===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/innovations.html,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -r1.58 -r1.59
--- www/innovations.html 2017/10/31 01:00:45 1.58
+++ www/innovations.html 2017/11/03 10:59:03 1.59
@@ -11,547 +11,796 @@
-
-This is a list of software and ideas developed or maintained by the OpenBSD
-project, sorted in order of approximate introduction. Some of them are
-explained in detail in our research papers.
-
-
+ This is a list of software and ideas developed or maintained by the OpenBSD
+ project, sorted in order of approximate introduction. Some of them are
+ explained in detail in our research papers.
+
-Programs and subsystems
+Concepts
-- ypbind(8),
- ypset(8),
- ypcat(1),
- ypmatch(1),
- ypwhich(1),
- and libc support: Started by Theo de Raadt.
- Imported April 26, 1993 and first released with NetBSD 0.9.
-
- ypserv(8):
- Started by Mats O. Jansson in 1994.
- Imported October 23, 1995 and first released with OpenBSD 2.0.
-
- mopd(8):
- Started by Mats O. Jansson in 1993.
- Imported September 21, 1996 and first released with OpenBSD 2.0.
-
- AnonCVS:
- Designed and implemented by Chuck Cranor and Theo de Raadt in 1995
- (paper,
- slides)
-
- aucat(1):
- Started by Kenneth Stailey.
- Imported January 2, 1997 and first released with OpenBSD 2.1.
- Now maintained by Alexandre Ratchov.
-
- OpenSSH
- including ssh(1),
- scp(1),
- sftp(1),
- ssh-add(1),
- ssh-agent(1),
- ssh-keygen(1),
- sshd(8),
- sftp-server(8):
- Started by Aaron Campbell, Bob Beck, Dug Song, Markus Friedl,
- Niels Provos, and Theo de Raadt
- as a fork of SSH 1.2.12 by Tatu Ylonen.
- Imported September 26, 1999 and first released with OpenBSD 2.6.
- Now maintained by Markus Friedl, Damien Miller, Darren Tucker, and
- Theo de Raadt.
-
- mg(1):
- Started by Dave Conroy in November 1986.
- Imported February 25, 2000 and first released with OpenBSD 2.7.
- Now maintained by Mark Lumsden.
-
- m4(1):
- Originally implemented by Ozan Yigit and Richard A. O'Keefe for 4.3BSD-Reno.
- Considerably extended and maintained by Marc Espie since 1999.
-
- pf(4),
- pfctl(8),
- pflogd(8),
- authpf(8),
- ftp-proxy(8):
- Started by Daniel Hartmeier
- as a replacement for the non-free ipf by Darren Reed.
- Imported June 24, 2001 and first released with OpenBSD 3.0.
- Now maintained by Henning Brauer.
-
- systrace(4),
- systrace(1):
- Started by Niels Provos.
- Imported June 4, 2002 and first released with OpenBSD 3.2.
- Deleted after OpenBSD 5.9 because
- pledge(2) is even better.
-
- spamd(8):
- Written by Bob Beck. Imported December 21, 2002 and first released with OpenBSD 3.3.
-
- dc(1):
- Written and maintained by Otto Moerbeek.
- Imported September 19, 2003 and first released with OpenBSD 3.5.
-
- bc(1):
- Written and maintained by Otto Moerbeek.
- Imported September 25, 2003 and first released with OpenBSD 3.5.
-
- sensorsd(8):
- Started by Henning Brauer.
- Imported September 24, 2003 and first released with OpenBSD 3.5.
- Reworked by Constantine A. Murenin.
-
- pkg_add(1):
- Written and maintained by Marc Espie.
- Imported October 16, 2003 and first released with OpenBSD 3.5.
-
- carp(4):
- Written by Mickey Shalayeff, Markus Friedl, Marco Pfatschbacher,
- and Ryan McBride.
- Imported October 17, 2003 and first released with OpenBSD 3.5.
-
- OpenBGPD
- including bgpd(8)
- and bgpctl(8):
- Written and maintained by Henning Brauer and Claudio Jeker,
- and also maintained by Peter Hessler.
- Imported December 17, 2003 and first released with OpenBSD 3.5.
-
- dhclient(8):
- Started by Ted Lemon and Elliot Poger in 1996.
