OpenBSD security features
API and build changes
Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the strcpy and strcat string functions in the C programming language. There are two common alternatives, strncpy and strncat, but they can be difficult to understand and easy to misuse, so OpenBSD developers Todd C. Miller and Theo de Raadt designed the strlcpy and strlcat functions. These functions are logical and easier to use, making it harder for programmers to accidentally leave buffers unterminated or allow them to be overflowed. They have been adopted by the NetBSD and FreeBSD projects but have not been accepted by the GNU C library, the maintainer of which, Ulrich Drepper, vehemently opposes their incorporation on the grounds that programmers using them will cease to worry about the root issues inspiring their use, which may still be exploitable in a different way.
On OpenBSD, the linker has been changed to issue a warning when unsafe functions, such as strcpy, strcat or another string manipulation function that is often a cause of errors, sprintf, are found. All occurrences of these functions in the OpenBSD source tree have been replaced. In addition, a static bounds checker is included in OpenBSD in an attempt to find other common programming mistakes at compile time. Other security-related APIs developed by the OpenBSD project are issetugid and arc4random.
Developed by Hiroaki Etoh, ProPolice is a GCC extension for protecting applications from stack-smashing attacks. In order to make this possible, it performs a number of operations: local stack variables are reordered to place buffers after pointers, protecting them from corruption in case of a buffer overflow; pointers from function arguments are also placed before local buffers; and a canary value placed after local buffers which, when the function exits, can sometimes be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection. It was integrated into the OpenBSD GCC in December 2002, and first made available in version 3.3; it was applied to the kernel in release 3.4. The extension works on all the CPU architectures supported by OpenBSD and is activated by default, so any C code compiled will be protected without user intervention.
In May 2004, OpenBSD on the SPARC platform received further stack protection in the form of StackGhost. This makes use of features of the SPARC architecture to help prevent exploitation of buffer overflows. Support for SPARC64 was added to -current in March 2005.
OpenBSD 3.4 introduced W^X (W xor X), a memory management scheme to ensure that memory is either writable or executable, but never both, and providing another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like AMD64, which has hardware support for the NX bit, OpenBSD is one of the few OSes to support this on the generic i386 platform, which lacks built in per-page execute controls.
During the development cycle of the 3.8 release, changes were made to the malloc memory management functions. In traditional Unix operating systems, malloc allocates more memory by extending the Unix data segment, a practice that has made it difficult to implement strong protection against security problems. The malloc implementation now in OpenBSD makes use of the mmap system call, which was modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other. In addition, allocation of small blocks in shared areas are now randomized and the free function was changed to return memory to the kernel immediately rather than leaving it mapped into the process. A number of additional, optional checks were also added to aid in development. These features make program bugs easier to detect and harder to exploit: instead of memory being corrupted or an invalid access being ignored, they often result in a segmentation fault and abortion of the process. This has brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer, a type of bug that would previously not be detected directly but can now cause an error. These abilities took more than three years to implement without considerable performance loss and are similar in goals to that of the Electric Fence malloc debugging library by Bruce Perens.
Cryptography and randomization
One of the goals of the OpenBSD project is the integration of facilities and software for strong cryptography into the core operating system. To this end, a number of low-level features are provided, including a source of strong pseudo random numbers; built-in cryptographic hash functions and transforms; and support for cryptographic hardware (OpenBSD Cryptographic Framework). These abilities are used throughout OpenBSD, including the bcrypt password-hashing algorithm derived from Bruce Schneier's Blowfish block cipher, which takes advantage of the slow Blowfish key schedule to make password-checking inherently CPU-intensive, so that password-cracking attempts are slower and more difficult. To protect sensitive information such as passwords and passphrases from leaking on to disk where they can persist for many years, OpenBSD supports encryption of the swap partition. The swap space is split up into many small regions that are each assigned their own encryption key: as soon as the data in a region is no longer required, OpenBSD securely deletes it by discarding the encryption key. This feature is enabled by default in OpenBSD 3.9 and later. The network stack also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including TCP Initial Sequence Numbers and timestamps, and ephemeral source ports. A number of features to increase network resilience and availability, including countermeasures for problems with ICMP and software for redundancy, such as CARP and pfsync, are also included. In userland, the project was perhaps the first to disable the plain-text telnet daemon in favor of the encrypted SSH daemon and features other integrated cryptographic software, including IPsec and Kerberos.
OpenBSD's version of the X Window System has some security modifications. The server and some of the default applications are patched for privilege separation and other enhancements, and OpenBSD provides an "aperture" driver to limit X's access to memory. However, after recent work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class." He went on to castigate X developers for "taking their time at solving this > 10 year old problem." Recently, a VESA kernel driver has been developed, which permits X to run, albeit more slowly, without the use of the aperture driver.
Privilege separation, privilege revocation, chrooting and randomized loading of libraries also play a role in increasing the security of the system. Many of these have been applied to the OpenBSD versions of common programs such as tcpdump and Apache, and to the BSD Authentication system. OpenBSD also supports sandboxing of untrusted applications using the Systrace facility, a framework allowing interposition of system calls for fine-grained restriction of processes. Systrace supports interactive generation of policies, and other features designed to allow privilege elevation.
Notes and references
- Man pages: strncpy and strncat.
- Man pages: strlcpy and strlcat.
- Miller, Todd C. and Theo de Raadt. strlcpy and strlcat - consistent, safe, string copy and concatenation. Proceedings of the 1999 USENIX Annual Technical Conference, June 6-11, 1999, pp. 175–178.
- Drepper, Ulrich. Mail to libc-alpha: Re: PATCH: safe string copy and concetation(sic), August 8, 2000. Visited December 9, 2005.
- Madhavapeddy, Anil. Mail to openbsd-cvs: CVS: cvs.openbsd.org: src, June 6, 2003. Accessed March 31, 2013.
- Man pages: issetugid and arc4random.
- ProPolice site: here.
- Frantzen, Mike and Mike Shuey. StackGhost: Hardware Facilitated Stack Protection. Proceedings of the 10th USENIX Security Symposium, August 13–17, 2001, pp. 55–66.
- de Raadt, Theo, Niklas Hallqvist, Artur Grabowski, Angelos D. Keromytis, Niels Provos. Cryptography in OpenBSD: An overview (PDF), June 1999. Visited January 30, 2005.
- Niels Provos and David Mazières. A Future-Adaptable Password Scheme. Proceedings of the USENIX '99, Freenix Track, June 1999. Accessed April 9, 2006.
- Niels Provos Encrypting Virtual Memory. Proceedings of the 9th USENIX Security Symposium, August 2000. Accessed April 9, 2006.
- SecurityFocus. Federico Biancuzzi, OpenBSD's network stack, October 12, 2005. Accessed December 10, 2005.
- OpenBSD's xf86(4) man page.
- de Raadt, Theo. Mail to openbsd-misc: Re: security bug in x86 hardware (thanks to X WIndows), November 5, 2006. Visited December 7, 2006.
- Niels Provos, Markus Friedl and Peter Honeyman. Preventing Privilege Escalation. Proceedings of the 12th USENIX Security Symposium, August 2003. Accessed April 9, 2006.
- Niels Provos. Improving Host Security with System Call Policies. Proceedings of the 12th USENIX Security Symposium, August 2003. Accessed April 9, 2006.