[ISN] OpenBSD Gets Harder to Crack

From: InfoSec News (isnat_private)
Date: Wed Jun 04 2003 - 00:35:51 PDT


    http://www.eweek.com/article2/0,3959,1111894,00.asp
    
    By Timothy Dyck
    June 2, 2003 
    
    In the security field, nothing is quite as revealing—or as taxing—as
    the passage of time.
    
    By that measure in particular, the OpenBSD development team's OpenBSD
    operating system stands out. The latest OpenBSD 3.3 release, which
    started shipping early last month, arrives with even stronger attack
    defenses coupled with an amazing record of just a single remotely
    exploitable vulnerability in more than seven years, the best security
    track record for any general-purpose operating system around.
    
    eWEEK Labs has used past versions of OpenBSD for a number of years in
    our lab for network firewalls as well as in OpenHack security tests
    and has come to trust the product's rock-solid reliability and
    secure-out-of-the-box configuration. It's free to download or $40 for
    a CD version.
    
    This release improves the package's already-powerful network filtering
    features with the addition of bandwidth preallocation, selective
    traffic prioritization and load balancing.
    
    For network firewall or router deployments, OpenBSD provides a secure,
    easy-to-configure option, while still supporting the deployment of
    general-purpose network server applications such as The Apache
    Software Foundation's HTTP Server or Internet Software Consortium's
    BIND (Berkeley Internet Name Domain) name server. (Apache 1.3.27 and
    BIND 9.2.2 are installed on OpenBSD 3.3 by default.)
    
    Although OpenBSD has a generous set of prebuilt software packages
    available for it (installing KDE, or K Desktop Environment, 3.1 was
    very straightforward), it is not well-supported by commercial server
    software vendors the way Linux, Windows or Solaris is. It also doesn't
    support more than one CPU per server.
    
    Keeping an OpenBSD system up-to-date is also very demanding for system
    administrators. Configuration files in /etc need to be manually
    migrated during version upgrades (which ship every six months), and
    security patches are released only in source code form. A binary patch
    distribution tool would make it much easier to deploy OpenBSD systems
    in larger numbers.
    
    Overflow Attack Protection
    
    OpenBSD 3.3 enables by default ProPolice, an application buffer
    overflow protection mechanism developed by IBM Research. To get this
    protection, users need to compile applications with the
    ProPolice-equipped GNU Compiler Collection compiler that comes with
    OpenBSD or use just the already-protected applications that ship with
    OpenBSD.
    
    OpenBSD 3.3 adds page-level memory permissions (on SPARC, Alpha and
    PA-RISC CPUs) that mark each memory page as either writable or
    executable (but not both at once), to make it harder for an attacker
    to write attack code into a memory location and execute it.
    
    Unfortunately, this feature isn't provided on x86 or PowerPC chips
    yet, although it's planned for the OpenBSD 3.4 release.
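
The writable-or-executable rule described above can be audited from a process's memory map. The following is an added example, not code from the article or from OpenBSD: it assumes the Linux-style /proc/<pid>/maps text layout, the sample map is constructed, and count_wx_violations is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the Linux /proc/<pid>/maps layout (an assumption;
 * the article does not describe how OpenBSD exposes its memory map). */
static const char SAMPLE_MAPS[] =
    "00400000-0044f000 r-xp 00000000 08:01 131 /usr/local/bin/demo\n"
    "0064f000-00651000 rw-p 0004f000 08:01 131 /usr/local/bin/demo\n"
    "7f1c2a000000-7f1c2a021000 rwxp 00000000 00:00 0 \n"
    "7ffd5e1d0000-7ffd5e1f1000 rwxp 00000000 00:00 0 [stack]\n"
    "7ffd5e1f5000-7ffd5e1f7000 r-xp 00000000 00:00 0 [vdso]\n";

/* Count mappings that are writable AND executable at the same time.
 * If first_bad is non-NULL, the first offending line is copied into it. */
int count_wx_violations(const char *maps, char *first_bad, size_t cap)
{
    int bad = 0;
    const char *line = maps;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256], perms[5] = {0};
        size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
        memcpy(buf, line, n);      /* work on one NUL-terminated line */
        buf[n] = '\0';
        /* Field 1 is the address range, field 2 the rwxp permission flags. */
        if (sscanf(buf, "%*s %4s", perms) == 1 &&
            strchr(perms, 'w') && strchr(perms, 'x')) {
            if (bad == 0 && first_bad && cap > 0)
                snprintf(first_bad, cap, "%s", buf);
            bad++;
        }
        line += len + (eol ? 1 : 0);
    }
    return bad;
}

int main(void)
{
    char first[128] = "";
    int n = count_wx_violations(SAMPLE_MAPS, first, sizeof first);
    printf("%d mapping(s) are both writable and executable\n", n);
    if (n > 0)
        printf("first: %s\n", first);
    return 0;
}
```

Under the policy the article describes, a process should report zero such mappings; any line flagged here is a region where injected data could also be run as code.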
    
    The OpenBSD project has made a decision against
    trusted-operating-system-style mandatory access controls that place
    kernel-enforced limits on what particular processes or users can do.  
    "People who use such things build systems which cannot be administered
    later," said Theo de Raadt, OpenBSD project leader, in Calgary,
    Alberta. "I am holding the fort against such complexity."
    
    However, while mandatory access controls do make systems harder to
    administer, we've found the approach a very powerful defense in tests
    and would welcome the option to use these techniques with OpenBSD.
    
    OpenBSD's excellent packet filter, pf, is a big attraction of the
    platform because it provides such comprehensive firewall features
    coupled with a concise yet simple configuration file format.
    
    This release updates pf with traffic-shaping features that let
    administrators devote a set amount of bandwidth or a relative
    percentage of bandwidth to particular types of traffic or particular
    users. It also lets administrators prioritize selected types of
    traffic.
    
    West Coast Technical Director Timothy Dyck is at
    timothy_dyckat_private
    
    
    