- Imported January 18, 2004 and first released with OpenBSD 3.5.
- Reworked by Henning Brauer.
- Now maintained by Kenneth Westerback.
-
- dhcpd(8):
- Started by Ted Lemon in 1995.
- Imported April 13, 2004 and first released with OpenBSD 3.6.
- Reworked by Henning Brauer.
- Now maintained by Kenneth Westerback.
-
- hotplugd(8):
- Started by Alexander Yurchenko.
- Imported May 30, 2004 and first released with OpenBSD 3.6.
-
- OpenNTPD
- including ntpd(8)
- and ntpctl(8):
- Written and maintained by Henning Brauer.
- Imported May 31, 2004 and first released with OpenBSD 3.6.
- Portable version maintained by Brent Cook.
-
- dpb(1):
- Started by Nikolay Sturm on August 10, 2004; first available for OpenBSD 3.6.
- Rewritten and maintained by Marc Espie since August 20, 2010.
-
- ospfd(8),
- ospfctl(8):
- Started by Esben Norby and Claudio Jeker.
- Imported January 28, 2005 and first released with OpenBSD 3.7.
-
- ifstated(8):
- Started by Marco Pfatschbacher and Ryan McBride.
- Imported January 23, 2004 and first released with OpenBSD 3.8.
-
- bioctl(8):
- Started by Marco Peereboom.
- Imported March 29, 2005 and first released with OpenBSD 3.8.
-
- hostapd(8):
- Written and maintained by Reyk Floeter.
- Imported May 26, 2005 and first released with OpenBSD 3.8.
-
- watchdogd(8):
- Started by Marc Balmer.
- Imported August 8, 2005 and first released with OpenBSD 3.8.
-
- sdiff(1):
- Written by Ray Lai.
- Imported December 27, 2005 and first released with OpenBSD 3.9.
-
- dvmrpd(8),
- dvmrpctl(8):
- Started by Esben Norby.
- Imported June 1, 2006 and first released with OpenBSD 4.0.
-
- ripd(8),
- ripctl(8):
- Started by Michele Marchetto.
- Imported October 18, 2006 and first released with OpenBSD 4.1.
-
- pkg-config(1):
- Started by Chris Kuethe and Marc Espie.
- Imported November 27, 2006 and first released with OpenBSD 4.1.
- Now maintained by Jasper Lievisse Adriaanse.
-
- relayd(8)
- with relayctl(8):
- Started by Pierre-Yves Ritschard and Reyk Floeter.
- Imported December 16, 2006 and first released with OpenBSD 4.1.
- Now maintained by Reyk Floeter and Sebastian Benoit.
- - cwm(1):
- Started by Marius
- Aamodt Eriksen in 2004.
- Imported April 27, 2007 and first released with OpenBSD 4.2.
- Now maintained by Okan Demirmen.
- Portable version
- maintained by Leah Neukirchen.
-
- ospf6d(8),
- ospf6ctl(8):
- Started by Esben Norby and Claudio Jeker.
- Imported October 8, 2007 and first released with OpenBSD 4.2.
-
- libtool(1):
- Written by Steven Mestdagh and Marc Espie.
- Imported October 28, 2007 and first available for OpenBSD 4.3.
- Now maintained by Marc Espie, Jasper Lievisse Adriaanse,
- and Antoine Jacoutot.
-
- snmpd(8),
- snmpctl(8):
- Started by Reyk Floeter.
- Imported December 5, 2007 and first released with OpenBSD 4.3.
- Maintained by Reyk Floeter and Bret Lambert.
-
- sysmerge(8):
- Written and maintained by Antoine Jacoutot,
- originally forked from mergemaster by Douglas Barton.
- Imported April 22, 2008, first released with OpenBSD 4.4.
-
- ypldap(8):
- Started by Pierre-Yves Ritschard.
- Imported June 26, 2008 and first released with OpenBSD 4.4.
-
- OpenSMTPD
- including smtpd(8),
- smtpctl(8),
- makemap(8):
- Started by Gilles Chehade.
- Imported November 1, 2008 and first released with OpenBSD 4.6.
- Now maintained by Gilles Chehade and Eric Faurot.
-
- tmux,
- tmux(1):
- Started in 2007 and maintained by Nicholas Marriott.
