress modifies the
Memory protection
OpenBSD integrates several technologies to help protect the operating system from attacks such as buffer overflows or integer overflows.
Developed by Hiroaki Etoh,
In May 2004, OpenBSD on the
OpenBSD 3.4 introduced W^X, a memory management scheme to ensure that memory is either writable or executable, but never both, which provides another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like x86-64, which has hardware support for the NX bit, OpenBSD is one of the few OSes to support this on the generic i386 platform,[18] which lacks built-in per-page execute controls.
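What W^X means for a program that has to generate code at run time (a JIT, a trampoline, anything similar) is that it must never hold a page as writable and executable at once. The following added example (not code from the article or from OpenBSD) shows the compliant two-phase pattern on any POSIX system: fill the page while it is RW, then flip it to RX with mprotect(2). The second function probes whether the kernel will even grant a RWX mapping; an enforcing OpenBSD kernel refuses it, most other systems allow it, and the example only reports the answer. The function names are chosen here, and the byte pattern is constructed and is never executed.

```c
/* Added example: allocating run-time code in a W^X-compliant way.
 * The page is never writable and executable at the same time. */
#define _DEFAULT_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 0 on success, -1 on failure. On success *out points at a page
 * that is now read+execute only and whose first len bytes equal code. */
int stage_code_wx_safe(const unsigned char *code, size_t len, void **out)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len > (size_t)page)
        return -1;
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, code, len);                      /* write phase: W, not X */
    if (mprotect(p, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, (size_t)page);               /* flip refused: give up */
        return -1;
    }
    *out = p;                                  /* execute phase: X, not W */
    return 0;
}

/* Probe only: returns 1 if the kernel granted a page that is writable AND
 * executable, 0 if it refused. A W^X-enforcing kernel answers 0. */
int rwx_mapping_allowed(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return 0;
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, (size_t)page);
    return 1;
}

/* Release a page obtained from stage_code_wx_safe. Returns munmap's result. */
int release_code(void *p)
{
    long page = sysconf(_SC_PAGESIZE);
    return munmap(p, (size_t)page);
}
```

The value of the pattern for a defender is that code which follows it runs unchanged on OpenBSD, while code that demands a RWX page fails loudly at the mmap or mprotect call, which is exactly the point at which an injected payload would otherwise be made executable.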
During the development cycle of the 3.8 release, changes were made to the
Cryptography and randomization
One of the goals of the OpenBSD project is the integration of facilities and software for
In OpenBSD 5.3, support for
To protect sensitive information such as passwords from leaking onto disk, where it can persist for many years, OpenBSD supports encryption of swap space. The swap space is split into many small regions that are each assigned their own encryption key, which is generated randomly and automatically with no input from the user, held entirely in memory, and never written to disk except when hibernating; as soon as the data in a region is no longer required, OpenBSD discards its encryption key, effectively turning the data in that region into useless garbage.[24] The feature is toggled with a single sysctl option and requires no prior setup, disk partitioning, or partition-related settings to be done or changed; furthermore, there is no choice of encryption parameters (such as the algorithm or key length), as strong parameters are always used. There is no harm and no loss of functionality, because the encryption keys used to access swapped processes are only lost when the computer crashes (e.g. power loss), after which every operating system discards the previous contents of memory and swap anyway, and because hibernation continues to work as usual. This feature is enabled by default in OpenBSD 3.8 (released in November 2005) and later; as of 2022, OpenBSD remains the only prominent operating system with swap encrypted by default, independently of disk encryption and its user-provided password.
(Windows requires[citation needed] toggling a configuration setting that is not exposed in its user-facing Control Panel and Settings apps, and other operating systems, including macOS,[citation needed] FreeBSD,[25] and every Linux-based operating system,[citation needed] rely on their existing disk encryption features to encrypt swap, which often (a) must be enabled manually by the user, (b) require setup (if disk encryption was not chosen during installation) that is not as trivial as toggling swap encryption on OpenBSD, and (c) use the user-provided password, which users must remember and which could be weak, guessable, or even extracted from the users.)
The
The OpenBSD project invented its own utility for cryptographic signing and verification of files, signify,
X11
In X11 on OpenBSD, neither the X server nor X clients normally have any escalated direct memory or hardware privileges: when driving X with the Intel(4) or Radeon(4) drivers, these normally interact with the underlying hardware only via the Direct Rendering Management(4) kernel interface, so that low-level memory and hardware access is handled solely by the kernel. Other drivers such as WSFB follow a similar pattern. For this reason, X11 on OpenBSD does not open up low-level memory or hardware access to user or root programs, as is done on some other systems and as was done in the past, which required the user to raise the machdep.allowaperture setting from its default of zero to an insecure setting.[citation needed]
OpenBSD's version of the X Window System (named Xenocara) has some security modifications. The server and some of the default applications are patched to make use of privilege separation, and OpenBSD provides an "aperture" driver to limit X's access to memory.[38] However, after work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class."[39] He went on to castigate X developers for "taking their time at solving this > 10-year-old problem." On November 29, 2006, a VESA kernel driver was developed that permitted X to run, albeit more slowly, without the use of the aperture driver.[40]
On February 15, 2014, X was further modified to allow it to run without root privileges.[41][42]
After the discovery of a security vulnerability in X,[43] OpenBSD does not support running X as the root user and only supports running X via a display manager as a dedicated _x11 user.
Other features
OpenBSD has a history of providing its users with full disclosure in relation to various bugs and security breaches detected by the OpenBSD team.[45] This is exemplified by the project's slogan: "Only two remote holes in the default install, in a heck of a long time!"
OpenBSD is intended to be secure by default, which includes (but is not limited to) having all non-essential services disabled by default. This is done not only to spare users from having to learn how to secure their computers after installing OpenBSD, but also in the hope of making users more aware of security considerations, by requiring them to make conscious decisions to enable features that could reduce their security.[46]
OpenBSD 5.9 included support for the then-new pledge
pledge and unveil are used together to confine applications, further limiting what they are otherwise permitted to do under the user account they run as. Since the introduction of pledge, base OpenBSD programs (included out of the box in OpenBSD), applications (handled by their developers), and ports (of applications, handled by the OpenBSD team) have been updated to be confined with pledge and/or unveil.
Some examples of third-party applications updated with these features (by their developers or in OpenBSD's app ports) include the Chromium and Firefox web browsers.
References
- ^
Korff, Yanek; Hope, Paco; Potter, Bruce (2005). Mastering FreeBSD and OpenBSD security. Sebastopol, California, USA: O'Reilly. ISBN 0-596-00626-8.
- ^ a b
Lucas, Michael W. (2013). Absolute OpenBSD: Unix for the practical paranoid (2nd ed.). San Francisco: ISBN 978-1-59327-476-4.
- ^
Palmer, Brandon; Nazario, Jose (2004). Secure Architectures with OpenBSD. Boston: ISBN 0-321-19366-0.
- ^ "strncpy – copy part of a string to another". OpenBSD manual pages. Retrieved May 14, 2021.
- ^ "strncat – concatenate a string with part of another". OpenBSD manual pages. Retrieved May 14, 2021.
- ^ "strlcpy, strlcat – size-bounded string copying and concatenation". OpenBSD manual pages. Retrieved May 14, 2021.
- ^ Miller, Todd C.; de Raadt, Theo (June 6, 1999). strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation. USENIX Annual Technical Conference. Monterey, California. Retrieved May 26, 2016.
- ^ Drepper, Ulrich (August 8, 2000). "Re: PATCH: safe string copy and concatenation". [email protected] (Mailing list). Retrieved May 26, 2016.
- ^ Madhavapeddy, Anil (June 26, 2003). "CVS: cvs.openbsd.org: src". openbsd-cvs (Mailing list). Retrieved March 31, 2013.
- ^ "issetugid – is current executable running setuid or setgid". OpenBSD manual pages. Retrieved May 14, 2021.
- ^ "arc4random, arc4random_buf, arc4random_uniform – random number generator". OpenBSD manual pages. Retrieved May 14, 2021.
- ^ email 2017-06-13
- ^ "GCC extension for protecting applications from stack-smashing attacks". IBM Research. Archived from the original on June 4, 2014. Retrieved May 26, 2016.
- ^ "OpenBSD 3.3". OpenBSD. Retrieved May 28, 2016.
Integration of the ProPolice stack protection technology [...] into the system compiler.
- ^ "OpenBSD 3.4". OpenBSD. Retrieved May 28, 2016.
ProPolice stack protection has been enabled in the kernel as well.
- ^ "gcc-local – local modifications to gcc". OpenBSD manual pages. Retrieved May 28, 2016.
gcc comes with the 'ProPolice' stack protection extension, which is enabled by default.
- ^ Frantzen, Mike; Shuey, Mike (August 13, 2001). StackGhost: Hardware Facilitated Stack Protection. 10th USENIX Security Symposium. Washington, D.C. Retrieved May 26, 2016.
- ^ "OpenBSD 5.8". OpenBSD. Retrieved May 28, 2016.
Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
- ^ de Raadt, Theo; Hallqvist, Niklas; Grabowski, Artur; Keromytis, Angelos D.; Provos, Niels (June 6, 1999). Cryptography in OpenBSD: An Overview. USENIX Annual Technical Conference. Monterey, California. Retrieved January 30, 2005.
- ^ Provos, Niels; Mazières, David (June 6, 1999). A Future-Adaptable Password Scheme. USENIX Annual Technical Conference. Monterey, California. Retrieved May 26, 2016.
- ^ "OpenBSD 5.3". OpenBSD. Retrieved May 26, 2016.
- ^ "OpenBSD 7.3". www.openbsd.org. Retrieved April 19, 2023.
- ^ "Initial support for guided disk encryption in the installer". undeadly.org. Retrieved April 19, 2023.
- ^ Provos, Niels (August 14, 2000). Encrypting Virtual Memory. 9th USENIX Security Symposium. Denver, Colorado. Retrieved April 9, 2006.
- ^ "Chapter 20. Storage — 20.14. Encrypting Swap". FreeBSD Documentation Portal. Retrieved September 27, 2023.
- ^ Biancuzzi, Federico (October 12, 2005). "OpenBSD's network stack". SecurityFocus. Retrieved December 10, 2005.
- ^ de Raadt, Theo (April 10, 1999). "disable telnet/ftp/login by default, for now". OpenBSD.
- ^ de Raadt, Theo (May 25, 2005). "CVS: cvs.openbsd.org: src". OpenBSD-CVS mailing list.
Removed files: libexec/telnetd
- ^ a b Unangst, Ted. "signify: Securing OpenBSD From Us To You". www.openbsd.org. BSDCan 2015 (June), Ottawa, Canada. Retrieved July 12, 2022.
- ^ "OpenBSD 5.5". www.openbsd.org. Retrieved July 12, 2022.
- ^ "OpenBSD: Innovations". www.openbsd.org.
- ^ "Verifying authenticity of Debian images". www.debian.org. Retrieved July 12, 2022.
- ^ "Download Kali Linux Images Securely | Kali Linux Documentation". Kali Linux. Retrieved July 12, 2022.
- ^ "Verifying signatures". Qubes OS. Retrieved July 12, 2022.
- ^ "How can I verify Tor Browser's signature? | Tor Project | Support". support.torproject.org. Retrieved July 12, 2022.
- ^ "Share and accept documents securely". SecureDrop. Freedom of the Press Foundation. Retrieved July 12, 2022.
- ^ "VeraCrypt - Free Open source disk encryption with strong security for the Paranoid". veracrypt.fr. IDRIX. Retrieved July 12, 2022.
- ^ "xf86 – X Window System aperture driver". OpenBSD manual pages. Retrieved May 14, 2021.
- ^ de Raadt, Theo (May 11, 2006). "Re: security bug in x86 hardware (thanks to X WIndows)". openbsd-misc (Mailing list). Retrieved May 26, 2016.
- ^ Herrb, Matthieu (November 29, 2006). "CVS: cvs.openbsd.org: XF4". openbsd-cvs (Mailing list). Retrieved May 26, 2016.
- ^ Kettenis, Mark (February 15, 2014). "CVS: cvs.openbsd.org: xenocara". openbsd-cvs (Mailing list). Retrieved May 26, 2016.
- ^ "Xorg can now run without privilege on OpenBSD". OpenBSD Journal. February 22, 2014. Retrieved May 26, 2016.
- ^ "OpenBSD 6.4 Errata". www.openbsd.org. Retrieved May 23, 2019.
- ^ Provos, Niels; Friedl, Markus; Honeyman, Peter (August 4, 2003). Preventing Privilege Escalation. 12th USENIX Security Symposium. Washington, D.C. Retrieved May 26, 2016.
- ^ Miller, Robin (December 11, 2000). "Theo de Raadt Responds". Slashdot. Archived from the original on July 28, 2011. Retrieved May 16, 2014.
- ^ "OpenBSD: Security — "Secure by Default"". www.openbsd.org. Retrieved September 27, 2023.
- ^ "pledge() - a new mitigation mechanism". OpenBSD. Retrieved May 19, 2018.
- ^ "unveil — unveil parts of a restricted filesystem view". OpenBSD manual pages. Retrieved May 15, 2020.
External links
- Exploit Mitigation Techniques: an Update After 10 Years Archived February 20, 2014, at the Wayback Machine
- Theo de Raadt's email about secure programming: On the matter of strlcpy/strlcat acceptance by industry