Slashdot Mirror


OpenBSD 3.2 Readies For Release, pf Matures

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contender in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."

21 of 292 comments

  1. Re:so is there a packet filter or not? by aridhol · Score: 5, Informative

    When they took ipfilter out, OpenBSD didn't have a packet filter. In order to address this issue, pf was written. After pf was written, OpenBSD had a packet filter. There was a time, after ipfilter was removed, but before pf was added, that OpenBSD didn't have a packet filter.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  2. Re:so is there a packet filter or not? by a+(+h+3+r+0+n · Score: 5, Informative

    The reasons for ripping IPF out of OpenBSD are documented elsewhere, but what it basically boils down to is a licensing issue. Darren Reed, author of IPF, changed its license to something incompatible with the stated goals of OpenBSD, so it was removed. Daniel (incredibly) came up with a replacement in record time. The 3.2 release boasts a lot of things, besides improvements to PF. These include things like a nonexec stack, a chrooted Apache, a reduction in the number of setuid binaries, and more 'secure' filesystem mount options by default. There's no sarcasm implied, I'm sure. OpenBSD truly IS among the most secure operating systems in the world.

  3. if you are going to upgrade to 3.2 ahead of time by congiman · Score: 5, Informative

    It's already out there in the source tree... and has been for a while (beginning of October).

    You can grab the main .tgzs from:
    ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i386

    I'm pretty sure you can do this install by getting the floppy (.fs) files and selecting FTP install.

    If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)

    set your cvsroot:
    setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
    cd /usr
    cvs -q get -rOPENBSD_3_2 -P src

    You can then follow along here:

    http://www.openbsd.org/faq/upgrade-minifaq.html

    Make sure you do all the steps.
    Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build.

    (Note: if you are doing it from something earlier than 3.1, you should do the other changes (3.0.* etc.) as well.)

    -- C

  4. WARNING: SNAPSHOTS ARE NEWER THAN RELEASE by honold · Score: 2, Informative

    this information is bad, as the 3.2 snapshots are now further ahead in development than the 3.2 release code. there is no supported method for backtracking from -current to -release.

    for the impatient, the best method is to check out the 3.2 sources from cvs (as described) and build from source

    1. Re:WARNING: SNAPSHOTS ARE NEWER THAN RELEASE by congiman · Score: 4, Informative

      The snapshots on ftp.usa.openbsd.org are still 10/3/2002.....

      But, I'll also grant you that that seems weird in that it usually changes more often.

      If all else fails, wait 3 days and you can find it at:

      ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2
      (THIS LINK WILL NOT WORK UNTIL FRIDAY)
      (this is posted in PST, so Friday is still 3 days away).

      Yeah, the best way would be to grab 3.1
      ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.1

      install it
      and then src code upgrade

      -- C

  5. Re:so is there a packet filter or not? by jbolden · Score: 5, Informative

    OpenBSD truly IS among the most secure operating systems in the world.

    I think it's probably fairer to say something like, "OpenBSD truly IS among the most secure Unixes in the world". There are fundamental security flaws with Unixes that run very deep which prevent it from being really really secure. Look at an OS like z/OS or EROS to see how much further security can go when you break from Unix security flaws like:

    - The existence of a filesystem
    - Having any individual have much real authority over the system ....

  6. Re:if you are going to upgrade to 3.2 ahead of tim by Anonymous Coward · Score: 1, Informative

    Be careful. The 3.2 errata hasn't been committed to CVS. So while you're running the 3.2 RELEASE, 3.2 STABLE won't exist until the actual release.

    If you really want an early 3.2, you need to port the relevant 3.1 errata to your 3.2 tree.

  7. Why pf sounds great by capedgirardeau · Score: 5, Informative

    Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.

    He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I don't think other packet filters are doing; ask your vendor how they are handling these same types of issues.

    This is why pf sounds like it will be very good (direct quotes from the article):

    ... [about the kernel integration] ... we just call a single function, pf_test(), from ip_input() and ip_output(), where all packets from network interfaces pass. Additionally, the function is called from the bridge code and after encapsulated packets are unwrapped, so encapsulated packets pass through pf at every layer. [security enhancement]

    ... The stateful connection tracking is based directly on Guido van Rooij's work (which is also the basis for IPFilter). ... To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers. Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematical proof. [security enhancement]

    ... pf can randomize sequence numbers for hosts that have predictable ISN [initial sequence number] generators. [security enhancement]

    ... Fragment reassembly and normalization (eliminating ambiguities in packets that a receiver might interpret in different ways) was written by Niels Provos, based on Vern Paxson's work. This is something very useful I haven't seen implemented in a packet filter before ... Reassembling fragments allows the filter to deal only with complete packets, reducing the rule set complexity. In my opinion, it's well worth the additional cost. pf allows you to specify what packets to normalize in which ways, so you can handle notoriously fragmented but otherwise known-good traffic separately. [security enhancement]

    ... pf implicitly creates state for all translated [NAT'ed] connections and stores the information needed for translation in the state entry. This simplifies and reduces lookups. [speed/security enhancement]

    ... [Skip Steps] And this is what skip steps are. For each parameter in each filter rule, the number of subsequent rules that specify the exact same value are counted. When, during evaluation of a rule, a parameter is found to not match, evaluation is not necessarily continued on the very next rule, but all subsequent rules that can't possibly match are skipped. [speed enhancement]

    --
    Wax on, wax off baby!
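
    The skip-step optimization quoted in the post above, worked through as an added example that is not pf's own code: the rule set, the parameter order and the sample packets are constructed here, and last-matching-rule-wins (pf's default when a rule has no `quick`) is assumed. It shows how a mismatch on one parameter jumps past every following rule that carries the same value, so fewer rules are examined than a linear scan would need.

```python
# Added example (not pf's code): pf-style "skip steps" over a constructed rule set.
# For every rule and every parameter we record where the run of subsequent rules
# carrying the exact same value ends, so a mismatch on that parameter jumps past
# the whole run instead of testing each rule in turn.
from dataclasses import dataclass
from typing import Optional

# Parameters are compared in this fixed order; None in a rule means "any".
PARAMS = ("iface", "af", "proto", "src", "dst", "dport")

@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    iface: Optional[str] = None
    af: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

def compute_skips(rules):
    """skips[i][p] = index of the first rule after i whose parameter p differs
    from rule i's (len(rules) if none does). One backward pass suffices."""
    n = len(rules)
    skips = [[n] * len(PARAMS) for _ in range(n)]
    for i in range(n - 2, -1, -1):
        for p, name in enumerate(PARAMS):
            same = getattr(rules[i], name) == getattr(rules[i + 1], name)
            skips[i][p] = skips[i + 1][p] if same else i + 1
    return skips

def evaluate(rules, skips, pkt, default="pass"):
    """Return (action, rules examined). Last matching rule wins, as in pf
    without 'quick'; a plain linear scan would examine every rule."""
    match, examined, i, n = None, 0, 0, len(rules)
    while i < n:
        r, examined, nxt = rules[i], examined + 1, i + 1
        for p, name in enumerate(PARAMS):
            want = getattr(r, name)
            if want is not None and want != pkt[name]:
                nxt = skips[i][p]      # every rule up to here shares this value
                break
        else:
            match = r.action
        i = nxt
    return (match or default), examined

def build_rules():
    """Constructed rule set: a default block, a run of TCP rules sharing
    iface/af/proto/dst, then a UDP rule and a rule on a second interface."""
    return [Rule("block")] + [
        Rule("pass", "fxp0", "inet", "tcp", None, "10.0.0.1", port)
        for port in (22, 25, 80, 443)
    ] + [Rule("pass", "fxp0", "inet", "udp", None, "10.0.0.1", 53),
         Rule("pass", "fxp1", "inet", "tcp", None, "10.0.0.2", 22)]

if __name__ == "__main__":
    rules, pkt = build_rules(), {"iface": "fxp1", "af": "inet", "proto": "tcp",
                                 "src": "192.0.2.9", "dst": "10.0.0.2", "dport": 22}
    skips = compute_skips(rules)
    print(evaluate(rules, skips, pkt))                                 # ('pass', 3) of 7 rules
    print(evaluate(rules, skips, dict(pkt, iface="fxp0", af="inet6")))  # ('block', 2)
```

    The skip steps only pay off when consecutive rules share values (the interface and address-family runs here); a packet that fails on a parameter that changes every rule, such as the port, still walks all seven.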
  8. Re:so is there a packet filter or not? by Anonymous Coward · Score: 2, Informative

    only the -current development branch was lacking a packet filter. obviously the stable branch and existing installations still had a functioning packet filter implementation. also note that ipf patches were made against OpenBSD CVS after theo pulled it, provoking a somewhat amusing debate on misc@.

  9. Re:so is there a packet filter or not? by Anonymous Coward · Score: 2, Informative

    no, there was not. OpenBSD 2.9 included ipf as the packet filter. OpenBSD 3.0 and 3.1 included pf and lacked ipf.

  10. Re:so is there a packet filter or not? by Anonymous Coward · Score: 2, Informative

    at the other end of this envelope is Bell Labs' Plan 9 which carries the UNIX principle that states "everything is a file" to the logical extreme while distributing privileges sanely, unlike UNIX with its all-powerful root. apparently this system runs a significant portion of the telephone systems in the US, at least. the design principles are sound, anyway; witness Sun's Trusted Solaris and the DARPA-funded TrustedBSD project.

  11. Re:Why no easy installer? by psxndc · Score: 3, Informative

    If you buy the CD, the insert has a walkthrough of an install. OpenBSD is actually one of the easiest installs if you follow the documentation.

    psxndc

    --

    The emacs religion: to be saved, control excess.

  12. Re:pf? Mature? by atrus · Score: 4, Informative

    If you actually read the interview, pf appeared in the 3.0 release. Which is about a year ago.

  13. Re:if you are going to upgrade to 3.2 ahead of tim by jolan · Score: 2, Informative

    You can grab the main .tgzs from:
    ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i386

    Those are snapshots of 3.2-current, not of what will be released as 3.2.

  14. Re:Why no easy installer? by alain1234 · Score: 3, Informative

    About Debian and OpenBSD, a quote from the latest Debian Weekly News:

    Debian/OpenBSD ceased. Andreas Schuldei announced that he is discontinuing the effort to combine OpenBSD and Debian. He found out that there are several indications that security in OpenBSD is mostly at the same level as it is in Debian. Since the reason to work on this port was primarily to provide a more secure environment for Debian users, this port doesn't seem to be worthwhile anymore.

  15. Re:( Read More... | 2 of 1416 comments | BSD ) by Sn4xx0r · Score: 3, Informative

    Go to your slashdot preferences, the homepage tab, and on the lower part of the page is "Customize Slashboxes". Enable some of the bsd sites to see their headlines while reading slashdot.

    Like Shanep said, OpenBSD Journal (at deadly.org) is a good one.

    --
    Got brain?
  16. Re:pf ported to Debian? by neroz · Score: 2, Informative

    What a shame. Let's hope the {Net|Free}BSD ports don't follow suit - they are a lot further along.
    Here's the post from the Debian GNU/OpenBSD porter:
    ---
    Subject: status debian/openbsd
    From: Andreas Schuldei
    Date: Tue, October 22, 2002 4:50 pm
    To: debian-bsd

    There are several indications that OpenBSD's security is more or
    less up to the level of what can be achieved with today's Debian
    GNU/Linux.

    The kernel code seems to have severe race conditions and the
    userspace seems to be bitten by a comparable number of security
    incidents as e.g. a stable Debian with a corresponding software
    base.

    Since my reason for this port is primarily to provide a more secure
    environment for Debian users with the same feel, right now this
    port seems not to be worthwhile.

    OpenBSD seems to make efforts to change to ELF binary format some
    time in the future. When this has happened and the audit efforts show
    further results I will reevaluate the situation.

    Everyone who wants to carry on with this port is welcome to take
    over.
    ---

  17. Re:Why no easy installer? by debilo · Score: 2, Informative

    I don't really mind there not being a real GUI-based installer. Although I would appreciate the comfort in having one, I've found OpenBSD installs extremely painless and easy, the installation on my (slightly dated) router box takes no more than 15 minutes. Even as a beginner, a quick read-through of the really excellent FAQ provides all the information you need to get started in no time.

    But then, there's this article I stumbled across on Deadly:

    G.O.B.I.E, a "Graphical OpenBSD Installer Engine", and I have to say the screenshots look pretty damn slick. They are also working on other cool things. From the web site:

    [G.O.B.I.E] wishes to add some value to the product by developing installation modules to known servers such as Bind, Sendmail, INN, Apache...

    Among them, you will find help to configure PF(Packet Filter), authpf, altq and some other tools.

    We have planned to build a kernel configuration tool too!!!

    I think that sounds like an interesting project and (though IMHO not absolutely needed) I would like to see it being officially presented as an alternative to the current installer.

  18. Re:OpenBSD is so l33t... by linuxbaby · Score: 2, Informative

    RTFFAQ:
    http://www.openbsd.org/faq/faq8.html#wwwsolaris

    8.18 - Why does www.openbsd.org run on Solaris?

    www.openbsd.org and the main OpenBSD ftp site are hosted at a SunSITE at the University of Alberta, Canada. These sites are hosted on a large Sun system, which has access to lots of storage space and Internet bandwidth. The presence of the SunSITE gives the OpenBSD group access to this bandwidth. This is why the main site runs here. Many of the OpenBSD mirror sites run OpenBSD, but since they do not have guaranteed access to this large amount of bandwidth, the group has chosen to run the main site at the University of Alberta SunSITE.

  19. The most secure OS by octogen · Score: 4, Informative

    And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.

    This definition depends on what you call "secure".

    Theo calls an OS with a very limited, trusted set of applications "secure" - however, running secure applications with root privileges has nothing to do with OS level security. That's application level security.

    I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel. That means, there is no way of gaining 'root' privileges or something like that by hacking into some highly privileged daemon, provided that the system is configured properly.

    To achieve this level of security, it is necessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel - and that's still missing in OpenBSD.

    What does "secure" mean?
    "[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. [...]"
    - SE Linux FAQ, NSA

    -----

    There are mainly two types of secure Operating Systems.
    a) Everything up to the C2 level of security
    b) Everything from B1 up to A1 (never ever reached by any OS)

    The difference is information labeling.
    You only get a B1 security certificate, if your OS has mandatory access controls. It must be able to automatically prevent users from mixing secret data with public data. This is often called a "Trusted OS".

    Most people don't need information labeling/mandatory access control, because all their data has the same level of sensitivity.

    TCSEC C2 does not say much about how the OS has to handle privileges, so a C2-level OS can still be very insecure, but it can also be very secure - almost impenetrable - and it still can't ever become certified at B1 or above, because it simply can't handle multiple levels of sensitivity.

    -----

    Let's look at NON-Trusted-OSs first, because most people don't need a Trusted OS:

    OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2. It distinguishes between world and root privileges.

    VMS has an audit trail, access control lists, and a privilege model.

    AS/400s have an audit trail, access control lists, a privilege model, an object-based security model with type enforcement and hardware-supported pointer-in-memory-protection because of the single level storage address space, but that does not matter much (think about it as something which is similar to protect-mode on an x86, but based on objects and pointer to objects instead of segments and segment descriptors).

    VMS is clearly superior to OpenBSD, mainly because of the privilege model. If a process does not have many privileges, then an attacker can't gain many privileges by hacking it. Simple, isn't it?

    An AS/400 is (VMS users listen carefully) clearly superior to both OpenBSD and VMS. It has a superset of the security features of VMS, and additionally it has object-based protection. Therefore, you can't write to a program object, and you can't execute a data file or things like that.

    Now let's look at Trusted OSs:

    SE-VMS has an audit trail, access control lists, a privilege model, information labeling and compartment mode.

    Solaris with Argus Pitbull has an audit trail, access control lists, fine grained privilege controls plus inheritance rules (proxy privilege sets and so on), a trusted computing base, information labeling and compartment mode (mandatory access controls).

    Both are clearly superior to the non-trusted OSs mentioned above, because applications can be totally separated from each other by putting them in separate compartments.
    If someone hacks into an application in compartment A, then he/she still can't access an application in compartment B, so he/she is locked down into a jail.

    Solaris with Pitbull is clearly superior to VMS, because of the much more sophisticated privilege model. It's more fine-grained and it has inheritance controls, so certain applications will only gain their privileges if they can inherit those privileges from another process. By default, executing another application always drops all privileges.

    -----

    What I'd like to say is .. 2 things:

    1. What about "OpenBSD is the world's most secure OS"? It has a pretty good verified kernel, but its security mechanisms are simply not powerful enough. A bug-free kernel does not help a lot when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...

    2. What about "Unix can't be secure"? I get really bored by VMS users comparing Standard-Linux with VMS; maybe compare the most secure setup of either Operating System and then let's talk about security again.
    HERE is TCSEC B3 certified Unix (Linux-compatible, too).

    regards,
    octogen

    1. Re:The most secure OS by foofboy · Score: 2, Informative

      Point of order re:
      b) Everything from B1 up to A1 (never ever reached by any OS).
      There are several OS's rated B1 or above.

      From Dynamoo:
      B - Mandatory Protection
      Division B specifies that the TCB protection systems should be mandatory, not discretionary.
      B1 - Labelled Security Protection
      As C2 plus:
      • Mandatory security and access labelling of all objects, e.g. files, processes, devices etc.
      • Label integrity checking (e.g. maintenance of sensitivity labels when data is exported).
      • Auditing of labelled objects.
      • Mandatory access control for all operations.
      • Ability to specify security level printed on human-readable output (e.g. printers).
      • Ability to specify security level on any machine-readable output.
      • Enhanced auditing.
      • Enhanced protection of Operating System.
      • Improved documentation.
      • Example OSes are: HP-UX BLS, Cray Research Trusted Unicos 8.0, Digital SEVMS, Harris CS/SX, SGI Trusted IRIX.
      B2 - Structured Protection As B1 plus:
      • Notification of security level changes affecting interactive users.
      • Hierarchical device labels.
      • Mandatory access over all objects and devices.
      • Trusted path communications between user and system.
      • Tracking down of covert storage channels.
      • Tighter system operations mode into multilevel independent units.
      • Covert channel analysis.
      • Improved security testing.
      • Formal models of TCB.
      • Version, update and patch analysis and auditing.
      • Example systems are: Honeywell Multics, Cryptek VSLAN, Trusted XENIX.
      B3 - Security Domains As B2 plus:
      • ACLs additionally based on groups and identifiers.
      • Trusted path access and authentication.
      • Automatic security analysis.
      • TCB models more formal.
      • Auditing of security auditing events.
      • Trusted recovery after system down and relevant documentation.
      • Zero design flaws in TCB, and minimum implementation flaws.
      • The only B3-certified OS is Getronics/Wang Federal XTS-300.
      A - Verified Protection
      Division A is the highest security division.
      A1 - Verified Protection
      As B3 plus:
      A2 and above
      Provision is made for security levels higher than A2, although these have not yet been formally defined. No OSes are rated above A1.