- Imported June 1, 2009, first released with OpenBSD 4.6.
-
- ldpd(8),
- ldpctl(8):
- Started by Michele Marchetto.
- Imported June 1, 2009 and first released with OpenBSD 4.6.
- Now maintained by Claudio Jeker.
-
- mandoc
- including mandoc(1),
- man(1),
- apropos(1),
- makewhatis(8),
- man.cgi(8):
- Started by Kristaps Dzonsons in November 2008.
- Imported April 6, 2009, first released with OpenBSD 4.8.
- Now maintained by Ingo Schwarze.
-
- ldapd(8),
- ldapctl(8):
- Written by Martin Hedenfalk.
- Imported May 31, 2010 and first released with OpenBSD 4.8.
-
- OpenIKED
- including iked(8)
- and ikectl(8):
- Started by Reyk Floeter.
- Imported June 3, 2010 and first released with OpenBSD 4.8.
- Now maintained by Reyk Floeter and Mike Belopuhov.
-
- iscsid(8),
- iscsictl(8):
- Written and maintained by Claudio Jeker.
- Imported September 24, 2010 and first released with OpenBSD 4.9.
-
- rc.d(8),
- rc.subr(8):
- Written and maintained by Robert Nagy and Antoine Jacoutot.
- Imported October 26, 2010 and first released with OpenBSD 4.9.
-
- tftpd(8):
- Written and maintained by David Gwynne.
- Imported March 2, 2012 and first released with OpenBSD 5.2.
-
- npppd(8),
- npppctl(8):
- Started by Internet Initiative Japan Inc.
- Imported January 11, 2010, first released with OpenBSD 5.3.
- Maintained by YASUOKA Masahiko.
-
- ldomd(8),
- ldomctl(8):
- Written and maintained by Mark Kettenis.
- Imported October 26, 2012 and first released with OpenBSD 5.3.
-
- sndiod(8):
- Written and maintained by Alexandre Ratchov.
- Imported November 23, 2012 and first released with OpenBSD 5.3.
-
- cu(1):
- Written and maintained by Nicholas Marriott.
- Imported July 10, 2012 and first released with OpenBSD 5.4.
-
- identd(8):
- Written and maintained by David Gwynne.
- Imported March 18, 2013 and first released with OpenBSD 5.4.
-
- slowcgi(8):
- Written and maintained by Florian Obser.
- Imported May 23, 2013 and first released with OpenBSD 5.4.
-
- signify(1):
- Written and maintained by Ted Unangst.
- Imported December 31, 2013 and first released with OpenBSD 5.5.
-
- htpasswd(1):
- Written and maintained by Florian Obser.
- Imported March 17, 2014 and first released with OpenBSD 5.6.
-
- LibreSSL:
- Started by Ted Unangst, Bob Beck, Joel Sing, Miod Vallat, Philip Guenther,
- and Theo de Raadt on April 13, 2014, as a fork of OpenSSL 1.0.1g.
- First released with OpenBSD 5.6.
- Portable version maintained by Brent Cook.
-
- httpd(8):
- Started by Reyk Floeter.
- Imported July 12, 2014 and first released with OpenBSD 5.6.
- Maintained by Reyk Floeter and Florian Obser.
-
- rcctl(8):
- Written and maintained by Antoine Jacoutot.
- Imported August 19, 2014 and first released with OpenBSD 5.7.
-
- file(1):
- Rewritten from scratch and maintained by Nicholas Marriott.
- Imported April 24, 2015 and first released with OpenBSD 5.8.
-
- doas(1):
- Written and maintained by Ted Unangst.
- Imported July 16, 2015 and first released with OpenBSD 5.8.
-
- radiusd(8):
- Written and maintained by YASUOKA Masahiko.
- Imported July 21, 2015 and first released with OpenBSD 5.8.
-
- eigrpd(8),
- eigrpctl(8):
- Written and maintained by Renato Westphal.
- Imported October 2, 2015 and first released with OpenBSD 5.9.
-
- rebound(8):
- Written and maintained by Ted Unangst.
- Imported October 15, 2015 and first released with OpenBSD 5.9.
-
- vmm(4),
- vmd(8),
- vmctl(8):
- Written and maintained by Mike Larkin and Reyk Floeter.
