With security the focus of this year’s Australian Unix Users Group (AUUG) conference, OpenBSD founder and project lead Theo de Raadt was invited to speak on exploit mitigation techniques. In an exclusive interview with Computerworld’s Rodney Gedda, the man behind an operating system that lays claim to only one remote exploit in the default install in seven years reveals where we are headed – and how far we have to go – in the search for more secure software.
More interesting than this interview are Theo’s slides from his presentation at AUUG04. You can find them here:
http://cvs.openbsd.org/papers/auug04/index.html
Here is an interesting analysis:
http://archives.neohapsis.com/archives/dailydave/2004-q3/0245.html
I recommend even reading parts of the interesting analysis linked by xedx. A lot of it cannot easily be refuted. I think the OpenBSD team have been credited with too much nonce blindly. We need such “analysis” to ensure the sanity of some of the wilder approaches to securing Unix-like systems.
In case anyone’s wondering:
http://www.securityfocus.com/archive/1/141901
I love his approach on things. Closed source, open source, doesn’t matter. Both are open, just more or less, which is exactly how it is.
Security is something which everyone keeps forgetting about (not as in not trying to be, but rather not being). The key to it all though is diversity. Unices run a lot of similar apps on top, and what we see today is 2 different systems: Unices (I include OSX here) and Windows. Sure we have IOS, QNX and so forth, but the dominance is clearly from the first 2 mentioned.
I hope we get to see more safeaware development soon.
Bottom line: a networked PC (or whatever variant) is as secure as the amount of knowledge of the one(s) who made the OS which runs on this particular PC and, last but not least, the knowledge and skill of the one that uses this PC. I think it is very healthy that someone now and then questions some aspects of OS security features/flaws in an objective way and from a technical point of view. I hope this will continue to be a never-ending story.
“In the land of the blind the one-eyed is king or a marketeer”
hope we get to see more safeaware development soon.
I have had a DSL router for a few days. That small box is running its own OS, with a web server for administration.
In other words, other stuff gets more and more computational intelligence. Of course people will use a few OSes but also have a lot of gadgets with advanced OSes on board, including security risks. Thus I doubt it will get easier soon.
Regards,
Marc
We’ve seen in the wild, people who are not running OpenBSD boxes but are making them look like OpenBSD boxes because it will immediately make an attacker say: ‘it’s a waste of my time’.
Ah ah, yeah, sure.
Quentin Garnier.
That “interesting analysis” is a load of crap. 95% of the text is just rants about OpenBSD and its developers. Obviously someone has a personal grudge against them. At the end of the day, is OpenBSD an insecure operating system? Not to my knowledge.
I think Theo misses the point about closed versus open source. He points out, rightly, that with code leaks, closed source is no less vulnerable than open source.
But is open source _more_ secure? Theo’s beloved security audits are just applied use of the “many eyes” principle. I suspect that if phrased that way, Theo would say that OSS is more secure, or at least potentially so.
If Theo still thinks it’s all the same, I’d like to know why.
I disagree, some of the points in the analysis, although heated at times, are valid. And too many people take what Theo and the OpenBSD project do at face value. Theirs is not always the right way.
In terms of holistic security, availability is an essential component… and OpenBSD does not perform well. I don’t believe they have a good balance between ugly hacks and clean performance. (I speak as someone who has had code contributed to OpenBSD.)
Well – as I understand it the security audits are conducted by a core team of developers who know the system intimately. A closed-source OS could theoretically restrict source access to such a team and have similar results.
Hasn’t anyone noticed this?! It’s been on the site for quite some time, but it is incorrect on the main page.
The ‘interesting’ analysis is a simple troll if there is any. Ranting in ‘oh, yeah, sure, you suck hahaha’ style is not what I would call interesting (unless you mean it ironically).
In response to xedx’s link. Oh, one can say – why don’t I refute some of the claims with facts? Well, there is nothing to refute there. It’s simple flaming, and as usual, there are no points to refute, only vague ‘haha, you suck’ kind of comments.
One _remote_ hole (if it’d be a crash it doesn’t count, I think) in 8 years in the default install… which is unusable because it disables everything and installs nothing.
I’d love to see the possible remote holes in a default Debian install (that is, the base system, which as you probably know, has nothing installed). I don’t think it’ll be better than OpenBSD but I don’t think it’ll be too far from 1. The same for other OSes too.
The lesson here is “an OS with an installer which installs nothing and disables everything by default is a secure OS”. Not just OpenBSD. I know OpenBSD cares a lot about security, but that “only one remote hole” is not a great advertisement if you think about it for a second. I bet the OpenBSD guys have better things to show than those crappy reasons.
It’s called humor and sarcasm, it attracts people’s good humor which increases openness to new ideas/products. This is why you open speeches and sales pitches with a joke, or at least put one in somewhere.
It is nice to hear someone talk about putting quality code out there. Microsoft really sucks!
OpenBSD has fewer devs and fewer users than other major OSes, so it has fewer eyes and, as people are considering, it has fewer bugs… the “more eyes, fewer bugs” argument definitely in this case… but…
I think security is much more about commitment _to_ security from the devs and their independence from marketing, selling and other commercial deps….
I’m quite sure MS security guys would tell us the same story… but even if that is true I don’t find any sympathy for them :0)
The great thing about free software is that people who are really interested in and committed to security as an issue can join any of the free software projects….
You can’t code better because of the money you get for it… you can live better from it… that’s why some people who don’t live the best life on earth code much better than people who have big money from coding…. Biggest respect for them….
The source code doesn’t make a difference. You can get the source code for anything today and an attacker can find vulnerabilities. The fact of the matter is, there is no more closed source there is just limited open source.
Very good point! Open source isn’t any more secure than closed source. It’s the quality of the code that matters.
The real problem lies not with software producing companies, but with educational institutions. Every single C class starts by using strcpy and other absolutely useless and deprecated functions. All under the same “but kids need to learn how to do this first, THEN we’ll teach them to write secure code” motto. Which is of course a bad idea… Teaching people bad habits only so they can get rid of them later is a VERY bad idea.
I think it’s about time educational institutions started taking their responsibilities a bit more seriously.
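The strcpy habit the comment above complains about, next to the bounded copy a class could teach instead. This is an added example, not code from the thread or from OpenBSD; `bounded_copy` is a hypothetical helper with strlcpy-like semantics, and `set_username` with its 16-byte buffer is a constructed textbook-style case.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded copy with strlcpy-like semantics (added example, not
 * code from the thread or any project): copies at most dstsize-1 bytes,
 * always NUL-terminates when dstsize > 0, and returns strlen(src) so the
 * caller can compare it against dstsize to detect truncation. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    size_t n;
    if (dstsize == 0)
        return srclen;
    n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* The check strcpy never makes: does src plus its NUL fit in dstsize bytes?
 * Returns 1 if strcpy into such a buffer would write past its end. */
int strcpy_would_overflow(const char *src, size_t dstsize)
{
    return strlen(src) + 1 > dstsize;
}

#define NAME_MAX_LEN 16   /* constructed: a small fixed buffer as in a textbook */

/* Textbook-style setter for untrusted input. strcpy would overrun the buffer
 * on anything longer than 15 bytes; here over-long input is rejected
 * (return -1) and the buffer left empty instead of silently truncated. */
int set_username(char name[NAME_MAX_LEN], const char *input)
{
    if (bounded_copy(name, input, NAME_MAX_LEN) >= NAME_MAX_LEN) {
        name[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    const char *in[] = { "theo", "this_name_is_far_too_long_for_16" }; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-34s overflow=%d set_username=%d\n", in[i],
               strcpy_would_overflow(in[i], NAME_MAX_LEN), set_username(name, in[i]));
    return 0;
}
```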
The ‘interesting’ analysis is a simple troll if there is any.
It was a post to Dave Aitel’s mailing list, which is full of exploit developers rather than self-proclaimed security gurus. Aitel’s list is higher quality than Full Disclosure and many others.
I’d love to see the possible remote holes in a default debian install (this is, the base system, which as you probably know, has nothing installed).
Why not compare to a Debian derivative with an emphasis on security i.e. Adamantix linux.
I know openbsd cares a lot about security, but that “only one remote hole” is not a great advertisement if you think it a second.
This only applies to -current. Older installs of OpenBSD that are unpatched have several holes. And you are right, once you enable daemons, that figure may not apply.
He points out, rightly, that with code leaks, closed source is no less vulnerable than open source.
Especially since closed source can be reverse engineered.
http://www.rootkit.com/uploads/orig00000850.jpg
Those of you who think OpenBSD is overrated:
When was the last time you’ve seen a working remote exploit (except DoS) against the base OpenBSD system? (incl. apache, sendmail, bind, etc.)
The protection in OpenBSD ‘just works’.
lays claim to only one remote exploit in the default install in seven years
Just to clarify, this is pre-authentication remote vulnerabilities in the default install (i.e. with some services disabled) of -current. A remote is of course not necessarily a remote root due to the principle of least privilege, e.g. jails and user level. Local and DoS vulns were not considered in this figure, however they are a factor in the wild.
Several OS are adding “stackguard” type mechanisms, even Server 2003 has a version (albeit a defeatable one). It will be nice once all OS are immune to stack overflows.
I have nothing against OpenBSD, and I’ve used it in the past. You can get a system up and running in minutes via net install. Linux (e.g. Adamantix, Hardened Gentoo) may be worth investigating as well.
When was the last time you’ve seen a working remote exploit (except DoS) against the base OpenBSD system? (incl. apache, sendmail, bind, etc.)
Um, I thought some of those were disabled in the default install. And the 15 bits of entropy can be brute forced if you have a valid remote e.g. for proftpd or other. Granted if you jailed the app, it may be less of an issue. It certainly eliminates the bottom tier of blackhats i.e. script kiddies.
This issue has been beaten to death on Full Disclosure, Daily Dave, and other lists. Older installs of OpenBSD have multiple remotes. This is not even debatable.
Are the vendors paying attention? No, they’re not. That’s all the Linuxes, all the commercial Unixes, and Microsoft. Now, there are exceptions. There are vendors who are starting to learn a bit. There are a few Linux variants that have some copycat – that’s the wrong word for me to use but I’m going to be honest.
Theo, that’s a damned lie and you know it. You didn’t invent stack randomization and jails.
Um, I thought some of those were disabled in the default install.
Yes, they are. That’s why I said ‘base OpenBSD’ instead of default install. I haven’t seen any non-DoS remote exploit against the base system since 3.4, the release in which the i386 stuff was completed.
I truly hope most distros will adopt this thinking; we should default to security and we could strive to make it easy. Like defaulting to always using SSL in Evolution to check mail, defaulting to using SSL for your IM client, using ProPolice, using PaX or exec-shield. Making it easy to encrypt your mail, because now it takes a lot of work and 99% of users can’t figure it out, and the list goes on forever… e.g. why isn’t my hard drive encrypted, and why do the current schemes not take into account that I could be a moron – security is something you learn, but the least we could do was give the user a solid foundation… it’s too damn hard, so much work, so many guides to read… it should just work, and it doesn’t.
Security these days is important and it’s too damn hard to enable it, and there’s so much room for improvement it’s just not funny. Why don’t we consider it a problem?
It boggles my mind to see all these security advisories being posted every day; looking at where the industry was 5 years ago, we haven’t moved much in the right direction.
Why isn’t anyone going over, say, the Linux kernel and throwing away old code? There’s bound to be lots in there we don’t need anymore – it’s just begging to be exploited in some way or form.
It’s sad really, here we are – more CPU power than what NASA used to send man to the moon, and we can’t spare a fraction for that extra bounds check?