OpenBSD security features: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 10:31, 23 September 2019 edit Monkbot (talk \| contribs) Bots 3,695,952 edits m →Other features: Task 16: replaced (1×) / removed (0×) deprecated \|dead-url= and \|deadurl= with \|url-status=; Tag: AWB ← Previous edit		Latest revision as of 16:56, 19 May 2025 edit undo 95.57.10.252 (talk) No edit summary Tags: Mobile edit Mobile web edit
(32 intermediate revisions by 15 users not shown)
Line 1: {{Short description\|Security features as used in OpenBSD operating system}} {{Use mdy dates\|date=June 2016}} {{Missing information\|[[LibreSSL]] and the project's tendency to reduce software complexity\|talksection=Suggestions for Improvement\|date=May 2025}} {{Update\|reason=OpenBSD 7.7 was released with new security features (see [https://www.openbsd.org/77.html release notes] and [https://www.openbsd.org/innovations.html updated list of innovations])\|date=April 2025}} The ~~'''~~[[OpenBSD]]~~'''~~ [[operating system]] focuses on [[computer security\|security]] and the development of ~~'''~~security features~~'''~~.{{r\|Korff-Hope-and-Potter-2005}}{{r\|Lucas-2013\|p=xxvii}}{{r\|Palmer-and-Nazario-2004}} According to author Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms."{{r\|Lucas-2013\|p=xxix}} == API and build changes == Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the <code>[[strcpy]]</code> and <code>[[strcat]]</code> [[String (computer science)\|string]] functions in the [[C programming language\|C]] programming language. There are two common alternatives, <code>[[strncpy]]</code> and <code>[[strncat]]</code>, but they can also be difficult to understand and easy to misuse,<ref>{{Cite web\|url=http://man.openbsd.org/OpenBSD-~~5.9~~current/man3/strncpy.3\|title=strncpy – copy part of a string to another\|website=OpenBSD manual pages\|access-date=~~May 26, 2016~~2021-05-14}}</ref><ref>{{Cite web\|url=http://man.openbsd.org/OpenBSD-~~5.9~~current/man3/strncat.3\|title=strncat – concatenate a string with part of another\|website=OpenBSD manual pages\|access-date=~~May 26, 2016~~2021-05-14}}</ref> so OpenBSD developers [[Todd C. Miller]] and [[Theo de Raadt]] designed the <code>[[strlcpy]]</code> and <code>[[strlcat]]</code> functions.<ref>{{Cite web\|url=http://man.openbsd.org/OpenBSD-~~5.9~~current/man3/strlcat.3\|title=strlcpy, strlcat – size-bounded string copying and concatenation\|website=OpenBSD manual pages\|access-date=~~May 26, 2016~~2021-05-14}}</ref> These functions are intended to make it harder for programmers to accidentally leave buffers unterminated or allow them to be overflowed.<ref>{{cite conference \|url=http://www.usenix.org/events/usenix99/millert.html \|title=strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation \|last1=Miller \|first1=Todd C. \|last2=de Raadt \|first2=Theo \|author-link2=Theo de Raadt \|date=June 6, 1999 \|conference=[[USENIX]] Annual Technical Conference \|___location=Monterey, California \|~~accessdate~~access-date=May 26, 2016}}</ref> They have been adopted by the NetBSD and FreeBSD projects but not by the [[GNU C Library]].<ref>{{cite mailing list \|url=https://www.sourceware.org/ml/libc-alpha/2000-08/msg00053.html \|title=Re: PATCH: safe string copy and concatenation \|date=August 8, 2000 \|~~accessdate~~access-date=May 26, 2016 \|mailing-list=libc-alpha@sources.redhat.com \|last=Drepper \|first=Ulrich}}</ref> On OpenBSD, the [[Linker (computing)\|linker]] has been changed to issue a warning when [[C standard library#Buffer overflow vulnerabilities\|unsafe string manipulation functions]], such as <code>strcpy</code>, <code>strcat</code>, or <code>[[sprintf]]</code>, are found. All occurrences of these functions in the OpenBSD source tree have been replaced.{{citation needed\|reason=This is probably in their FAQ, or at least on the mailing lists (probably tech@)\|date=May 2016}} In addition, a [[Static code analysis\|static bounds checker]] is included in OpenBSD in an attempt to find other common programming mistakes at compile time.