- Imported November 13, 2015 and first released with OpenBSD 5.9.
-
- pdisk(8):
- Originally written by Eryk Vershen in 1996-1998,
- rewritten and maintained by Kenneth Westerback since January 11, 2016
- and first released with OpenBSD 5.9.
-
- mknod(8):
- Original version from Version 6 AT&T UNIX (1975),
- last rewritten by Marc Espie on March 5, 2016
- and first released with OpenBSD 6.0.
-
- audioctl(1):
- Originally written by Lennart Augustsson in 1997,
- rewritten and maintained by Alexandre Ratchov since June 21, 2016
- and first released with OpenBSD 6.0.
-
- switchd(8),
- switchctl(8):
- Written and maintained by Reyk Floeter.
- Imported July 19, 2016; released with OpenBSD 6.1.
-
- acme-client(1):
- Written by Kristaps Dzonsons, imported August 31, 2016; released
- with OpenBSD 6.1.
-
- syspatch(8):
- Written and maintained by Antoine Jacoutot.
- Imported September 5, 2016; released with OpenBSD 6.1.
-
- ping(8):
- Restructured to include IPv6 functionality and maintained by Florian Obser.
- The separate
- ping6(8)
- was superseded on September 17, 2016,
- and the new, combined version was released with OpenBSD 6.1.
-
- xenodm(1):
- Cleaned-up fork of
- xdm(1)
- maintained by Matthieu Herrb.
- Imported October 23, 2016; released with OpenBSD 6.1.
-
- ocspcheck(8):
- Written and maintained by Bob Beck.
- Imported January 24, 2017; released with OpenBSD 6.1.
-
- slaacd(8):
- Written and maintained by Florian Obser.
- Imported March 18, 2017; released with OpenBSD 6.2.
+
-
+ ipsec(4):
+ Started by John Ioannidis, Angelos D. Keromytis, Niels Provos, and
+ Niklas Hallqvist, imported February 20, 1997. OpenBSD was the first
+ free operating system to provide an IPSec stack.
+
+ -
+ inet6(4):
+ First complete integration and adoption of IPv6 led by
+ "Itojun" (Dr. Junichiro Hagino) [WIDE/KAME], Craig Metz [NRL], and
+ Angelos D. Keromytis starting Jan 6, 1999.
+ Almost fully operational Jun 6, 1999 during the
+ first OpenBSD hackathon.
+ OpenBSD 2.7.
+
+ -
+ Privilege separation:
+ First implemented by
+ Niels Provos
+ and Markus Friedl in OpenSSH in March 2002, released with OpenBSD 3.2.
+ The concept is now used in many OpenBSD programs, for example
+ bgpd(8),
+ dhclient(8),
+ dhcpd(8),
+ dvmrpd(8),
+ eigrpd(8),
+ file(1),
+ httpd(8),
+ iked(8),
+ ldapd(8),
+ ldpd(8),
+ mountd(8),
+ npppd(8),
+ ntpd(8),
+ ospfd(8),
+ ospf6d(8),
+ pflogd(8),
+ radiusd(8),
+ relayd(8),
+ ripd(8),
+ script(1),
+ smtpd(8),
+ syslogd(8),
+ tcpdump(8),
+ tmux(1),
+ xconsole(1),
+ xdm(1),
+ Xserver(1),
+ ypldap(8),
+ pkg_add(1),
+ etc.
+
+ -
+ Privilege revocation:
+ Related to the work on privilege separation, some programs were refactored
+ to drop privileges while holding onto a tricky resource such as a raw socket,
+ reserved port, or modification-locked bpf(4) descriptor,
+ for example
+ ping(8),
+ traceroute(8),
+ etc.
+
+ -
+ Stack protector:
+ Developed since 2001 as "propolice" by Hiroaki Etoh. Integrated, and
+ implemented for additional hardware platforms, by Miod Vallat and Theo
+ de Raadt. OpenBSD 3.3 was the first operating system to enable it
+ systemwide by default.
+
+ -
+ W^X:
+ First used for sparc, sparc64, alpha, and hppa in OpenBSD 3.3.
+ Strictly enforced by default since OpenBSD 6.0: a program can only
+ violate it if the executable is marked with
PT_OPENBSD_WXNEEDED
+ and it is located on a filesystem mounted with the wxallowed
+ mount(8) option.
