Content deleted Content added
Undid revision 1214254210 by Braincricket (talk): Not vandalism—OpenBSD makes learning security unnecessary and eliminates the need to work for further security by being secure by default. This is the point of the sentence (I wrote this). Maybe my phrasing isn't clear enough? |
|||
Line 7:
== API and build changes ==
Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the <code>[[strcpy]]</code> and <code>[[strcat]]</code> [[String (computer science)|string]] functions in the [[C programming language|C]] programming language. There are two common alternatives, <code>[[strncpy]]</code> and <code>[[strncat]]</code>, but they can also be difficult to understand and easy to misuse,<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-current/man3/strncpy.3|title=strncpy – copy part of a string to another|website=OpenBSD manual pages|access-date=2021-05-14}}</ref><ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-current/man3/strncat.3|title=strncat – concatenate a string with part of another|website=OpenBSD manual pages|access-date=2021-05-14}}</ref> so OpenBSD developers [[Todd C. Miller]] and [[Theo de Raadt]] designed the <code>[[strlcpy]]</code> and <code>[[strlcat]]</code> functions.<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-current/man3/strlcat.3|title=strlcpy, strlcat – size-bounded string copying and concatenation|website=OpenBSD manual pages|access-date=2021-05-14}}</ref> These functions are intended to make it harder for programmers to accidentally leave buffers unterminated or allow them to be overflowed.<ref>{{cite conference |url=http://www.usenix.org/events/usenix99/millert.html |title=strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation |last1=Miller |first1=Todd C. |last2=de Raadt |first2=Theo |author-link2=Theo de Raadt |date=June 6, 1999 |conference=[[USENIX]] Annual Technical Conference |___location=Monterey, California |access-date=May 26, 2016}}</ref> They have been adopted by the NetBSD and FreeBSD projects but not by the [[GNU C Library]].<ref>{{cite mailing list |url=https://www.sourceware.org/ml/libc-alpha/2000-08/msg00053.html |title=Re: PATCH: safe string copy and concatenation |date=August 8, 2000 |access-date=May 26, 2016 |mailing-list=libc-alpha@sources.redhat.com |last=Drepper |first=Ulrich}}</ref>
On OpenBSD, the [[Linker (computing)|linker]] has been changed to issue a warning when [[C standard library#Buffer overflow vulnerabilities|unsafe string manipulation functions]], such as <code>strcpy</code>, <code>strcat</code>, or <code>[[sprintf]]</code>, are found. All occurrences of these functions in the OpenBSD source tree have been replaced.{{citation needed|reason=This is probably in their FAQ, or at least on the mailing lists (probably tech@)|date=May 2016}} In addition, a [[Static code analysis|static bounds checker]] is included in OpenBSD in an attempt to find other common programming mistakes at compile time.<ref>{{cite mailing list |url=https://marc.info/?l=openbsd-cvs&m=105665219927976 |title=CVS: cvs.openbsd.org: src |date=June 26, 2003 |access-date=March 31, 2013 |mailing-list=openbsd-cvs |last=Madhavapeddy |first=Anil }}</ref> Other security-related [[Application programming interface|APIs]] developed by the OpenBSD project include <code>issetugid</code><ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-current/man2/issetugid.2|title=issetugid – is current executable running setuid or setgid|website=OpenBSD manual pages|access-date=2021-05-14}}</ref> and <code>[[RC4#RC4-based random number generators|arc4random]]</code>.<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-current/man3/arc4random.3|title=arc4random, arc4random_buf, arc4random_uniform – random number generator|website=OpenBSD manual pages|access-date=2021-05-14}}</ref>
| |||