<ref>{{cite mailing list \|url=https://marc.info/?l=openbsd-cvs&m=105665219927976 \|title=CVS: cvs.openbsd.org: src \|date=June 26, 2003 \|~~accessdate~~access-date=March 31, 2013 \|mailing-list=openbsd-cvs \|last=Madhavapeddy \|first=Anil }}</ref> Other security-related [[Application programming interface\|APIs]] developed by the OpenBSD project include <code>issetugid</code><ref>{{Cite web\|url=http://man.openbsd.org/OpenBSD-~~5.9~~current/man2/issetugid.2\|title=issetugid – is current executable running setuid or setgid\|website=OpenBSD manual pages\|access-date=~~May 26, 2016~~2021-05-14}}</ref> and <code>[[RC4#RC4-based random number generators\|arc4random]]</code>.<ref>{{Cite web\|url=http://man.openbsd.org/OpenBSD-~~5.9~~current/man3/arc4random.3\|title=arc4random, arc4random_buf, arc4random_uniform – random number generator\|website=OpenBSD manual pages\|access-date=~~May 26, 2016~~2021-05-14}}</ref> == Kernel randomization == In a June 2017 email, Theo de Raadt stated that a problem with stable systems was that they could be running for months at a time. Although there is considerable randomization within the kernel, some key addresses ~~remains~~remain the same. The project in progress modifies the [[Linker (computing)\|linker]] so that on every boot, the kernel is relinked, as well as all other randomizations. This differs from kernel [[ASLR]]; in the email he states that "As a result, every new kernel is unique. The relative offsets between functions and data are unique ... [The current] change is scaffolding to ensure you boot a newly-linked kernel upon every reboot ... so that a new random kernel can be linked together ... On a fast machine it takes less than a second ... A reboot runs the new kernel, and yet another kernel is built for the next boot. The internal deltas between functions inside the kernel are not where an attacker expects them to be, so he'll need better info leaks".<ref>[https://marc.info/?l=openbsd-tech&m=149732026405941 email 2017-06-13]</ref> == Memory protection == Line 16 ⟶ 19: Developed by Hiroaki Etoh, [[ProPolice]] is a [[GNU Compiler Collection\|GCC]] extension designed to protect applications from [[Stack buffer overflow\|stack-smashing attacks]].<ref>{{Cite web\|url=http://www.research.ibm.com/trl/projects/security/ssp/\|title=GCC extension for protecting applications from stack-smashing attacks\|publisher=[[IBM Research]]\|archive-url=https://web.archive.org/web/20140604021923/http://www.research.ibm.com/trl/projects/security/ssp/\|archive-date=June 4, 2014\|access-date=May 26, 2016}}</ref> It does this through a number of operations: local stack variables are reordered to place buffers after pointers, protecting them from corruption in case of a buffer overflow; pointers from function arguments are also placed before local buffers; and a [[Buffer overflow protection#Canaries\|canary]] value is placed after local buffers which, when the function exits, can sometimes be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection.{{Vague\|date=May 2016}} It was integrated in OpenBSD's version GCC in December 2002, and first made available in OpenBSD 3.3;<ref>{{Cite web\|url=https://www.openbsd.org/33.html\|title=OpenBSD 3.3\|website=OpenBSD\|access-date=May 28, 2016\|quote=Integration of the ProPolice stack protection technology [...] into the system compiler.}}</ref> it was applied to the kernel in release 3.4.<ref>{{Cite web\|url=https://www.openbsd.org/34.html\|title=OpenBSD 3.4\|website=OpenBSD\|access-date=May 28, 2016\|quote=ProPolice stack protection has been enabled in the kernel as well.}}</ref> The extension works on all the CPU architectures supported by OpenBSD and is enabled by default, so any C code compiled will be protected without user intervention.<ref>{{Cite web\|url=http://man.openbsd.org/OpenBSD-current/man1/gcc-local.1\|title=gcc-local – local modifications to gcc\|website=OpenBSD manual pages\|access-date=May 28, 2016\|quote=gcc comes with the 'ProPolice' stack protection extension, which is enabled by default.}}</ref> In May 2004, OpenBSD on the [[SPARC]] platform received further stack protection in the form of [[Stack-smashing protection#StackGhost (hardware-based)\|StackGhost]]. This makes use of features of the SPARC architecture to help prevent exploitation of buffer overflows.