+
+ -
+ GOT and PLT protection by ld.so:
+ first done as part of the W^X work in OpenBSD 3.3, by Dale Rahn and
+ Theo de Raadt. The GOT and PLT regions are read-only outside of ld.so
+ itself. Extended to the .init/.fini sections (constructors and
+ destructors) in OpenBSD 3.4.
+
+ -
+ ASLR:
+ OpenBSD 3.4 was the first widely used operating system to
+ provide it by default.
+
+ -
+ gcc-local(1)
+ __attribute__((__bounded__)) static analysis annotation
+ and checking mechanism:
+ Started by Anil Madhavapeddy on June 26, 2003
+ and ported to GCC 4 by Nicholas Marriott.
+ First released with OpenBSD 3.4.
+
+ -
+ malloc(3)
+ randomization implemented by Thierry Deval. Guard pages and randomized (delayed) free added by Ted Unangst.
+ Reimplemented by Otto Moerbeek
+ for OpenBSD 4.4.
+
+ -
+ PIE:
+ OpenBSD 5.3 was the first widely used operating system to enable it
+ globally by default, on seven hardware platforms.
+
+ -
+ Random-data memory:
+ the ability to specify that a variable should be initialized at load
+ time with random byte values was implemented in OpenBSD 5.3 by Matthew
+ Dempsky.
+
+ -
+ Stack protector per shared object:
+ using the random-data memory feature, each shared object was given its
+ own stack protector cookie in OpenBSD 5.3 by Matthew Dempsky.
+
+ -
+ Static-PIE:
+ Position-independent static binaries for /bin, /sbin and ramdisks.
+ First released with OpenBSD 5.7.
+
+ -
+ SROP
+ (sigreturn(2)
+ oriented programming) mitigation: Researched by
+ Eric Bosman
+ and Herbert Bos in 2014, implemented by Theo de Raadt in May 2016,
+ enabled by default since OpenBSD 6.0.
+
+ -
+ Library order randomization:
+ In rc(8), re-link
+
libc.so
, libcrypto
, and ld.so
+ on startup, placing the objects in a random order.
+ Theo de Raadt and Robert Peichaer, May 2016,
+ enabled by default since OpenBSD 6.0 and 6.2.
+
+ -
+ Kernel-assisted lazy-binding for W^X safety in multi-threaded programs.
+ A new syscall kbind(2)
+ permits lazy-binding to be W^X safe in multi-threaded programs.
+ Implemented for OpenBSD 5.9 by Philip Guenther in July 2015.
+
+ -
+ Process layouts in memory tightened to remove execute permission from
+ all segmented, non-instruction data and to remove write permission from
+ data that is only modified during loading and relocation.
+ By combining the RELRO (Read-Only after Relocation) design from the
+ GNU project with the original ASLR work from OpenBSD 3.3 and
+ strict lazy-binding work from OpenBSD 5.9, this is applied to not
+ just a subset of programs and libraries but rather to all programs
+ and libraries.
+ Implemented for OpenBSD 6.1 by Philip Guenther in August 2016.
+
+ -
+ Use of fork+exec in privilege separated programs. The
+ strategy is to give each process a fresh & unique address space for
+ ASLR, stack protector -- as protection against address space discovery attacks.
+ Implemented first by
+ Damien Miller (sshd(8) 2004),
+ Claudio Jeker (bgpd(8), 2015),
+ Eric Faurot (smtpd(8), 2016),
+ Rafael Zalamena (various, 2016), and others.
+
+ -
+ trapsleds:
+ Reduction of incidental NOP instructions/sequences in the instruction
+ stream which could be useful potentially for ROP attack methods to
+ innaccurately target gadgets. These NOP sequences are converted into
+ trap sequences where possible. Todd Mortimer and Theo de Raadt, June
+ 2017.
+
+ -
+ Kernel relinking at boot:
+ the .o files of the kernel are relinked in random order from a
+ link-kit, before every reboot. This provides substantial interior
+ randomization in the kernel's text and data segments for layout and
+ relative branches/calls. Basically a unique address space for each
+ kernel boot, similar to the userland fork+exec model described above
+ but for the kernel. Theo de Raadt, June 2017.
