Hackers Meet Soldiers

by George Peter Staplin and Cameron Laird
03/13/2003

OpenBSD is widely recognized as "one of those other OSes"--an operating system available, like Linux, without licensing fee, but with its own character distinct from any other OS. Only recently, though, have people begun to learn that the US Defense Advanced Research Projects Agency (DARPA) partially funds the Canadian-based OpenBSD project. Why is the US military paying ideology-driven foreign hackers? What's the effect on development of the OS?

Focused on Security

Independent Alberta-based kernel hacker Theo de Raadt is the creator, overseer, and taskmaster of the OpenBSD project. Security has been a consistent strength of his professional career. While centered in Canada, the OpenBSD operating system team that De Raadt leads includes members from around the world.

OpenBSD has focused on security, reliability, and quality since its launch over 7 years ago. The team follows such standards as POSIX, ANSI, and most of X/Open. Since 1996, formal audits [see sidebar on security and audits] of the base system's source code have further buttressed its reputation for security. Thousands of companies, including Adobe and Network Security Technologies, Inc., use OpenBSD, although many of them keep their choice private for security reasons.

Security and Audits

"Security" and "audit" mean something different to OS programmers than they do in civilian life. Security refers to everything done to protect a system. This certainly concerns "AAA" (authentication, authorization, and accounting) as ways to keep "bad guys" from wreaking havoc, but also involves a variety of expedients, from "Are you sure?" buttons to log files, which protect users from their own mistakes.

An audit is an attested review of quality and integrity performed by an independent professional. OpenBSD reviewers carefully study individual programs and parts of programs, to verify that nothing can go wrong. "Go wrong" here means, for example, that the program doesn't burn its CPU or launch missiles if a user (perhaps accidentally) enters a longer data-field than expected.

Military Contracts

DARPA has funded OpenBSD through a program known as Composable High Assurance Trusted Systems (CHATS). The University of Pennsylvania oversees the specific proposal behind this grant, called Portable Open Source Security Elements (POSSE). The grant money has allowed De Raadt to hire former part-time volunteers as full-time employees. This staffing accelerated development and provided time for the team to report on its research by writing academic papers.

De Raadt answered several questions about the contract for this article. He explained that no development serves only government purposes: "Nearly everything that is being developed is going into the OpenBSD source tree. All of what we do is free. Any changes which do not go into our source tree are a result of discarded work: something went wrong, something was not useful, a semantic is flawed, etc."

Among the OpenBSD implementation projects CHATS has at least partially financed are support for cryptographic hardware, setuid reduction and daemon cleanup, systrace, the stateful OpenBSD packet filter pf, and, most recently, stack protection. Changes implemented through CHATS are likely to migrate to other systems as well. The changes are already licensed as free software, and they follow what De Raadt calls "Unix semantics" for portability. To ensure that the code is well understood and able to be shared, the implementation team has been writing papers about its design and implementation.

Summary of Recent Projects

Even without the detail these formal papers provide, it's possible to understand the essence of the CHATS projects. setuid reductions, for example, increase the precision of operation as a privileged user. Certain code, known as a "setuid program", must be run with heightened security privileges. But if a program runs as root or a similarly privileged identity, any error or exploit has the potential to damage the entire system. Limiting security settings restricts the scope and likelihood of such damage.

The traditional Unix-like security provisions for networking illustrate this principle. These OSes restrict creation of services on the "lower range" of socket ports, such as port 80 for an HTTP server. This means that the user must have special privileges to create a server on these ports. Apache, for example, starts as a privileged user to create a server socket on port 80. It then changes to run as a less powerful user for safety reasons.

OpenBSD reinforces this precaution by changing Apache's root directory (chroot), along with its user identity. So even if a cracker accesses the system, she'll be able to reach only the Apache root directory (typically /var/www), rather than the full filesystem below /, which would likely be accessible with a less secure implementation of Apache.
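The bind-then-drop sequence described above, as an added Python example that is not code from the article or from Apache: the listening socket is created while still root, then the process is confined to its chroot and switched to an unprivileged user, and the drop is verified to be irreversible. It assumes OpenBSD's www user and /var/www chroot, and the `_os` parameter is a hypothetical hook that exists only so the sequence can be exercised without root.

```python
import os
import pwd
import socket

def bind_privileged_port(port, backlog=16):
    """Create the listening socket while still root: ports below 1024 need it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", port))
    s.listen(backlog)
    return s

def drop_privileges(uid, gid, chroot_dir, _os=os):
    """Confine the process to chroot_dir and switch to uid/gid, in the only order
    that works, then prove the drop is irreversible. Returns the steps performed.
    `_os` is a hypothetical hook so the sequence can be exercised without root."""
    steps = []
    _os.chroot(chroot_dir)      # needs root, so it must precede any setuid
    steps.append("chroot")
    _os.chdir("/")              # otherwise the cwd still points outside the jail
    steps.append("chdir")
    _os.setgroups([])           # supplementary groups would otherwise survive the drop
    steps.append("setgroups")
    _os.setgid(gid)             # gid before uid: setgid itself needs root
    steps.append("setgid")
    _os.setuid(uid)
    steps.append("setuid")
    try:                        # any path back to root means the drop did not happen
        _os.setuid(0)
    except PermissionError:
        steps.append("verified")
        return steps
    raise RuntimeError("privilege drop incomplete: process can still become root")

if __name__ == "__main__":
    # Run as root: bind port 80 first, then become the unprivileged www user.
    listener = bind_privileged_port(80)
    pw = pwd.getpwnam("www")    # OpenBSD's web server user; adjust on other systems
    print(drop_privileges(pw.pw_uid, pw.pw_gid, "/var/www"))
    conn, peer = listener.accept()
    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    conn.close()
```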

systrace

The systrace project also manages the relations between programs and the privileges they exercise. systrace uses configuration files to specify the system calls a program may make, and what the system calls--including non-native, emulated calls--may do. This restricts a cracker's ability to use a program for an unintended purpose. A systrace configuration file for named, for example, might declare:

native-fsread: filename eq "/etc/named.conf" then permit

This restricts named to reading only the file that it should read; even if named is compromised somehow, OpenBSD prevents it from being "hijacked" to more dangerous ends.
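To show how such a policy is read and applied, here is an added Python example (not code from the article or from systrace itself) that parses rules in this syntax and decides a system call against them. The policy text is constructed for a named daemon and includes the article's rule plus a few typical ones; the evaluator assumes first-match semantics and denies any call no rule matches, which is what systrace does in automatic mode.

```python
import fnmatch
import re
# Constructed policy for named: the article's rule plus a few typical ones. It follows
# the systrace policy syntax but is not copied from any shipped policy file.
NAMED_POLICY = """
Policy: /usr/sbin/named, Emulation: native
    native-fsread: filename eq "/etc/named.conf" then permit
    native-fsread: filename match "/usr/share/zoneinfo/*" then permit
    native-fswrite: filename eq "/var/run/named.pid" then permit
    native-connect: sockaddr match "inet-*:53" then permit
    native-__sysctl: permit
    native-fswrite: filename match "/etc/*" then deny[eperm]
"""

# <syscall>: [<arg> eq|match "<value>" then] permit|deny[errno]
RULE_RE = re.compile(
    r'^(?P<call>[\w-]+):\s*'
    r'(?:(?P<arg>\w+)\s+(?P<op>eq|match)\s+"(?P<val>[^"]*)"\s+then\s+)?'
    r'(?P<action>permit|deny)(?:\[(?P<errno>\w+)\])?$'
)

def parse_policy(text):
    """Turn policy text into an ordered list of rule dicts; rejects lines it cannot parse."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Policy:"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparsable systrace rule: " + line)
        rules.append(m.groupdict())
    return rules

def evaluate(rules, call, **args):
    """Decide a call: first matching rule wins; unmatched calls are denied (systrace -a)."""
    for r in rules:
        if r["call"] != call:
            continue
        if r["arg"] is None:                      # unconditional rule, e.g. "permit"
            return r["action"], r["errno"]
        value = args.get(r["arg"])
        if value is None:
            continue
        if r["op"] == "eq" and value == r["val"]:
            return r["action"], r["errno"]
        if r["op"] == "match" and fnmatch.fnmatchcase(value, r["val"]):
            return r["action"], r["errno"]
    return "deny", None
```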

systrace expressively and elegantly addresses common security vulnerabilities. We expect to see many system administrators learn and use it soon. Two recent ONLamp articles address systrace in detail: Systrace and Creating Systrace Policies.

pf

The pf packet filter is another powerful tool. It provides the ability to limit port and address access across a network interface, does network translation (NAT/BINAT/redirection), queuing, and other features vital for a server or firewall. Two ONLamp articles about securing small networks with OpenBSD discuss how to use pf: Introducing pf and NAT with pf in OpenBSD 3.3.

Stack Protection

The execution stack is a common target for attack by buffer overflows and other means. (A recent ONLamp article about chroot explored buffer overflows in more detail.) It's characteristic of common hardware architectures that stack modification can allow a cracker to execute malicious code. The OpenBSD team has come up with a combination of defenses that reduces the risk of such exploits. Memory pages and ELF sections have been marked as non-writable and non-executable where possible; this prevents an attacker from writing his own code into memory and executing it. The team has also cooperated in development of ProPolice, a tool originally created by IBM employee Hiroaki Etoh. At runtime, ProPolice checks return addresses and reorganizes variables to make them more difficult to overflow.

Summary

These initiatives, CHATS and POSSE, and OpenBSD programming ingenuity have generated a variety of security advances. OpenBSD's liberal license means that the whole world will have the opportunity to use more secure software. The crack prevention provided by the multitiered approach of stack protection, non-writable/non-executable areas of memory, and setuid reduction should make life more difficult for crackers; and, thus, easier for administrators. The proactive security approach that OpenBSD has used for years is now trickling down into other systems, as big players, including Microsoft, recognize the importance of secure coding. You can benefit from OpenBSD's advantages and also support the OpenBSD project by buying a CD. It's also possible, of course, to download OpenBSD freely via FTP.

As has been true for many years, the upcoming annual USENIX conference will include presentation of an OpenBSD security research paper that explains more about an OpenBSD project; in this case, cryptographic hardware. In the meantime, OpenBSD mailing lists are the best way to monitor the details of the OS's security advances.

George Peter Staplin is a student in Utah whose own programming focuses mainly on computer graphics. He works mostly with open-source variants of Unix, including OpenBSD.

Cameron Laird is the vice president of Phaseit, Inc. and frequently writes for the O'Reilly Network and other publications.


Who else is using OpenBSD?

  • Re: The ideal firewall/router OS
    2003-04-13 18:59:42  anonymous2

    > as long as a literate sysadmin is on hand to apply
    > the rare kernel/userland patches and CVSup/make
    > the few ports packages in use, the system is as
    > bulletproof as any could be expected to be.

    This is exactly the problem: It's too much hassle for me to track and apply and recompile the packages whenever an exploit is found. I want this stuff to happen (semi- or fully) automatically (optionally, of course). Debian's apt-get provides that, most other Linux distros provide it as well by now.
  • The ideal firewall/router OS
    2003-03-17 14:12:16  anonymous2

    Though the server pool at my workplace is roughly a 50/50 mix of RedHat Linux and Windows 2000 Server, I did not hesitate to recommend and implement an OpenBSD x86 based firewall to replace an inflexible, slow older solution. This happily services our 10/100Mbit ethernet fibre link, and chats BGP with the upstream router, so can provide a fully redundant and load balanced internet connection should the need arise for one. The traffic logging and firewalling capabilities of OpenBSD are second to none, and as long as a literate sysadmin is on hand to apply the rare kernel/userland patches and CVSup/make the few ports packages in use, the system is as bulletproof as any could be expected to be.