OpenBSD security features

The OpenBSD operating system is known for its focus on computer security and the development of a variety of security features.

Programming interfaces and API changes

The C string functions strcpy and strcat are commonly used and often used incorrectly, which can lead to errors and security vulnerabilities. The existing alternatives strncpy and strncat are not ideal either, which is why the OpenBSD developers Todd C. Miller and Theo de Raadt created the strlcpy and strlcat functions. These are designed for higher security and provide a more consistent replacement for strncpy and strncat: they make it harder for programmers to leave a buffer unterminated or to overflow it, and thus harder to introduce buffer overflow vulnerabilities. The functions were adopted by the NetBSD and FreeBSD projects but not by the GNU C library; its maintainer Ulrich Drepper vehemently opposed their inclusion, arguing that memcpy is an equivalent solution to the same problems. The OpenBSD linker was changed to emit a warning when unsafe functions such as strcpy or strcat are used. The same applies to other string-manipulating functions that frequently cause problems, sprintf for example. All occurrences of such functions in the OpenBSD source code have been replaced, and a policy was introduced to patch every occurrence in the package (ports) system as well. OpenBSD also ships a static analysis tool that tries to find other common programming errors at compile time. Further security-oriented programming interfaces developed by the OpenBSD project are issetugid and arc4random.
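The difference between strncpy and strlcpy described above, as an added example that is not part of the original article: demo_strlcpy is my own implementation of the documented strlcpy semantics (not OpenBSD's source), and the two helper functions copy an over-long string into an 8-byte window with each function and report whether the result is NUL-terminated and whether truncation was detectable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* My own implementation of the documented strlcpy semantics (not OpenBSD's
 * source): copy at most size-1 bytes, always NUL-terminate when size > 0,
 * and return strlen(src) so the caller can detect truncation. */
size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* True if buf holds a NUL somewhere within its first size bytes. */
static bool is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* strncpy into a size-byte window: with an over-long source no terminator
 * is written, so a later strlen() or "%s" would read past the buffer. */
bool strncpy_leaves_terminator(const char *src, size_t size)
{
    char buf[16];
    if (size > sizeof buf) return false;
    memset(buf, 'X', sizeof buf);          /* stand-in for stale stack bytes */
    strncpy(buf, src, size);
    return is_terminated(buf, size);
}

/* strlcpy into the same window. Returns 0 if buf was left unterminated,
 * 1 if the copy fit, 2 if it was truncated (the usual strlcpy check). */
int strlcpy_outcome(const char *src, size_t size)
{
    char buf[16];
    if (size > sizeof buf) return -1;
    memset(buf, 'X', sizeof buf);
    size_t needed = demo_strlcpy(buf, src, size);
    if (!is_terminated(buf, size)) return 0;
    return needed >= size ? 2 : 1;         /* needed >= size means truncated */
}
```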

Memory protection

OpenBSD includes several techniques that help protect the operating system against attacks based on buffer overflows and integer overflows.

ProPolice is an extension of GCC developed by Hiroaki Etoh that protects programs against attacks on the stack (stack smashing) through enhanced memory protection. To make this possible it makes a number of changes: local stack variables are rearranged so that buffers are placed after pointers, which protects the pointers from corruption in the event of a buffer overflow; pointers to function arguments are likewise placed before local buffers; and a canary value is placed after the local buffers, so that when the function returns the canary can be checked to detect a buffer overflow. ProPolice decides automatically, based on a heuristic that analyzes how vulnerable a buffer is, whether that buffer is protected. ProPolice was integrated into OpenBSD's GCC in December 2002 and first shipped with version 3.3. The protection has been applied to the kernel since OpenBSD 3.4. The extension works on all architectures supported by OpenBSD and is enabled by default, so every C program is protected without user intervention.

In May 2004, OpenBSD gained further stack protection on the SPARC architecture through StackGhost, which uses features of the SPARC architecture to hinder the exploitation of buffer overflows. Support for 64-bit SPARC was added in March 2005.

W^X (short for WriteEnable xor eXecutable) was introduced in OpenBSD 3.4. It is a memory management policy that ensures memory is either writable or executable, but never both, which provides an extra layer of protection against buffer overflows. Although this is relatively easy to implement on a platform such as amd64, which provides hardware support through the NX bit, OpenBSD is one of the few operating systems that also supports it on the ordinary i386 architecture.

During the development of version 3.8, changes were made to the malloc memory management functions. In traditional Unix operating systems malloc reserves memory by extending the Unix data segment; this approach hampered the implementation of strong protection against security problems. The current malloc implementation in OpenBSD uses the mmap system call, which was modified to return random memory addresses while ensuring that no two regions are adjacent. In addition, the placement of small blocks within shared regions was randomized. The free function was changed to return memory to the kernel immediately instead of leaving it mapped in the process. A number of further optional checks were added. These capabilities make bugs easier to find and harder to exploit: instead of silent memory corruption or unnoticed invalid accesses, such errors now usually cause a protection violation (SIGSEGV) and thus terminate the process. This brought to light a number of problems in OpenBSD 3.8 that had previously gone unnoticed; in particular, programs that read beyond the beginning or end of a buffer now fail. Making this possible without a significant loss of speed took more than three years. Similar goals are pursued by Bruce Perens's Electric Fence malloc debugging library.

Cryptography and randomization

One of the goals of the OpenBSD project is to integrate as much cryptographic software and functionality into the operating system as possible. To this end a number of system-level capabilities are provided: a strong pseudo-random number generator, integrated cryptographic hash functions and transforms, and support for cryptographic hardware accelerators. These capabilities are used heavily at many levels; one example is the password hashing algorithm derived from Bruce Schneier's Blowfish block cipher. It takes advantage of Blowfish's slow key setup so that password checks are very CPU-intensive, which makes brute-force attempts to crack passwords harder (because slower). The network protocol stack makes heavy use of randomization to reduce the predictability of values that are of interest to attackers and thereby increase security; this includes the TCP initial sequence number (ISN) and timestamp fields as well as the port numbers of ephemeral TCP source ports. OpenBSD also includes a variety of functions that improve network robustness and availability, among them countermeasures against ICMP problems and software redundancy such as CARP and pfsync. The project was probably the first to disable the plaintext telnet daemon in favour of the encrypted SSH daemon, and it has incorporated other cryptographic software measures such as IPsec and Kerberos.

Network and Server

Packet Filter

OpenBSD has its own firewall called Packet Filter (PF for short). Beyond the functions of a normal firewall it offers additional security features, for example an antispoof rule that checks whether a packet's stated source IP address is plausible (consistent with the network interface it arrived on), and packet scrubbing, which discards TCP packets with invalid flag combinations (e.g. SYN and FIN set together), reassembles and normalizes fragmented packets, and intercepts packets that could potentially crash the host.

In addition, PF lets you configure easy-to-read rules (compared with iptables):

    (pass | block [drop | return | return-icmp | return-icmp6 | return-rst] | match)
        [in | out] [log] [quick] [on <interface>] [on rdomain <n>] [inet | inet6]
        [proto (tcp | udp | icmp | icmp6)]
        ([from <source> [port <port>] [os <os>] | to <destination> [port <port>]] | all)
        [flags <set>/<mask>] [icmp-type <type> code <code> | icmp6-type <type> code <code>]
        [probability <p>] [user <user>] [nat-to <address> | rdr-to <address>]

The following rules block all packets from hosts that are not allowed to deliver any mail, and allow all others:

    blocked = "{ 223.33.14.23, 34.12.34.0/24, 17.0.0.0/8 }"
    pass in on em0 inet proto tcp from any to self port { 25, 587 }
    block in on em0 inet proto tcp from $blocked to self port { 25, 587 }

Here em0 is the network interface on which the filtering takes place, in gives the direction (inbound), inet stands for IPv4 packets, proto tcp restricts the rule to TCP packets, the keyword any matches all hosts (IP notation 0.0.0.0), and self stands for the host's own IP address on each interface. The macro $blocked contains a list of hosts and networks.

A special feature of PF is that the last matching rule always wins. Reversing the order of the two rules above would therefore let every host deliver mail, because the hosts blocked by the first rule would be allowed through again by the second.
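The last-match-wins semantics described above, and the effect of the quick keyword from the rule syntax, as an added illustration that is not part of the original article and not PF's own code: a toy rule evaluator (my own model) applied to the article's two SMTP rules in the given order and in reversed order.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Toy model of PF rule evaluation, written for this article (not PF's own
 * code): rules are walked in order and the LAST matching rule decides,
 * unless a matching rule carries "quick", which ends the walk at once. */
typedef enum { PASS, BLOCK } action_t;

typedef struct {
    action_t action;
    uint32_t net;   /* source network, host byte order */
    uint32_t mask;  /* 0 means "from any" */
    uint16_t port;  /* destination port, 0 means any */
    bool quick;
} rule_t;

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MASK(bits) ((bits) == 0 ? 0u : 0xffffffffu << (32 - (bits)))

static bool rule_matches(const rule_t *r, uint32_t src, uint16_t dport)
{
    if ((src & r->mask) != (r->net & r->mask)) return false;
    return r->port == 0 || r->port == dport;
}

/* Action for a packet from src to dport; dflt applies if nothing matches. */
action_t evaluate(const rule_t *rules, size_t n, uint32_t src,
                  uint16_t dport, action_t dflt)
{
    action_t result = dflt;
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], src, dport)) continue;
        result = rules[i].action;       /* later matches override earlier */
        if (rules[i].quick) break;      /* "quick": first match is final */
    }
    return result;
}

/* The article's two SMTP rules in the order given: pass from any, then
 * block the listed network. A host in that network ends up blocked. */
const rule_t mail_rules[] = {
    { PASS,  0, 0, 25, false },
    { BLOCK, IP(34, 12, 34, 0), MASK(24), 25, false },
};
/* Same rules reversed: "pass from any" now matches last and overrides the
 * block, so listed hosts can deliver mail (unless the block is "quick"). */
const rule_t reversed_rules[] = {
    { BLOCK, IP(34, 12, 34, 0), MASK(24), 25, false },
    { PASS,  0, 0, 25, false },
};
```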

The next example shows a typical NAT setup, as it might run on a router:

    ext_schnittstelle = "em0"
    intern_netz = "192.168.0.0/16"
    match out on $ext_schnittstelle inet from $intern_netz to any nat-to $ext_schnittstelle

A match rule applies when a packet matches it, but does not itself decide whether the packet is passed or blocked. All IPv4 (inet) packets leaving the firewall on the interface $ext_schnittstelle from the internal network $intern_netz are given the address of $ext_schnittstelle as their source address. No further rules are needed for the NAT firewall to work.

PF can also act as a TCP proxy: it completes incoming TCP connection handshakes itself and only then hands the connection on to the application. This protects the application against SYN floods.

Other servers

OpenBSD includes a customized Apache 1.3, specially hardened and secured by the OpenBSD project. Pure-FTPd and vsftpd are available as FTP servers, whereas some other popular but generally less secure servers are not included. As mail server (SMTP server) an adapted sendmail is also used; however, the in-house development OpenSMTPD was largely completed in 2012.

Other Features

Privilege separation, privilege revocation, chroots and randomized library loading also play a growing role in system security. Many of them have been applied in OpenBSD to common programs such as tcpdump and the Apache server.