+
-Concepts
+Functions
-- ipsec(4):
- Started by John Ioannidis, Angelos D. Keromytis, Niels Provos, and
- Niklas Hallqvist, imported February 20, 1997. OpenBSD was the first
- free operating system to provide an IPSec stack.
-
- inet6(4):
- First complete integration and adoption of IPv6 led by
- "Itojun" (Dr. Junichiro Hagino) [WIDE/KAME], Craig Metz [NRL], and
- Angelos D. Keromytis starting Jan 6, 1999.
- Almost fully operational Jun 6, 1999 during the
- first OpenBSD hackathon.
- OpenBSD 2.7.
-
- Privilege separation:
- First implemented by
- Niels Provos
- and Markus Friedl in OpenSSH in March 2002, released with OpenBSD 3.2.
- The concept is now used in many OpenBSD programs, for example
- bgpd(8),
- dhclient(8),
- dhcpd(8),
- dvmrpd(8),
- eigrpd(8),
- file(1),
- httpd(8),
- iked(8),
- ldapd(8),
- ldpd(8),
- mountd(8),
- npppd(8),
- ntpd(8),
- ospfd(8),
- ospf6d(8),
- pflogd(8),
- radiusd(8),
- relayd(8),
- ripd(8),
- script(1),
- smtpd(8),
- syslogd(8),
- tcpdump(8),
- tmux(1),
- xconsole(1),
- xdm(1),
- Xserver(1),
- ypldap(8),
- pkg_add(1),
- etc.
-
- Privilege revocation:
- Related to the work on privilege separation, some programs were refactored
- to drop privileges while holding onto a tricky resource such as a raw socket,
- reserved port, or modification-locked bpf(4) descriptor,
- for example
- ping(8),
- traceroute(8),
- etc.
-
- Stack protector: Developed since 2001 as "propolice" by Hiroaki Etoh.
- Integrated, and implemented for additional hardware platforms,
- by Miod Vallat and Theo de Raadt. OpenBSD 3.3 was the first operating
- system to enable it systemwide by default.
-
- W^X: First used for sparc, sparc64, alpha, and hppa in OpenBSD 3.3.
- Strictly enforced by default since OpenBSD 6.0: a program can only
- violate it if the executable is marked with
PT_OPENBSD_WXNEEDED
- and it is located on a filesystem mounted with the wxallowed
- mount(8) option.
- - GOT and PLT protection by ld.so: first done as part of the W^X
- work in OpenBSD 3.3, by Dale Rahn and Theo de Raadt.
- The GOT and PLT regions are read-only outside of ld.so itself.
- Extended to the .init/.fini sections (constructors and destructors)
- in OpenBSD 3.4.
-
- ASLR: OpenBSD 3.4 was the first widely used operating system to
- provide it by default.
-
- gcc-local(1)
- __attribute__((__bounded__)) static analysis annotation
- and checking mechanism:
- Started by Anil Madhavapeddy on June 26, 2003
- and ported to GCC 4 by Nicholas Marriott.
- First released with OpenBSD 3.4.
-
- malloc(3)
- randomization implemented by Thierry Deval. Guard pages and randomized (delayed) free added by Ted Unangst.
- Reimplemented by Otto Moerbeek
- for OpenBSD 4.4.
-- PIE: OpenBSD 5.3 was the first widely used operating system to enable
- it globally by default, on seven hardware platforms.
-
- Random-data memory: the ability to specify that a variable
- should be initialized at load time with random byte values was
- implemented in OpenBSD 5.3 by Matthew Dempsky.
-
- Stack protector per shared object: using the random-data memory
- feature, each shared object was given its own stack protector
- cookie in OpenBSD 5.3 by Matthew Dempsky.
-
- Static-PIE: Position-independent static binaries for /bin, /sbin and ramdisks.
- First released with OpenBSD 5.7.
-
- SROP (sigreturn(2)
- oriented programming) mitigation: Researched by
- Eric Bosman
- and Herbert Bos in 2014, implemented by Theo de Raadt in May 2016,
- enabled by default since OpenBSD 6.0.
-
- Library order randomization:
- In rc(8), re-link
-
libc.so
, libcrypto
, and ld.so
- on startup, placing the objects in a random order.
