BSD DevCenter

Hackers Meet Soldiers

by George Peter Staplin and Cameron Laird
03/13/2003

OpenBSD is widely recognized as "one of those other OSes": an operating system available, like Linux, without licensing fee, but with a character distinct from any other OS. Only recently, though, have people begun to learn that the US Defense Advanced Research Projects Agency (DARPA) partially funds the Canada-based OpenBSD project. Why is the US military paying ideology-driven foreign hackers? What's the effect on development of the OS?

Focused on Security

Independent Alberta-based kernel hacker Theo de Raadt is the creator, overseer, and taskmaster of the OpenBSD project. Security has been a consistent strength of his professional career. While centered in Canada, the OpenBSD team de Raadt leads includes members from around the world.

OpenBSD has focused on security, reliability, and quality since its launch over 7 years ago. The team follows such standards as POSIX, ANSI, and most of X/Open. Since 1996, formal audits [see sidebar on security and audits] of the base system's source code have further buttressed its reputation for security. Thousands of companies, including Adobe and Network Security Technologies, Inc., use OpenBSD, although many of them keep their choice private for security reasons.

Security and Audits

"Security" and "audit" mean something different to OS programmers than they do in civilian life. Security refers to everything done to protect a system. This certainly concerns "AAA" (authentication, authorization, and accounting) as ways to keep "bad guys" from wreaking havoc, but also involves a variety of expedients, from "Are you sure?" buttons to log files, which protect users from their own mistakes.

In civilian life, an audit is an attested review of quality and integrity performed by an independent professional. In OpenBSD's usage it is a systematic reading of the source: reviewers carefully study individual programs and parts of programs to verify that nothing can go wrong. "Go wrong" here means, for example, that the program doesn't spin its CPU or launch missiles if a user (perhaps accidentally) enters a longer data field than the program's buffer was written to hold.

Military Contracts

DARPA has funded OpenBSD through a program known as Composable High Assurance Trusted Systems (CHATS). The University of Pennsylvania oversees the specific proposal behind this grant, called Portable Open Source Security Elements (POSSE). The grant money has allowed De Raadt to hire former part-time volunteers as full-time employees. This staffing accelerated development and provided time for the team to report on its research by writing academic papers.

De Raadt answered several questions about the contract for this article. He explained that no development serves only government purposes: "Nearly everything that is being developed is going into the OpenBSD source tree. All of what we do is free. Any changes which do not go into our source tree are a result of discarded work: something went wrong, something was not useful, a semantic is flawed, etc."

Among the OpenBSD implementation projects CHATS has at least partially financed are support for cryptographic hardware, setuid reduction and daemon cleanup, systrace, the stateful OpenBSD packet filter pf, and, most recently, stack protection. Changes implemented through CHATS are likely to migrate to other systems as well. The changes are already licensed as free software, and they follow what De Raadt calls "Unix semantics" for portability. To ensure that the code is well understood and able to be shared, the implementation team has been writing papers about its design and implementation.

Summary of Recent Projects

Even without the detail these formal papers provide, it's possible to understand the essence of the CHATS projects. setuid reduction, for example, narrows how much of the system runs as a privileged user. A setuid program is one whose executable carries the setuid bit, so it runs with the privileges of the file's owner (typically root) rather than those of the user who invoked it. But if a program runs as root or a similarly privileged identity, any error or exploit in it has the potential to damage the entire system. Reducing the number of setuid programs, and having those that remain give up their privileges as soon as they no longer need them, restricts the scope and likelihood of such damage.

The traditional Unix-like security provisions for networking illustrate this principle. These OSes restrict creation of services on the "lower range" of socket ports (those below 1024), such as port 80 for an HTTP server: only a privileged user may bind a listening socket to one of them. Apache, for example, starts as root to create its server socket on port 80. It then changes to run as a less powerful user, so that the code which actually parses requests arriving from the network does so without root's powers.

OpenBSD reinforces this precaution by changing Apache's root directory (chroot) along with its user identity. So even if a cracker breaks into the server, she'll be able to reach only the files below Apache's root directory (typically /var/www), rather than the full filesystem below /, which would be accessible with a less careful deployment of Apache.
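The sequence just described, bind the privileged port while still root and only then confine and drop, as an added example written for this article rather than code from Apache or from OpenBSD's httpd. The chroot directory /var/www and uid/gid 67 (OpenBSD's www user) are assumptions chosen for illustration, and the program has to be started as root for the privileged steps to succeed. The point of the ordering is that each step needs a privilege the next one removes, and that the drop is checked rather than trusted:

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1, done while still root: bind a listening TCP socket. Ports
 * below 1024 refuse bind() for an unprivileged caller (EACCES), which is
 * the whole reason the daemon has to start privileged. Returns the
 * socket or -1. Loopback only, to keep the example harmless. */
int bind_listen_port(unsigned short port) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
        return -1;
    int one = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one); /* best effort */
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) == -1 || listen(s, 16) == -1) {
        close(s);
        return -1;
    }
    return s;
}

/* Step 2: confine the process to `root` and give up root, in the only
 * order that works. chroot() needs root, so it comes first; chdir("/")
 * follows so the old working directory cannot serve as a path out of
 * the jail; then supplementary groups, primary gid, and uid last, since
 * after setuid() the other calls would be refused. Finally prove the
 * drop is permanent: if the process can get root back, the drop was
 * incomplete. Returns 0 on success, -1 on failure (errno is set by the
 * call that failed). */
int drop_privileges(const char *root, uid_t uid, gid_t gid) {
    if (chroot(root) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (uid != 0 && setuid(0) != -1)
        return -1; /* regained root: real or saved uid was not cleared */
    return 0;
}

int main(void) {
    /* Assumed values: OpenBSD's httpd chroots to /var/www as user www (uid/gid 67). */
    int s = bind_listen_port(80);
    if (s == -1) {
        perror("bind port 80 (must be started as root)");
        return 1;
    }
    if (drop_privileges("/var/www", 67, 67) == -1) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on port 80 as uid %d, chrooted; root is gone for good\n",
           (int)getuid());
    /* The accept() loop would go here, running entirely without privilege. */
    close(s);
    return 0;
}
```

Note the final check in drop_privileges: setuid() called by root clears the real, effective, and saved user IDs together, so a subsequent setuid(0) must fail. A daemon that only lowers its effective uid (for instance with seteuid()) keeps root in the saved uid, and a compromised process can simply ask for it back.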

systrace

The systrace project also manages the relations between programs and the privileges they exercise. systrace uses policy files to specify which system calls a program may make and with what arguments, for non-native, emulated calls as well as native ones. This restricts a cracker's ability to use a program for an unintended purpose. A systrace policy for named, for example, might contain the rule:

native-fsread: filename eq "/etc/named.conf" then permit

Together with the rest of the policy, which names every other call named legitimately makes, this confines named to reading only the files it should read; even if named is compromised somehow, OpenBSD prevents it from being "hijacked" to more dangerous ends.
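A fuller policy in the same notation, as an added illustration written for this article rather than a policy shipped with OpenBSD. The paths and addresses are assumptions chosen for the example, and a real policy for named would have to list the additional reads and writes the daemon performs at startup:

```text
Policy: /usr/sbin/named, Emulation: native
	native-__sysctl: permit
	native-fsread: filename eq "/etc/named.conf" then permit
	native-fsread: filename match "/usr/lib/libc.so.*" then permit
	native-fsread: filename eq "/dev/urandom" then permit
	native-fswrite: filename eq "/dev/null" then permit
	native-bind: sockaddr match "inet-*:53" then permit
	native-connect: sockaddr match "inet-*:53" then permit
	native-fsread: filename eq "/etc/master.passwd" then deny[enoent]
	native-execve: deny[eperm]
```

Run under systrace -a, any call the policy does not mention is denied outright rather than prompting the user, so the permits are what define the program's allowed behaviour. The two deny lines make the intent explicit and choose which error the program sees: a compromised named that tries to read the password file is told the file does not exist, and one that tries to start a shell is refused permission.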

systrace expressively and elegantly addresses common security vulnerabilities. We expect to see many system administrators learn and use it soon. Two recent ONLamp articles address systrace in detail: Systrace and Creating Systrace Policies.

pf

The pf packet filter is another powerful tool. It provides the ability to limit port and address access across a network interface, does network address translation (NAT, bidirectional NAT, and redirection), queuing, and other features vital for a server or firewall. Two ONLamp articles about securing small networks with OpenBSD discuss how to use pf: Introducing pf and NAT with pf in OpenBSD 3.3.

Stack Protection

The execution stack is a common target for attack by buffer overflows and other means. (A recent ONLamp article about chroot explored buffer overflows in more detail.) On common hardware architectures a function's return address sits on the stack just above its local variables, so overflowing a local buffer can overwrite that address and redirect execution to code the attacker supplied. The OpenBSD team has come up with a combination of defenses that reduces the risk of such exploits. Memory pages and ELF sections are marked non-writable or non-executable wherever the hardware permits, so that no page is both writable and executable; this prevents an attacker from writing his own code into memory and then executing it. The team has also cooperated in the development of ProPolice, a compiler extension originally created by IBM employee Hiroaki Etoh. ProPolice places a guard value between a function's local buffers and its return address and checks it before the function returns, aborting the program if the guard has changed; it also reorders local variables so that arrays sit above pointers and other scalars, where an overflow cannot reach them.
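The two ProPolice mechanisms, the guard value and the variable reordering, modelled in plain C as an added example for this article (this is not ProPolice's code; the layouts follow the design described above). Each struct stands in for a stack frame, the unchecked copy stands in for the bug, and the frame-relative write is clamped to the enclosing struct so the model stays well-defined C while still clobbering whatever sits above the buffer. The guard constant is assumed for the model; a real implementation picks a random value when the program starts:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a ProPolice frame: arrays are moved to the top of the locals,
 * directly below the guard, and pointers or other scalars sit below the
 * arrays. An overflow of buf therefore runs into the guard, not callback. */
struct propolice_frame {
    void (*callback)(void);  /* sensitive local, placed BELOW the array */
    char buf[16];            /* overflowable array, placed just under the guard */
    uint32_t guard;          /* checked before the function returns */
};

/* Model of a naive frame: locals in declaration order, so the overflow
 * runs straight into callback and nothing records that it happened. */
struct naive_frame {
    char buf[16];
    void (*callback)(void);
};

#define GUARD_VALUE 0x2F9A4C71u  /* assumed constant; real guards are random per process */

static void original_target(void) {}

/* The bug under study: copy n bytes into buf with no bounds check.
 * Clamped to the enclosing object so the model never writes outside it. */
static void unchecked_copy(void *frame, size_t buf_off, size_t frame_size,
                           const char *in, size_t n) {
    if (n > frame_size - buf_off)
        n = frame_size - buf_off;
    memcpy((unsigned char *)frame + buf_off, in, n);
}

/* Returns 1 if the function pointer survived the copy, 0 if it was clobbered. */
int naive_pointer_survives(const char *in, size_t n) {
    struct naive_frame f;
    f.callback = original_target;
    unchecked_copy(&f, offsetof(struct naive_frame, buf), sizeof f, in, n);
    return f.callback == original_target;
}

/* Same question for the reordered frame: the pointer lives below the array. */
int propolice_pointer_survives(const char *in, size_t n) {
    struct propolice_frame f;
    f.callback = original_target;
    f.guard = GUARD_VALUE;
    unchecked_copy(&f, offsetof(struct propolice_frame, buf), sizeof f, in, n);
    return f.callback == original_target;
}

/* Returns 1 if the guard check would allow the function to return, 0 if
 * ProPolice would abort instead of returning through a smashed frame. */
int propolice_guard_intact(const char *in, size_t n) {
    struct propolice_frame f;
    f.callback = original_target;
    f.guard = GUARD_VALUE;
    unchecked_copy(&f, offsetof(struct propolice_frame, buf), sizeof f, in, n);
    return f.guard == GUARD_VALUE;
}

int main(void) {
    /* Constructed input: 24 bytes into a 16-byte buffer. */
    const char *smash = "AAAAAAAAAAAAAAAAAAAAAAAA";
    printf("naive frame, pointer intact:      %d\n", naive_pointer_survives(smash, 24));
    printf("propolice frame, pointer intact:  %d\n", propolice_pointer_survives(smash, 24));
    printf("propolice frame, guard intact:    %d\n", propolice_guard_intact(smash, 24));
    return 0;
}
```

With the 24-byte input the naive frame loses its function pointer silently, while the reordered frame keeps the pointer and the guard check reports the smash so the program can abort before returning. Neither mechanism stops the overflow itself; together they make it detectable and keep it away from the data an attacker most wants to control.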

Summary

These initiatives, CHATS and POSSE, and OpenBSD programming ingenuity have generated a variety of security advances. OpenBSD's liberal license means that the whole world will have the opportunity to use more secure software. The crack prevention provided by the multitiered approach of stack protection, non-writable/non-executable areas of memory, and setuid reduction should make life more difficult for crackers; and, thus, easier for administrators. The proactive security approach that OpenBSD has used for years is now trickling down into other systems, as big players, including Microsoft, recognize the importance of secure coding. You can benefit from OpenBSD's advantages and also support the OpenBSD project by buying a CD. It's also possible, of course, to download OpenBSD freely via FTP.

As has been true for many years, the upcoming annual USENIX conference will include presentation of an OpenBSD security research paper that explains more about an OpenBSD project; in this case, cryptographic hardware. In the meantime, OpenBSD mailing lists are the best way to monitor the details of the OS's security advances.

George Peter Staplin is a student in Utah whose own programming focuses mainly on computer graphics. He works mostly with open-source variants of Unix, including OpenBSD.

Cameron Laird is the vice president of Phaseit, Inc. and frequently writes for the O'Reilly Network and other publications.

