OpenBSD Gets Even More Secure
Telent writes "As seen in this post by Theo de Raadt, OpenBSD is getting even more secure, working on smashing script kiddies running buffer overflow exploits dead. Tightening PROT_* according to the POSIX standards and creating a non-executable stack on most architectures are just two of the recent enhancements, most of which are in -current now."
...Microsoft's goal has been to add more saleable features and more handcuffs for their users. Bill has a moneymaking mania. Then they expect a month of bugfixing to make up for over 100 months of bugmaking.
OpenBSD, on the other hand, probably has 100 months of bugfixing up its collective sleeve. I wonder if they expect that a month of porting applications will make them more popular? (-:
IRL, a month of porting applications would simply mean an order of magnitude more security holes to fix.
Making OpenBSD completely thread-safe in preparation for multi-CPU stuff is probably a steep hill to climb, too. However, the kind of stuff that OpenBSD does well probably means that very few single-CPU OpenBSD machines will be CPU-starved until long after they're disk-I/O or net-bandwidth-saturated. Which means that it makes more sense to cluster than to proliferate CPUs in an already-saturated environment.
Got time? Spend some of it coding or testing
Ancient and venerable 24-bit CDC 3150 machine in 1970 solved buffer overflow problems by pre-writing return jump to execover (pass control to data area and bang, you're dumped) instruction throughout user space. When you got the dump, the ASCII interpretation was "ojoy". So you got about thirty pages of blue-bar printout saying "ojoyojoyojoyojoy...".
Thou hast damnable iteration, and art indeed able to corrupt a saint - Henry IV, Act I scene II
You just have to explicitly mprotect(2) the memory where it happens with PROT_EXEC|PROT_WRITE. The fact that on some OSes it can work without doing that is actually a bug in these OSes.
What the change is doing is the right thing, using a minimum privilege way to achieve more security. If some static code actually contains data that looks like machine code, it could be executed; this won't be possible anymore.
Non-executable stack by itself was far from enough, as most programs have some way of putting things on the heap or elsewhere for an attacker, and he could jump there instead of jumping on the stack. Coding an exploit for OpenBSD will get real tough now, even if there's an actual buffer overflow.
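The explicit mprotect(2) handling discussed in the comment above, as an added example that is not part of the thread or of OpenBSD's code: a page is mapped writable but not executable, filled, then switched to read+execute so it is never writable and executable at once, and a forked child confirms the write permission is really gone. The function names `write_probe` and `wx_flip_demo` are hypothetical.

```c
#define _DEFAULT_SOURCE /* exposes MAP_ANON on glibc */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that stores one byte at p. Returns 0 if the store succeeded,
 * the fatal signal number if the child was killed, -1 on fork/wait failure. */
static int write_probe(unsigned char *p)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        *(volatile unsigned char *)p = 0x41;
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Returns 1 when the page accepts writes while mapped R+W and rejects them
 * after being switched to R+X; 0 if protection was not enforced; -1 on error. */
int wx_flip_demo(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0, len);               /* fill phase: writable, not executable */
    int before = write_probe(p);     /* expected: 0, the store is allowed */
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return -1;
    }
    int after = write_probe(p);      /* expected: SIGSEGV (SIGBUS on some systems) */
    munmap(p, len);
    return before == 0 && (after == SIGSEGV || after == SIGBUS);
}

int main(void)
{
    printf("write blocked after flip to R+X: %d\n", wx_flip_demo());
    return 0;
}
```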
I'm gonna have to disagree with you on several points here.
1. I have found Open is actually easier to install than Free. Granted, this could be due to my love of purely simple methods, which the Open installer is. Net is, in my mind, the hardest of the three, with Free being very much in the middle.
2. I fail to see how Open is slower and more limited. It is true that Free has the most amazing tcp stack in production today, but Open's is pretty tight, and is plenty efficient in disk I/O and CPU usage. It's also not limited in any way. The stock install has a lot less "stuff" in it than most other OS's, but I consider that a definite bonus. "Ports" in a few extras, and you have an awesome httpd, ftp, mail, dns, whatever server. In my company, we have dual purpose dns/mx backup OpenBSD machines.
3. While it is true that OpenBSD makes a dandy firewall, and quite frankly, I would use nothing else but OpenBSD for said purpose, that's not all it's good for, and this "typecasting" has to stop. Does just fine in any other role too, hell, I have an OpenBSD DESKTOP. DESKTOP!
4. As for an Open box getting owned, not surprising. The final step in a secure OS is knowing how to maintain it, and maintaining Open is no picnic; once Free is up and running it is far easier to learn to patch it. Both are fairly simple once ya get the hang of it, but the Free learning curve is much faster. And quite frankly, a lot of businesses deploy tons of FreeBSD machines, lots of admins know it. Open is a newer project, with a smaller real world footprint.
Just my unspellchecked thoughts. It's almost my birthday, I no longer feel compelled to check my typos out.
--Nuintari
slashdot : where an opinion can be wrong.