Hackers Meet Soldiers
by George Peter Staplin and Cameron Laird
OpenBSD is widely recognized as "one of those other OSes"--an operating system available, like Linux, without licensing fee, but with its own character distinct from any other OS. Only recently, though, have people begun to learn that the US Defense Advanced Research Projects Agency (DARPA) partially funds the Canadian-based OpenBSD project. Why is the US military paying ideology-driven foreign hackers? What's the effect on development of the OS?
Focused on Security
Independent Alberta-based kernel hacker Theo de Raadt is the creator, overseer, and taskmaster of the OpenBSD project. Security has been a consistent strength of his professional career. While centered in Canada, the OpenBSD advanced operating system team De Raadt leads includes members from around the world.
OpenBSD has focused on security, reliability, and quality since its launch over 7 years ago. The team follows such standards as POSIX, ANSI, and most of X/Open. Since 1996, formal audits [see sidebar on security and audits] of the base system's source code have further buttressed its reputation for security. Thousands of companies, including Adobe and Network Security Technologies, Inc., use OpenBSD, although many of them keep their choice private for security reasons.
Security and Audits
"Security" and "audit" mean something different to OS programmers than they do in civilian life. Security refers to everything done to protect a system. This certainly concerns "AAA" (authentication, authorization, and accounting) as ways to keep "bad guys" from wreaking havoc, but also involves a variety of expedients, from "Are you sure?" buttons to log files, which protect users from their own mistakes.
An audit is an attested review of quality and integrity performed by an independent professional. OpenBSD reviewers carefully study individual programs and parts of programs, to verify that nothing can go wrong. "Go wrong" here means, for example, that the program doesn't burn its CPU or launch missiles if a user (perhaps accidentally) enters a longer data-field than expected.
DARPA has funded OpenBSD through a program known as Composable High Assurance Trusted Systems (CHATS). The University of Pennsylvania oversees the specific proposal behind this grant, called Portable Open Source Security Elements (POSSE). The grant money has allowed De Raadt to hire former part-time volunteers as full-time employees. This staffing accelerated development and provided time for the team to report on its research by writing academic papers.
De Raadt answered several questions about the contract for this article. He explained that no development serves only government purposes: "Nearly everything that is being developed is going into the OpenBSD source tree. All of what we do is free. Any changes which do not go into our source tree are a result of discarded work: something went wrong, something was not useful, a semantic is flawed, etc."
Among the OpenBSD implementation projects CHATS has at least partially financed are support for setuid reduction and daemon cleanup, systrace, the stateful OpenBSD packet filter pf, and, most recently, stack protection. Changes implemented through CHATS are likely to migrate to other systems as well. The changes are already licensed as free software, and they follow what De Raadt calls "Unix semantics" for portability. To ensure that the code is well understood and able to be shared, the implementation team has been writing papers about its design and implementation.
Summary of Recent Projects
Even without the detail these formal papers provide, it's possible to understand the essence of the CHATS projects.
setuid reductions, for example, increase the precision of operation as a privileged user. Certain code, known as a "setuid program", must be run with heightened security privileges. But if a program runs as root or a similarly privileged identity, any error or exploit has the potential to damage the entire system. Limiting security settings restricts the scope and likelihood of such damage.
The traditional Unix-like security provisions for networking illustrate this principle. These OSes restrict creation of services on the "lower range" of socket ports, such as port 80 for an HTTP server. This means that the user must have special privileges to create a server on these ports. Apache, for example, starts as a privileged user to create a server socket on port 80. It then changes to run as a less powerful user for safety reasons.
OpenBSD reinforces this precaution by changing Apache's root directory ( along with its user identity. So even if a cracker accesses the system, she'll be able to reach only the Apache root directory (typically /var/www), rather than the full filesystem /, which would likely be accessible with a less secure implementation of Apache.
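The privilege-dropping sequence just described (start privileged, confine to the document root, switch to a less powerful user), as an added example that is not OpenBSD's or Apache's own code; it assumes a Unix host, and the fallback id 65534 is assumed to be the conventional "nobody" account:

```python
import os

# Added example: the privilege-dropping sequence the article describes for
# Apache (start as root, chroot to /var/www, switch to a less powerful
# user). Nothing here is OpenBSD's or Apache's own code.

def cannot_regain_root():
    """True only if uid 0 is really gone: a further setuid(0) must fail.
    A process that merely changed its effective uid with seteuid would
    pass this call and could climb back to root."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False

def drop_privileges(new_root, uid, gid):
    """Irrevocably become uid/gid, optionally confined to new_root.
    Order matters: chroot while still root, chdir into the jail so the
    working directory does not point outside it, drop supplementary
    groups and set the gid before the uid (after setuid we could no
    longer change groups), then verify rather than assume."""
    if new_root is not None:
        os.chroot(new_root)
        os.chdir("/")
    if os.geteuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    return cannot_regain_root()

def self_check():
    """Run the sequence on this process without a jail. An ordinary user
    just re-sets its own ids; a root process drops to uid/gid 65534,
    the conventional 'nobody' (an assumption about the host)."""
    uid, gid = os.getuid(), os.getgid()
    if uid == 0:
        uid = gid = 65534
    return drop_privileges(None, uid, gid)

if __name__ == "__main__":
    print("root irrevocably dropped:", self_check())
```

A real daemon binds its listening socket on port 80 before calling drop_privileges, which is the order the article attributes to Apache.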
The systrace project also manages the relations between programs and the privileges. systrace uses configuration files to specify the system calls a program may make, and what the system calls--including non-native, emulated calls--may do. This restricts a cracker's ability to use a program for an unintended purpose. A systrace policy for named, for example, might declare:
native-fsread: filename eq "/etc/named.conf" then permit
This restricts named to reading only the file that it should read; even if named is compromised somehow, OpenBSD prevents it from being "hijacked" to more. systrace expressively and elegantly addresses common security vulnerabilities. We expect to see many system administrators learn and use it soon. Two recent ONLamp articles address systrace in detail: Systrace and Creating Systrace Policies.
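To show how a rule like the one above confines a daemon, here is an added example (not part of the article or the systrace tool) that parses the subset of systrace policy syntax shown and evaluates constructed system calls against a constructed policy for named; the policy path and zone directory are assumptions:

```python
import fnmatch
import re
# Added example: a minimal evaluator for the subset of systrace policy
# syntax the article shows. The real grammar is richer and the interactive
# tool asks the operator about calls no rule covers; here they are denied.
RULE_RE = re.compile(
    r'^(?P<call>[\w-]+):\s*'
    r'(?:(?P<arg>\w+)\s+(?P<op>eq|match)\s+"(?P<val>[^"]*)"\s+then\s+)?'
    r'(?P<action>permit|deny)$')

def parse_policy(text):
    """Turn policy lines into rule dicts, keeping file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Policy:")):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {line!r}")
        rules.append(m.groupdict())
    return rules

def decide(rules, call, args):
    """First matching rule wins; a call no rule permits is denied, which
    is what keeps a hijacked daemon to the files it should touch."""
    for r in rules:
        if r["call"] != call:
            continue
        if r["arg"] is None:            # unconditional rule
            return r["action"]
        actual = args.get(r["arg"])
        if actual is None:
            continue
        if r["op"] == "eq" and actual == r["val"]:
            return r["action"]
        if r["op"] == "match" and fnmatch.fnmatchcase(actual, r["val"]):
            return r["action"]
    return "deny"

# Constructed policy for named: its config and zone files, nothing else.
NAMED_POLICY = """
Policy: /usr/sbin/named, Emulation: native
    native-fsread: filename eq "/etc/named.conf" then permit
    native-fsread: filename match "/var/named/*" then permit
    native-exit: permit
"""
NAMED_RULES = parse_policy(NAMED_POLICY)
```

Call decide(NAMED_RULES, "native-fsread", {"filename": "/etc/master.passwd"}) to see the default deny that a compromised named would run into.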
The pf packet filter is another powerful tool. It can limit port and address access across a network interface, perform network address translation (NAT/BINAT/redirection) and queuing, and provides other features vital for a server or firewall. Two ONLamp articles about securing small networks with OpenBSD discuss how to use pf and NAT with pf in OpenBSD 3.3.
The execution stack is a common target for attack by buffer overflows and other means. (A recent ONLamp article about chroot explored buffer overflows in more detail.) It's characteristic of common hardware architectures that stack modification can allow a cracker to execute malicious code. The OpenBSD team has come up with a combination of defenses that reduces the risk of such exploits. Memory pages and ELF sections have been marked as non-writable and non-executable where possible; this prevents an attacker from writing his own code into memory and executing it. The team has also cooperated in development of ProPolice, a tool originally created by IBM employee Hiroaki Etoh. At runtime, ProPolice checks return addresses and reorganizes variables to make them more difficult to overflow.
These initiatives, CHATS and POSSE, and OpenBSD programming ingenuity have generated a variety of security advances. OpenBSD's liberal license means that the whole world will have the opportunity to use more secure software. The crack prevention provided by the multitiered approach of stack protection, non-writable/non-executable areas of memory, and setuid reduction should make life more difficult for crackers; and, thus, easier for administrators. The proactive security approach that OpenBSD has used for years is now trickling down into other systems, as big players, including Microsoft, recognize the importance of secure coding. You can benefit from OpenBSD's advantages and also support the OpenBSD project by buying a CD. It's also possible, of course, to download OpenBSD freely via FTP.
As has been true for many years, the upcoming annual USENIX conference will include presentation of an OpenBSD security research paper that explains more about an OpenBSD project; in this case, cryptographic hardware. In the meantime, OpenBSD mailing lists are the best way to monitor the details of the OS's security advances.
George Peter Staplin is a student in Utah whose own programming focuses mainly on computer graphics. He works mostly with open-source variants of Unix, including OpenBSD.