<ref>{{cite conference \|url=https://www.usenix.org/legacy/publications/library/proceedings/sec01/frantzen.html \|title=StackGhost: Hardware Facilitated Stack Protection \|last1=Frantzen \|first1=Mike \|last2=Shuey \|first2=Mike \|date=August 13, 2001 \|conference=10th [[USENIX]] Security Symposium \|___location=Washington, D.C. \|~~accessdate~~access-date=May 26, 2016}}</ref> Support for SPARC64 was added to {{mono\|-current}} in March 2005. OpenBSD 3.4 introduced [[W^X]], a memory management scheme to ensure that memory is either writable or executable, but never both, which provides another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like [[x86-64]], which has hardware support for the [[NX bit]], OpenBSD is one of the few OSes to support this on the generic i386 platform,<ref>{{Cite web\|url=http://www.openbsd.org/58.html\|title=OpenBSD 5.8\|website=OpenBSD\|access-date=May 28, 2016\|quote=Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.}}</ref> which lacks built in per-page execute controls. Line 23 ⟶ 26: == Cryptography and randomization == One of the goals of the OpenBSD project is the integration of facilities and software for [[strong cryptography]] into the core operating system. To this end, a number of low-level features are provided, including a source of strong [[pseudorandom number generator\|pseudo random numbers]];<ref>{{cite conference \|url= https://www.usenix.org/legacy/publications/library/proceedings/usenix99/deraadt.html \|title = Cryptography in OpenBSD: An Overview \|first1= Theo \|last1= de Raadt \|author-link1= Theo de Raadt \|first2= Niklas \|last2= Hallqvist \|first3= Artur \|last3= Grabowski \|first4= Angelos D. \|last4= Keromytis \|first5= Niels \|last5= Provos \|~~authorlink5~~author-link5= Niels Provos\|date= June 6, 1999 \|conference= [[USENIX]] Annual Technical Conference \|___location= Monterey, California \|~~accessdate~~access-date= January 30, 2005}}</ref> built-in [[cryptographic hash functions]] and transforms; and support for cryptographic hardware ([[OpenBSD Cryptographic Framework]]). These abilities are used throughout OpenBSD, including the [[bcrypt]] password-hashing algorithm<ref>{{cite conference \|url=https://www.usenix.org/legacy/events/usenix99/provos.html \|title=A Future-Adaptable Password Scheme \|last1=Provos \|first1=Niels \|author-link1=Niels Provos \|last2=Mazières \|first2=David \|date=June 6, 1999 \|___location=Monterey, California \|conference=[[USENIX]] Annual Technical Conference \|~~accessdate~~access-date=May 26, 2016}}</ref> derived from [[Bruce Schneier]]'s [[Blowfish (cipher)\|Blowfish]] [[block cipher]], which takes advantage of the CPU-intensive Blowfish [[key schedule]], making [[brute-force attacks]] less practical. In OpenBSD 5.3, support for [[full disk encryption]] was introduced,<ref>{{cite web\|title=OpenBSD 5.3\|url=http://www.openbsd.org/53.html\|website=OpenBSD\|access-date=May 26, 2016}}</ref> but enabling it during the installation of OpenBSD had required manual intervention from the user by exiting the installer and entering some commands. Starting from OpenBSD 7.3, the installer supports enabling full disk encryption using a guided procedure, not requiring manual intervention anymore.<ref>{{cite web \|title=OpenBSD 7.3 \|url=https://www.openbsd.org/73.html \|website=www.openbsd.org \|access-date=19 April 2023}}</ref><ref>{{cite web \|title=Initial support for guided disk encryption in the installer \|url=https://undeadly.org/cgi?action=article;sid=20230308063109 \|website=undeadly.org \|access-date=19 April 2023}}</ref> To protect sensitive information such as [[password]]s from leaking on to disk, where they can persist for many years, OpenBSD supports encryption of the swap partition. The swap space is split up into many small regions that are each assigned their own encryption key: as soon as the data in a region is no longer required, OpenBSD securely deletes it by discarding the encryption key.