== API and build changes ==
Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the <code>[[strcpy]]</code> and <code>[[strcat]]</code> [[String (computer science)|string]] functions in the [[C programming language|C]] programming language. There are two common alternatives, <code>[[strncpy]]</code> and <code>[[strncat]]</code>, but they can be difficult to understand and easy to misuse,<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-5.9/man3/strncpy.3|title=strncpy – copy part of a string to another|website=OpenBSD manual pages|access-date=May 26, 2016}}</ref><ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-5.9/man3/strncat.3|title=strncat – concatenate a string with part of another|website=OpenBSD manual pages|access-date=May 26, 2016}}</ref> so OpenBSD developers [[Todd C. Miller]] and [[Theo de Raadt]] designed the <code>[[strlcpy]]</code> and <code>[[strlcat]]</code> functions.<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-5.9/man3/strlcat.3|title=strlcpy, strlcat – size-bounded string copying and concatenation|website=OpenBSD manual pages|access-date=May 26, 2016}}</ref> These functions are intended to make it harder for programmers to accidentally leave buffers unterminated or allow them to be overflowed.<ref>{{cite conference |url=http://www.usenix.org/events/usenix99/millert.html |title=strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation |last1=Miller |first1=Todd C. |last2=de Raadt |first2=Theo |author-link2=Theo de Raadt |date=June 6, 1999 |conference=[[USENIX]] Annual Technical Conference |___location=Monterey, California |
On OpenBSD, the [[Linker (computing)|linker]] has been changed to issue a warning when [[C standard library#Buffer overflow vulnerabilities|unsafe string manipulation functions]], such as <code>strcpy</code>, <code>strcat</code>, or <code>[[sprintf]]</code>, are found. All occurrences of these functions in the OpenBSD source tree have been replaced.{{citation needed|reason=This is probably in their FAQ, or at least on the mailing lists (probably tech@)|date=May 2016}} In addition, a [[Static code analysis|static bounds checker]] is included in OpenBSD in an attempt to find other common programming mistakes at compile time.<ref>{{cite mailing list |url=https://marc.info/?l=openbsd-cvs&m=105665219927976 |title=CVS: cvs.openbsd.org: src |date=June 26, 2003 |
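As an added example (not OpenBSD's code or any libc implementation), the following re-implements <code>strlcpy</code>/<code>strlcat</code> according to their documented contract and sets them beside the <code>strncpy</code> pitfall described above: the names <code>my_strlcpy</code>, <code>my_strlcat</code>, <code>build_path</code> and <code>strncpy_terminated</code> and the 8-byte buffers are choices made for this illustration.

```c
#include <string.h>

/* Re-implementation of strlcpy(3) following its documented contract:
 * the destination is always NUL-terminated when size > 0, and the return
 * value is strlen(src), so a result >= size means the copy was truncated. */
size_t my_strlcpy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';                 /* terminated even when truncated */
    }
    return srclen;
}

/* strlcat(3) counterpart: appends as much of src as fits, always terminates,
 * and returns the length it tried to create (initial strlen(dst) + strlen(src)). */
size_t my_strlcat(char *dst, const char *src, size_t size) {
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0')   /* bounded scan of dst */
        dstlen++;
    if (dstlen == size)                /* dst itself not terminated within size */
        return size + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, size - dstlen);
}

/* The idiomatic caller pattern: copy, then append, checking each return value
 * against the buffer size. Returns the assembled string, or NULL if either
 * step would have truncated (constructed 8-byte buffer for the demo). */
const char *build_path(const char *dir, const char *file) {
    static char buf[8];
    if (my_strlcpy(buf, dir, sizeof buf) >= sizeof buf)
        return NULL;
    if (my_strlcat(buf, file, sizeof buf) >= sizeof buf)
        return NULL;
    return buf;
}

/* The pitfall strlcpy was designed to remove: strncpy() into an 8-byte
 * buffer leaves no terminator at all once src is 8 or more characters long.
 * Returns 1 if the buffer contains a NUL after the copy, 0 if it does not. */
int strncpy_terminated(const char *src) {
    char buf[8];
    memset(buf, 'X', sizeof buf);      /* no stray NULs from a previous use */
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}
```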
== Kernel randomization ==
Developed by Hiroaki Etoh, [[ProPolice]] is a [[GNU Compiler Collection|GCC]] extension designed to protect applications from [[Stack buffer overflow|stack-smashing attacks]].<ref>{{Cite web|url=http://www.research.ibm.com/trl/projects/security/ssp/|title=GCC extension for protecting applications from stack-smashing attacks|publisher=[[IBM Research]]|archive-url=https://web.archive.org/web/20140604021923/http://www.research.ibm.com/trl/projects/security/ssp/|archive-date=June 4, 2014|access-date=May 26, 2016}}</ref> It does this through a number of operations: local stack variables are reordered to place buffers after pointers, protecting the pointers from corruption in case of a buffer overflow; pointers from function arguments are also placed before local buffers; and a [[Buffer overflow protection#Canaries|canary]] value is placed after local buffers which, when the function exits, can sometimes be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection.{{Vague|date=May 2016}} It was integrated into OpenBSD's version of GCC in December 2002, and first made available in OpenBSD 3.3;<ref>{{Cite web|url=https://www.openbsd.org/33.html|title=OpenBSD 3.3|website=OpenBSD|access-date=May 28, 2016|quote=Integration of the ProPolice stack protection technology [...] into the system compiler.}}</ref> it was applied to the kernel in release 3.4.<ref>{{Cite web|url=https://www.openbsd.org/34.html|title=OpenBSD 3.4|website=OpenBSD|access-date=May 28, 2016|quote=ProPolice stack protection has been enabled in the kernel as well.}}</ref> The extension works on all the CPU architectures supported by OpenBSD and is enabled by default, so any C code compiled will be protected without user intervention.<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-current/man1/gcc-local.1|title=gcc-local – local modifications to gcc|website=OpenBSD manual pages|access-date=May 28, 2016|quote=gcc comes with the 'ProPolice' stack protection extension, which is enabled by default.}}</ref>
In May 2004, OpenBSD on the [[SPARC]] platform received further stack protection in the form of [[Stack-smashing protection#StackGhost (hardware-based)|StackGhost]]. This makes use of features of the SPARC architecture to help prevent exploitation of buffer overflows.<ref>{{cite conference |url=https://www.usenix.org/legacy/publications/library/proceedings/sec01/frantzen.html |title=StackGhost: Hardware Facilitated Stack Protection |last1=Frantzen |first1=Mike |last2=Shuey |first2=Mike |date=August 13, 2001 |conference=10th [[USENIX]] Security Symposium |___location=Washington, D.C. |
OpenBSD 3.4 introduced [[W^X]], a memory management scheme which ensures that a page of memory is either writable or executable, but never both, providing another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like [[x86-64]], which has hardware support for the [[NX bit]], OpenBSD is one of the few OSes to support this on the generic i386 platform,<ref>{{Cite web|url=http://www.openbsd.org/58.html|title=OpenBSD 5.8|website=OpenBSD|access-date=May 28, 2016|quote=Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.}}</ref> which lacks built-in per-page execute controls.
== Cryptography and randomization ==
One of the goals of the OpenBSD project is the integration of facilities and software for [[strong cryptography]] into the core operating system. To this end, a number of low-level features are provided, including a source of strong [[pseudorandom number generator|pseudo random numbers]];<ref>{{cite conference |url= https://www.usenix.org/legacy/publications/library/proceedings/usenix99/deraadt.html |title = Cryptography in OpenBSD: An Overview |first1= Theo |last1= de Raadt |author-link1= Theo de Raadt |first2= Niklas |last2= Hallqvist |first3= Artur |last3= Grabowski |first4= Angelos D. |last4= Keromytis |first5= Niels |last5= Provos |
To protect sensitive information such as [[password]]s from leaking onto disk, where it can persist for many years, OpenBSD supports encryption of the swap partition. The swap space is split up into many small regions that are each assigned their own encryption key: as soon as the data in a region is no longer required, OpenBSD securely deletes it by discarding the encryption key.<ref>{{cite conference |url=https://www.usenix.org/legacy/publications/library/proceedings/sec2000/provos.html |title=Encrypting Virtual Memory |last1=Provos |first1=Niels |author-link1=Niels Provos |date=August 14, 2000 |___location=Denver, Colorado |conference=9th [[USENIX]] Security Symposium |
The [[network stack]] also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including [[Transmission Control Protocol|TCP]] initial sequence numbers and timestamps, and ephemeral source ports.<ref>{{Cite web|url=http://www.securityfocus.com/columnists/361|title=OpenBSD's network stack|last=Biancuzzi|first=Federico|date=October 12, 2005|publisher=[[SecurityFocus]]|access-date=December 10, 2005}}</ref> A number of features to increase network resilience and availability, including countermeasures for problems with [[Internet Control Message Protocol|ICMP]] and software for redundancy, such as [[Common Address Redundancy Protocol|CARP]] and [[pfsync]], are also included. The project was the first to disable the plain-text [[telnet]] daemon in favor of the encrypted [[Secure shell|SSH]] daemon, in 1999,<ref>{{cite web |date=10 April 1999 |first1=Theo |last1=de Raadt |author-link1=Theo de Raadt |title=disable telnet/ftp/login by default, for now |url=http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/Attic/inetd.conf?rev=1.32&content-type=text/x-cvsweb-markup|work=OpenBSD}}</ref> and features other integrated cryptographic software such as [[IPsec]]. The telnet daemon was completely removed from OpenBSD in 2005<ref>{{cite web |url=http://marc.info/?l=openbsd-cvs&m=111700017509177&w=2 |quote=Removed files: libexec/telnetd |title=CVS: cvs.openbsd.org: src |first1=Theo |last1=de Raadt |author-link1= Theo de Raadt |website=OpenBSD-CVS mailing list |date=25 May 2005}}</ref> before the release of OpenBSD version 3.8.
In X11 on OpenBSD, neither the X server nor X clients normally have any escalated direct memory or hardware privileges: when driving X with the intel(4) or radeon(4) drivers, these normally interact with the underlying hardware only via the Direct Rendering Manager (drm(4)) kernel interface, so that low-level memory and hardware access is handled solely by the kernel. Other drivers such as wsfb follow a similar pattern. For this reason, X11 on OpenBSD does not open up low-level memory or hardware access to user or root programs, as is done on some other systems and as was done in the past, when the user had to raise the machdep.allowaperture setting from its default of zero to an insecure setting.{{citation needed|reason=Needs additional verification, discussed on chat forums|date=October 2017}}
OpenBSD's version of the [[X Window System]] (named [[Xenocara]]) has some security modifications. The [[X.Org Server|server]] and some of the default applications are patched to make use of [[privilege separation]], and OpenBSD provides an "aperture" driver to limit X's access to memory.<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-5.9/man4/xf86.4|title=xf86 – X Window System aperture driver|website=OpenBSD manual pages|access-date=May 26, 2016}}</ref> However, after work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class."<ref>{{cite mailing list |url=https://marc.info/?l=openbsd-misc&m=114738577123893&w=2 |title=Re: security bug in x86 hardware (thanks to X WIndows) |date=May 11, 2006 |
On February 15, 2014, X was further modified to allow it to run without root privileges.<ref>{{cite mailing list |url=https://marc.info/?l=openbsd-cvs&m=139245772023497&w=2 |title=CVS: cvs.openbsd.org: xenocara |date=February 15, 2014 |
After the discovery of a security vulnerability in X,<ref>{{Cite web|url=https://www.openbsd.org/errata64.html#p001_xserver|title=OpenBSD 6.4 Errata|website=www.openbsd.org|access-date=2019-05-23}}</ref> OpenBSD no longer supports running X as the root user; X can only be started via a display manager, running as the dedicated <code>_x11</code> user.
== Other features ==
[[Privilege separation]],<ref>{{cite conference |url=https://www.usenix.org/legacy/publications/library/proceedings/sec03/tech/provos_et_al.html |title=Preventing Privilege Escalation |last1=Provos |first1=Niels |
OpenBSD has a history of providing its users with [[Full disclosure (computer security)|full disclosure]] in relation to various bugs and security breaches detected by the OpenBSD team.<ref>{{cite web |url=http://bsd.slashdot.org/story/00/12/11/1455210/theo-de-raadt-responds |title=Theo de Raadt Responds |last=Miller |first=Robin |publisher=[[Slashdot]] |date=December 11, 2000 |url-status=live |
In OpenBSD 5.3, support for [[full disk encryption]] was introduced.<ref>{{cite web|title=OpenBSD 5.3|url=http://www.openbsd.org/53.html|website=OpenBSD|
OpenBSD 5.8 introduced the <code>pledge</code> [[system call]] for restricting process capabilities to a minimal subset required for correct operation.<ref>{{cite web|title=pledge() - a new mitigation mechanism|url=https://www.openbsd.org/papers/hackfest2015-pledge|website=OpenBSD|
== References ==