Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Gets Even More Secure

Posted by CowboyNeal on from the one-tight-daemon dept.

Telent writes "As seen in this post by Theo de Raadt, OpenBSD is getting even more secure, working on smashing script kiddies running buffer overflow exploits dead. Tightening PROT_* according to the POSIX standards and creating a non-executable stack on most architectures are just two of the recent enhancements, most of which are in -current now."

8 of 362 comments (clear)

  1. Re:concrete galoshes by coene · · Score: 5, Insightful

    OpenBSD does not secure by limiting or removing functinality. Instead, it secures through proper programming, working as a team, and tackling issues in sequence.

    I understand your joking, but point the next one towards the right area :)

  2. Re:Why not Windows by the_mad_poster · · Score: 3, Insightful

    It's the difference between love of money and love of your job I suppose. People who are more interested in creating a product that THEY want (BSD developers) are more likely to create a product other people will want. People who are creating a product OTHER people want (as in MS developers making products for their managers' current whims) just won't have the heart for it. Of course... an outright disgust and ditrust of your customers helps create a faulty product as well :\

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  3. Nonexecutable stacks by Sayjack · · Score: 4, Insightful

    A nonexecutable stack is no guarantee of safety. Solaris 2.6 demonstrated this here.

    --

    -- Good judgement comes with experience. -- Experience comes with bad judgement.

    1. Re:Nonexecutable stacks by Anonymous Coward · · Score: 3, Insightful

      A nonexecutable stack is no guarantee of safety.

      Nobody said it was. To quote TdR, "We feel that these 4 technologies together will be a a royal pain in the ass for the typical buffer overflow attacker."

      If you think "royal pain in the ass" constitutes proof, go back to math 101.

  4. VMS by ArchieBunker · · Score: 5, Insightful

    VMS is probably a close second in terms of security. Its C-2 secure right out of the box. Plus most script kiddies would be left scratching their head trying to use it.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  5. Nice, but doesn't address the bigger problem. by matman · · Score: 3, Insightful

    The bigger problem is that the principle of least privilege is not adhered to in world of Unix. Programmers will always write bugs and applications will always have vulnerabilities that can be manipulated. Manipulation of services should only effect the service being manipulated, not the whole system. For example, services should have NO access to anything by default. When you install a service you should set up the specific permissions that it requires (this can be made easy - the app, upon install, can recommend the permissions and you can just say, "okay"). If the app tries to do something that it doesn't normally need to do (like access /home/me/mysecretfile), the system should log an access denied message; the Linux kernel right now can't even audit denied access to files! CHUID permissions to deliver mail to people? A much cleaner mechanism is for the mail server to create the files under its own name and give permission to the user to take ownership of the files.

    Linux, and Unix in general, tends to have pretty limited access controls. Even with ACL support, the distros still need to ship with restrictive settings and manage them. A lot can be done to provide a framework under which compromises can be limited and can be audited. Right now we don't have that. Without detection and reaction, how do you know that your prevention is effective?

  6. Re:linux should have non-exec stack by defualt by Anonymous Coward · · Score: 5, Insightful

    This is plain stupid. The kernel stack has nothing in common with user stack, so trampolines are a special issue there.

    Then, trampolines are not the only way to implement nested functions. Just a neat one.

    And finally, gcc has all the hooks to turn the memory protection back on for the little chunk that wants stack execution.

    Guess what ? gnu-ada uses trampolines, and it works on OpenBSD current...

  7. Different stacks... by wowbagger · · Score: 3, Insightful

    I was thinking about this on my drive into work this morning, and I came to the conclusion that what we need to do is to change the C style stack usage to use two or three stacks.

    Consider: C uses the stack for three types of information: call/return information, parameter passing, and local variable storage. I assert that this is the cause of most of the stack problems in C - you are using the same thing for three different needs.

    Let me discuss each of the three uses in turn. I will use x86 terminology for this discussion because that is the primary architecture used for Linux and because that is what I am most familiar with, but you should be able to generalize my points without much problem.

    First, you have the call/return stack. This needs to the be CPU stack so that normal CALL/RET operations work. The only things that should be stored here are the actual return addresses, as well as possibly register saves (esp. for interrupt routines). However, in a unified stack design it is possible for the bad guys to modify the return address. Thus, even in a non-executable stack environment I can still change the return address to point to a function, say exec().

    Second, you have the parameter passing stack. Ideally the only thing on this stack would be parameters passed down to the function from the caller. However, in a unified stack design, I can modify this stack to contain data - thus I can create a pointer to the string "/bin/bash" on the stack. With this and with the call/return modification above, I can cause the current function to "return" to exec(), with "/bin/bash" as the arg. Boom. Remote shell.

    Third, you have local variable storage. If this space were seperate from the other two stacks, then overflowing a local buffer, while still bad, would not be able to modify the return address nor would it be able to create parameters. Ideally, every subroutine would be given its own sparely mapped local space - thus boundary errors would likely throw a page fault (granted, the cost of setting such a mapping up for each subroutine call would be prohibitive, so it is unlikely to happen without some form of hardware acceleration. Perhaps a low/high limit register could be added to the various index functions, such that an access relative to EBP, ESI, EDI would fault if it went out of range.)

    However, consider just seperating the stack into three areas, widely seperated. ESP would point to the hardware stack. EBP to the local storage area, and ESI to the parameter block (with EDI pointing to "this" for C++). Now, a bad programmer has a buffer in local storage and doesn't range check it. A would-be exploiter still cannot modify the return address nor can he modify the parameter stack. The most he could do would be to hose the local variable storage (granted, that might still allow him to corrupt the local vars for some other function and perhaps get an exploit that way, but it would be even more difficult).

    Granted, to do what I just suggested means throwing out *all* standard libraries, tools, compilers, and so forth - I am not actually suggesting that the x86 family do this! However, for new architectures like Sledgehammer et. al, this might be the time to make such a break.

    --
    www.eFax.com are spammers