<ref>{{cite conference \|url=https://www.usenix.org/legacy/publications/library/proceedings/sec2000/provos.html \|title=Encrypting Virtual Memory \|last1=Provos \|first1=Niels \|author-link1=Niels Provos \|date=August 14, 2000 \|___location=Denver, Colorado \|conference=9th [[USENIX]] Security Symposium \|accessdate=April 9, 2006 }}</ref> This feature is enabled by default in OpenBSD 3.9 and later. To protect sensitive information such as [[password]]s from leaking on to disk, where they can persist for many years, OpenBSD supports encryption of swap space. The swap space is split up into many small regions that are each assigned their own encryption key, which is generated randomly and automatically with no input from the user, held entirely in memory, and never written to disk except when [[hibernation (computing)\|hibernating]]; as soon as the data in a region is no longer required, OpenBSD discards its encryption key, effectively transforming the data in that region into useless garbage.<ref>{{cite conference \|url=https://www.usenix.org/legacy/publications/library/proceedings/sec2000/provos.html \|title=Encrypting Virtual Memory \|last1=Provos \|first1=Niels \|author-link1=Niels Provos \|date=August 14, 2000 \|___location=Denver, Colorado \|conference=9th [[USENIX]] Security Symposium \|access-date=April 9, 2006 }}</ref> Toggling this feature can be done using a single ''sysctl'' configuration option, and doesn't require any prior setup, disk partitioning, or partition-related settings to be done/changed; furthermore, there is no choice of encryption parameters (such as the algorithm or key length to use), as strong parameters are always used. There is no harm and no loss of functionality with this feature, because the encryption keys used to access swapped processes are only lost when the computer crashes (e.g. power loss), after which all operating systems discard the previous contents of the memory and swap anyway, and because [[hibernation (computing)\|hibernation]] continues to work as usual with this feature. This feature is enabled by default in OpenBSD 3.8 (released in November 2005) and later; OpenBSD, as of 2022, remains the only prominent operating system to have swap encrypted by default independently of disk encryption and its user-provided password. ([[Microsoft Windows\|Windows]] requires{{citation needed\|date=September 2023}} toggling a configuration setting that is not presented in its user-facing ''Control Panel'' and ''Settings'' apps, and other operating systems, including [[macOS]]{{citation needed\|date=September 2023}}, [[FreeBSD]],<ref>{{cite web \|title=Chapter 20. Storage — 20.14. Encrypting Swap \|url=https://docs.freebsd.org/en/books/handbook/disks/#swap-encrypting \|website=FreeBSD Documentation Portal \|access-date=27 September 2023 \|language=en}}</ref> and every [[Linux kernel\|Linux]]-based operating system{{citation needed\|date=September 2023}}, rely on the existing disk encryption features to encrypt the swap, which often (a) need to be enabled by the user manually, (b) require setup (if disk encryption wasn't chosen during the operating system's installation) which is not as trivial to do as toggling swap encryption on OpenBSD, and (c) use the user-provided password, which users need to remember and could be weak/guessable or even extracted out of the users.) The [[network stack]] also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including [[Transmission Control Protocol\|TCP]] initial sequence numbers and timestamps, and ephemeral source ports.<ref>{{Cite web\|url=http://www.securityfocus.com/columnists/361\|title=OpenBSD's network stack\|last=Biancuzzi\|first=Federico\|date=October 12, 2005\|publisher=[[SecurityFocus]]\|access-date=December 10, 2005}}</ref> A number of features to increase network resilience and availability, including countermeasures for problems with [[Internet Control Message Protocol\|ICMP]] and software for redundancy, such as [[Common Address Redundancy Protocol\|CARP]] and [[pfsync]], are also included. The project was the first to disable the plain-text [[telnet]] daemon in favor of the encrypted [[Secure shell\|SSH]] daemon, in 1999,<ref>{{cite web \|date=10 April 1999 \|first1=Theo \|last1=de Raadt \|author-link1=Theo de Raadt \|title=disable