- Theo de Raadt and Robert Peichaer, May 2016,
- enabled by default since OpenBSD 6.0 and 6.2.
- - Kernel-assisted lazy-binding for W^X safety in multi-threaded programs.
- A new syscall kbind(2)
- permits lazy-binding to be W^X safe in multi-threaded programs.
- Implemented for OpenBSD 5.9 by Philip Guenther in July 2015.
-
- Process layouts in memory tightened to remove execute permission from
- all segmented, non-instruction data and to remove write permission from
- data that is only modified during loading and relocation.
- By combining the RELRO (Read-Only after Relocation) design from the
- GNU project with the original ASLR work from OpenBSD 3.3 and
- strict lazy-binding work from OpenBSD 5.9, this is applied to not
- just a subset of programs and libraries but rather to all programs
- and libraries.
- Implemented for OpenBSD 6.1 by Philip Guenther in August 2016.
-
- Use of fork+exec in privilege separated programs. The strategy is to give
- each process a fresh & unique address space for ASLR, stack protector -- as
- protection against address space discovery attacks. Implemented first by
- Damien Miller (sshd(8) 2004),
- Claudio Jeker (bgpd(8), 2015),
- Eric Faurot (smtpd(8), 2016),
- Rafael Zalamena (various, 2016), and others.
-
- trapsleds: Reduction of incidental NOP instructions/sequences in the
- instruction stream which could be useful potentially for ROP attack methods
- to innaccurately target gadgets. These NOP sequences are converted into
- trap sequences where possible. Todd Mortimer and Theo de Raadt, June 2017.
-
- The .o files of the kernel are relinked in random order from a link-kit,
- before every reboot. This provides substantial interior randomization in
- the kernel's text and data segments for layout and relative branches/calls.
- Basically a unique address space for each kernel boot, similar to the userland
- fork+exec model described above but for the kernel. Theo de Raadt, June 2017.
+
-
+ arc4random(3):
+ David Mazieres, December 28, 1996, OpenBSD 2.1
+
+ -
+ bcrypt(3):
+ Implemented by Niels Provos and David Mazieres
+ Imported February 13, 1997 and first released with OpenBSD 2.1.
+
+ -
+ strlcpy(3),
+ strlcat(3):
+ Todd Miller and Theo de Raadt, July 1, 1998, OpenBSD 2.4
+
+ -
+ strtonum(3):
+ Ted Unangst, Todd Miller, and Theo de Raadt, May 3, 2004, OpenBSD 3.6
+
+ -
+ imsg:
+ Message passing API, written by Henning Brauer.
+ In libutil since May 26, 2010, OpenBSD 4.8;
+ used by various daemons before that.
+
+ -
+ timingsafe_bcmp(3):
+ Damien Miller, July 13, 2010, OpenBSD 4.9
+
+ -
+ explicit_bzero(3):
+ Ted Unangst and Matthew Dempsky, January 22, 2014, OpenBSD 5.5
+
+ -
+ ohash:
+ Written and maintained by Marc Espie.
+ In libutil since May 12, 2014, OpenBSD 5.6;
+ used by make(1) and m4(1) before that.
+
+ -
+ asr:
+ Replacement resolver written and maintained by Eric Faurot.
+ Imported April 14, 2012; activated on March 26, 2014, OpenBSD 5.6.
+
+ -
+ reallocarray(3):
+ Theo de Raadt and Ted Unangst, April 22, 2014, OpenBSD 5.6
+
+ -
+ getentropy(2):
+ Matthew Dempsky and Theo de Raadt, June 13, 2014, OpenBSD 5.6
+
+ -
+ sendsyslog(2):
+ Theo de Raadt, July 10, 2014, OpenBSD 5.6
+
+ -
+ timingsafe_memcmp(3):
+ Matthew Dempsky, July 13, 2014, OpenBSD 5.6
+
+ -
+ pledge(2):
+ Theo de Raadt, July 19, 2015, OpenBSD 5.9
+
+ -
+ getpwnam_shadow(3),
+ getpwuid_shadow(3):
+ Ted Unangst and Theo de Raadt, November 18, 2015, OpenBSD 5.9
+
+ -
+ recallocarray(3):
+ Otto Moerbeek, Joel Sing and Theo de Raadt, March 6, 2017, OpenBSD 6.1
+
+ -
+ freezero(3):
+ Otto Moerbeek, April 10, 2017, OpenBSD 6.2
+
-Functions
+Programs and subsystems
+
-- arc4random(3):
- David Mazieres, December 28, 1996, OpenBSD 2.1
-
- bcrypt(3):
- Implemented by Niels Provos and David Mazieres
- Imported February 13, 1997 and first released with OpenBSD 2.1.
