Information Security News mailing list archives

OpenBSD Gets Harder to Crack


From: InfoSec News <isn () c4i org>
Date: Wed, 4 Jun 2003 02:35:51 -0500 (CDT)

http://www.eweek.com/article2/0,3959,1111894,00.asp

By Timothy Dyck
June 2, 2003 

In the security field, nothing is quite as revealing—or as taxing—as
the passage of time.

By that measure in particular, the OpenBSD development team's OpenBSD
operating system stands out. The latest OpenBSD 3.3 release, which
started shipping early last month, arrives with even stronger attack
defenses coupled with an amazing record of just a single remotely
exploitable vulnerability in more than seven years, the best security
track record for any general-purpose operating system around.

eWEEK Labs has used past versions of OpenBSD for a number of years in
our lab for network firewalls as well as in OpenHack security tests
and has come to trust the product's rock-solid reliability and
secure-out-of-the-box configuration. It's free to download or $40 for
a CD version.

This release improves the package's already-powerful network filtering
features with the addition of bandwidth preallocation, selective
traffic prioritization and load balancing.

For network firewall or router deployments, OpenBSD provides a secure,
easy-to-configure option, while still supporting the deployment of
general-purpose network server applications such as The Apache
Software Foundation's HTTP Server or Internet Software Consortium's
BIND (Berkeley Internet Name Domain) name server. (Apache 1.3.27 and
BIND 9.2.2 are installed on OpenBSD 3.3 by default.)

Although OpenBSD has a generous set of prebuilt software packages
available for it (installing KDE, or K Desktop Environment, 3.1 was
very straightforward), it is not well-supported by commercial server
software vendors the way Linux, Windows or Solaris is. It also doesn't
support more than one CPU per server.

Keeping an OpenBSD system up-to-date is also very demanding for system
administrators. Configuration files in /etc need to be manually
migrated during version upgrades (which ship every six months), and
security patches are released only in source code form. A binary patch
distribution tool would make it much easier to deploy OpenBSD systems
in larger numbers.

Overflow Attack Protection

OpenBSD 3.3 enables by default ProPolice, an application buffer
overflow protection mechanism developed by IBM Research. To get this
protection, users need to compile applications with the
ProPolice-equipped GNU Compiler Collection compiler that comes with
OpenBSD or use just the already-protected applications that ship with
OpenBSD.

OpenBSD 3.3 adds page-level memory permissions (on SPARC, Alpha and
PA-RISC CPUs) that mark each memory page as either writable or
executable (but not both at once), to make it harder for an attacker
to write attack code into a memory location and execute it.

Unfortunately, this feature isn't provided on x86 or PowerPC chips
yet, although it's planned for the OpenBSD 3.4 release.
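
The write-or-execute page policy described above, sketched as an added example (not code from the article or from the OpenBSD project). The helper names kernel_refuses_wx and wx_load are hypothetical, and the code assumes a POSIX system with anonymous mmap; it only changes page permissions and never executes the bytes it copies.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Probe the policy: ask for a page that is writable AND executable at once.
 * Returns 1 if the kernel refused the request, 0 if it granted it
 * (meaning the policy is not enforced for this process). */
int kernel_refuses_wx(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    munmap(p, pg);
    return 0;
}

/* Copy len bytes into fresh pages while they are writable but not
 * executable, then switch them to executable but not writable. The pages
 * are never W and X together. Returns the mapping (size in *maplen),
 * or NULL on failure. */
void *wx_load(const void *bytes, size_t len, size_t *maplen)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t sz = ((len + pg - 1) / pg) * pg;   /* round up to whole pages */
    if (len == 0 || sz < len)                 /* empty input or overflow */
        return NULL;
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, bytes, len);                    /* write phase: RW, no X */
    if (mprotect(p, sz, PROT_READ | PROT_EXEC) != 0) {  /* now RX, no W */
        munmap(p, sz);
        return NULL;
    }
    *maplen = sz;
    return p;
}
```

A program written this way keeps working when the operating system forbids pages that are writable and executable at the same time; one that requests both permissions at once is the kind the policy is meant to stop.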

The OpenBSD project has made a decision against
trusted-operating-system-style mandatory access controls that place
kernel-enforced limits on what particular processes or users can do.  
"People who use such things build systems which cannot be administered
later," said Theo de Raadt, OpenBSD project leader, in Calgary,
Alberta. "I am holding the fort against such complexity."

However, while mandatory access controls do make systems harder to
administer, we've found the approach a very powerful defense in tests
and would welcome the option to use these techniques with OpenBSD.

OpenBSD's excellent packet filter, pf, is a big attraction of the
platform because it provides such comprehensive firewall features
coupled with a concise yet simple configuration file format.

This release updates pf with traffic-shaping features that let
administrators devote a set amount of bandwidth or a relative
percentage of bandwidth to particular types of traffic or particular
users. It also lets administrators prioritize selected types of
traffic.

West Coast Technical Director Timothy Dyck is at
timothy_dyck () ziffdavis com.