telnet/ftp/login by default, for now \|url=http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/Attic/inetd.conf?rev=1.32&content-type=text/x-cvsweb-markup\|work=OpenBSD}}</ref> and features other integrated cryptographic software such as [[IPsec]]. The telnet daemon was completely removed from OpenBSD in 2005<ref>{{cite web \|url=http://marc.info/?l=openbsd-cvs&m=111700017509177&w=2 \|quote=Removed files: libexec/telnetd \|title=CVS: cvs.openbsd.org: src \|first1=Theo \|last1=de Raadt \|author-link1= Theo de Raadt \|website=OpenBSD-CVS mailing list \|date=25 May 2005}}</ref> before the release of OpenBSD version 3.8. == ~~X11~~ =Signify=== The OpenBSD project had invented their own utility for cryptographic signing and verification of files, <code>signify</code>,<ref name="BSDCan 2015 signify paper">{{cite web \|last1=Unangst \|first1=Ted \|title=signify: Securing OpenBSD From Us To You \|url=https://www.openbsd.org/papers/bsdcan-signify.html \|website=www.openbsd.org \|publisher=BSDCan 2015 (June), Ottawa, Canada \|access-date=12 July 2022 \|ref=bsdcan-signify}}</ref> instead of using existing standards and software such as [[OpenPGP]] and [[GNU Privacy Guard\|GnuPG]]. The creator of the <code>signify</code> utility, Ted Unangst, wrote in 2015, speaking of [[OpenPGP]] and [[GNU Privacy Guard\|GnuPG]]: ''"The concerns I had using an existing tool were complexity, quality, and complexity."''<ref name="BSDCan 2015 signify paper" /> This is in line with the project's longtime tendency to reduce complexity, and [[Vulnerability (computing)#Causes\|in turn, reduce the probability of vulnerabilities]] existing in the software, and help the user understand the software better and make more security-educated decisions. <code>signify</code> is integrated into the base operating system and used for verification of all releases, patches, and packages starting with OpenBSD 5.5.<ref>{{cite web \|title=OpenBSD 5.5 \|url=https://www.openbsd.org/55.html \|website=www.openbsd.org \|access-date=12 July 2022}}</ref><ref>{{cite web \|title=OpenBSD: Innovations \|url=https://www.openbsd.org/innovations.html \|website=www.openbsd.org \|ref=innovations}}</ref> In contrast, other [[Free Software]] operating systems and security-focused software tend to use [[OpenPGP]] for release verification, and as of 2022 continue to do so, including: [[Debian]], a prominent operating system that's also used as a base for other operating systems, including [[Ubuntu]];<ref>{{cite web \|title=Verifying authenticity of Debian images \|url=https://www.debian.org/CD/verify \|website=www.debian.org \|access-date=12 July 2022}}</ref> [[Kali Linux]], a specialized operating system for [[penetration testing]], security research, [[digital forensics]], and [[Reverse engineering#Software\|reverse engineering]];<ref>{{cite web \|title=Download Kali Linux Images Securely {{!}} Kali Linux Documentation \|url=https://www.kali.org/docs/introduction/download-images-securely/ \|website=Kali Linux \|access-date=12 July 2022 \|language=English}}</ref> [[Qubes OS]], a security-focused operating system;<ref>{{cite web \|title=Verifying signatures \|url=https://www.qubes-os.org/security/verifying-signatures/ \|website=Qubes OS \|access-date=12 July 2022 \|language=en}}</ref> [[Tor Browser]], an anonymous Web browser;<ref>{{cite web \|title=How can I verify Tor Browser's signature? {{!}} Tor Project {{!}} Support \|url=https://support.torproject.org/tbb/how-to-verify-signature/ \|website=support.torproject.org \|access-date=12 July 2022}}</ref> [[SecureDrop]], a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet;<ref>{{cite web \|title=Share and accept documents securely \|url=https://securedrop.org/ \|website=SecureDrop \|publisher=Freedom of the Press Foundation \|access-date=12 July 2022 \|language=en}}</ref> and [[VeraCrypt]], a software program for [[on-the-fly encryption]] and [[full disk encryption]].<ref>{{cite web \|title=VeraCrypt - Free Open source disk encryption with strong security for the Paranoid \|url=https://veracrypt.fr/en/Digital%20Signatures.html \|website=veracrypt.fr \|publisher=IDRIX \|access-date=12 July 2022}}</ref> All parts of X11 on OpenBSD are running as the user, except for the X server, which is split between a privilege-stripped X process run as root, and an X process run as the _X11 user.{{citation needed\|reason=Checked by Freenode IRC users, need additional source \|date=October 2017}} == X11 == In X11 on OpenBSD, neither the X server nor X clients normally have any escalated direct memory or hardware privileges: When driving X with the Intel(4) or Radeon(4) drivers, these normally interact with the underlying hardware via the Direct Rendering Management(4) kernel interface only, so that lowlevel memory/hardware access is handled solely by the kernel. Other drivers such as WSFB follow a similar pattern. For this reason, X11 on OpenBSD does not open up lowlevel memory or hardware access to user/root programs as is done on some other systems, and as was done in the past, which then needed the user to escalate the machdep.allowaperture setting from its default zero setting, to an unsecure setting.{{citation needed\|reason=Needs additional verification, discussed on chat forums\|date=October 2017}} OpenBSD's version of the [[X Window System]] (named [[Xenocara]]) has some security modifications. The [[X.Org Server\|server]] and some of the default applications are patched to make use of [[privilege separation]], and OpenBSD provides an "aperture" driver to limit X's access to memory.<ref>{{Cite web\|url=http://man.openbsd.org/OpenBSD-~~5.9~~current/man4/xf86.4\|title=xf86 – X Window System aperture driver\|website=OpenBSD manual pages\|access-date=~~May 26, 2016~~2021-05-14}}</ref> However, after work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class."<ref>{{cite mailing list \|url=https://marc.info/?l=openbsd-misc&m=114738577123893&w=2 \|title=Re: security bug in x86 hardware (thanks to X WIndows) \|date=May 11, 2006 \|~~accessdate~~access-date=May 26, 2016 \|mailing-list=openbsd-misc \|last=de Raadt \|first=Theo \|~~authorlink~~author-link=Theo de Raadt }}</ref> He went on to castigate X developers for "taking their time at solving this > 10-year-old problem." On November 29, 2006, a [[VESA BIOS Extensions\|VESA]] kernel driver was developed that permitted X to run, albeit more slowly, without the use of the aperture driver.<ref>{{cite mailing list \|url=https://marc.info/?l=openbsd-cvs&m=116483366219125&w=2 \|title=CVS: cvs.openbsd.org: XF4 \|date=November 29, 2006 \|~~accessdate~~access-date=May 26, 2016 \|mailing-list=openbsd-cvs \|last=Herrb \|first=Matthieu }}</ref> On February 15, 2014, X was further modified to allow it to run without root privileges.<ref>{{cite mailing list \|url=https://marc.info/?l=openbsd-cvs&;m=139245772023497&w=2 \|title=CVS: cvs.openbsd.org: xenocara \|date=February 15, 2014 \|~~accessdate~~access-date=May 26, 2016 \|mailing-list=openbsd-cvs \|last=Kettenis \|first=Mark}}</ref><ref>{{Cite web\|url=http://undeadly.org/cgi?action=article&sid=20140223112426\|title=Xorg can now run without privilege on OpenBSD\|date=February 22, 2014\|publisher=[[OpenBSD Journal]]\|access-date=May 26, 2016}}</ref> After the discovery of a security vulnerability in X,<ref>{{Cite web\|url=https://www.openbsd.org/errata64.html#p001_xserver\|title=OpenBSD 6.4 Errata\|website=www.openbsd.org\|access-date=2019-05-23}}</ref> OpenBSD doesn't support the running of X as a root user and only supports running X via a display manager as a dedicated <code>_x11</code> user. == Other features == [[Privilege separation]],<ref>{{cite conference \|url=https://www.usenix.org/legacy/publications/library/proceedings/sec03/tech/provos_et_al.html \|title=Preventing Privilege Escalation \|last1=Provos \|first1=Niels \|~~authorlink1~~author-link1=Niels Provos \|last2=Friedl \|first2=Markus \|last3=Honeyman \|first3=Peter \|date=August 4, 2003 \|conference=12th [[USENIX]] Security Symposium \|___location=Washington, D.C. \|~~accessdate~~access-date=May 26, 2016}}</ref> [[privilege revocation (computing)\|privilege revocation]], [[chroot]]ing and randomized loading of libraries also play a role in increasing the security of the system. Many of these have been applied to the OpenBSD versions of common programs such as [[tcpdump]] and [[Apache webserver\|Apache]], and to the [[BSD Authentication]] system. <!-- Mentioned pledge() --> OpenBSD has a history of providing its users with [[Full disclosure (computer security)\|full disclosure]] in relation to various bugs and security breaches detected by the OpenBSD team.<ref>{{cite web \|url=http://bsd.slashdot.org/story/00/12/11/1455210/theo-de-raadt-responds \|title=Theo de Raadt Responds \|last=Miller \|first=Robin \|publisher=[[Slashdot]] \|date=December 11, 2000 \|url-status=live \|~~archiveurl~~archive-url=https://web.archive.org/web/20110728031830/http://bsd.slashdot.org/story/00/12/11/1455210/Theo-de-Raadt-Responds \|~~archivedate~~archive-date=July 28, 2011 \|~~accessdate~~access-date=May 16, 2014 }}</ref> This is exemplified by [[OpenBSD#Slogan\|the project's slogan]]: "Only two remote holes in the default install, in a heck of a long time!" OpenBSD is intended to be secure by default, which includes (but is not limited to) having all non-essential services be disabled by default. This is done not only to not require users to learn how and waste time to secure their computers after installing OpenBSD, but also in hope of making users more aware of security considerations, by requiring them to make conscious decisions to enable features that could reduce their security. <ref>{{cite web \|title=OpenBSD: Security — "Secure by Default" \|url=https://www.openbsd.org/security.html#default \|website=www.openbsd.org \|access-date=27 September 2023}}</ref> ~~In OpenBSD 5.3, support for [[full disk encryption]] was introduced.<ref>{{cite web\|title=OpenBSD 5.3\|url=http://www.openbsd.org/53.html\|website=OpenBSD\|accessdate=May 26, 2016}}</ref>~~ OpenBSD 5.89 ~~introduced~~included support for the then–new <code>pledge</code> [[system call]] (introduced in OpenBSD 5.8 as <code>tame</code> and renamed in 5.9 to <code>pledge</code>) for restricting process capabilities to a minimal subset required for correct operation.<ref>{{cite web\|title=pledge() - a new mitigation mechanism\|url=https://www.openbsd.org/papers/hackfest2015-pledge\|website=OpenBSD\|~~accessdate~~access-date=May 19, 2018}}</ref> If the process is compromised and attempts to perform an unintended behavior, it will be terminated by the kernel. OpenBSD 6.4 introduced the <code>unveil</code> [[system call]] for restricting [[filesystem]] visibility to a minimum level.<ref>{{cite web\|title=unveil — unveil parts of a restricted filesystem view\|url=https://man.openbsd.org/unveil\|website=OpenBSD manual pages\|access-date=2020-05-15}}</ref> <code>pledge</code> and <code>unveil</code> are used together to confine applications, further limiting what they're otherwise permitted to do under the user account they're running as. Since ~~its~~the introduction of <code>pledge</code>, base OpenBSD programs (included [[Out of the box (feature)\|out of the box]] in OpenBSD), applications (handled by their developers), and ports (of applications, handled by the OpenBSD team) have been ~~changed~~updated to ~~support~~be confined with <code>pledge</code>, ~~including~~and/or <code>unveil</code>. Some examples of third-party applications updated with these features (by their developers or in OpenBSD's app ports) include the [[Chromium (web browser)\|Chromium]] and [[Firefox]] [[web browser]]s. == References == Line 54 ⟶ 60: {{cite book \| url = https://books.google.com/books?id=gqKwaHmXp4YC \| ~~last~~last1 = Korff \| ~~first~~first1 = Yanek \| last2 = Hope \| first2 = Paco Line 83 ⟶ 89: {{cite book \| url = https://books.google.com/books?id=bIhtQgAACAAJ \| ~~last~~last1 = Palmer \| ~~first~~first1 = Brandon \| last2 = Nazario \| first2 = Jose Line 97 ⟶ 103: == External links == * [http://tech.yandex.com/events/ruBSD/2013/talks/103/ Exploit Mitigation Techniques: an Update After 10 Years] {{Webarchive\|url=https://web.archive.org/web/20140220032702/http://tech.yandex.com/events/ruBSD/2013/talks/103/ \|date=February 20, 2014 }} * [[Theo de Raadt]]'s email about secure programming: [http://marc.info/?l=openbsd-tech&m=138733933417096&w=2 On the matter of strlcpy/strlcat acceptance by industry]