-
- strlcpy(3),
- strlcat(3):
- Todd Miller and Theo de Raadt, July 1, 1998, OpenBSD 2.4
-
- strtonum(3):
- Ted Unangst, Todd Miller, and Theo de Raadt, May 3, 2004, OpenBSD 3.6
-
- imsg:
- Message passing API, written by Henning Brauer.
- In libutil since May 26, 2010, OpenBSD 4.8;
- used by various daemons before that.
-
- timingsafe_bcmp(3):
- Damien Miller, July 13, 2010, OpenBSD 4.9
-
- explicit_bzero(3):
- Ted Unangst and Matthew Dempsky, January 22, 2014, OpenBSD 5.5
-
- ohash:
- Written and maintained by Marc Espie.
- In libutil since May 12, 2014, OpenBSD 5.6;
- used by make(1) and m4(1) before that.
-
- asr:
- Replacement resolver written and maintained by Eric Faurot.
- Imported April 14, 2012; activated on March 26, 2014, OpenBSD 5.6.
-
- reallocarray(3):
- Theo de Raadt and Ted Unangst, April 22, 2014, OpenBSD 5.6
-
- getentropy(2):
- Matthew Dempsky and Theo de Raadt, June 13, 2014, OpenBSD 5.6
-
- sendsyslog(2):
- Theo de Raadt, July 10, 2014, OpenBSD 5.6
-
- timingsafe_memcmp(3):
- Matthew Dempsky, July 13, 2014, OpenBSD 5.6
-
- pledge(2):
- Theo de Raadt, July 19, 2015, OpenBSD 5.9
-
- getpwnam_shadow(3),
- getpwuid_shadow(3):
- Ted Unangst and Theo de Raadt, November 18, 2015, OpenBSD 5.9
-
- recallocarray(3):
- Otto Moerbeek, Joel Sing and Theo de Raadt, March 6, 2017, OpenBSD 6.1
-
- freezero(3):
- Otto Moerbeek, April 10, 2017, OpenBSD 6.2
+
-
+ ypbind(8),
+ ypset(8),
+ ypcat(1),
+ ypmatch(1),
+ ypwhich(1),
+ and libc support: Started by Theo de Raadt.
+ Imported April 26, 1993 and first released with NetBSD 0.9.
+
+ -
+ ypserv(8):
+ Started by Mats O. Jansson in 1994.
+ Imported October 23, 1995 and first released with OpenBSD 2.0.
+
+ -
+ mopd(8):
+ Started by Mats O. Jansson in 1993.
+ Imported September 21, 1996 and first released with OpenBSD 2.0.
+
+ -
+ AnonCVS:
+ Designed and implemented by Chuck Cranor and Theo de Raadt in 1995
+ (paper,
+ slides)
+
+ -
+ aucat(1):
+ Started by Kenneth Stailey.
+ Imported January 2, 1997 and first released with OpenBSD 2.1.
+ Now maintained by Alexandre Ratchov.
+
+ -
+ OpenSSH
+ including ssh(1),
+ scp(1),
+ sftp(1),
+ ssh-add(1),
+ ssh-agent(1),
+ ssh-keygen(1),
+ sshd(8),
+ sftp-server(8):
+ Started by Aaron Campbell, Bob Beck, Dug Song, Markus Friedl,
+ Niels Provos, and Theo de Raadt
+ as a fork of SSH 1.2.12 by Tatu Ylonen.
+ Imported September 26, 1999 and first released with OpenBSD 2.6.
+ Now maintained by Markus Friedl, Damien Miller, Darren Tucker, and
+ Theo de Raadt.
+
+ -
+ mg(1):
+ Started by Dave Conroy in November 1986.
+ Imported February 25, 2000 and first released with OpenBSD 2.7.
+ Now maintained by Mark Lumsden.
+
+ -
+ m4(1):
+ Originally implemented by Ozan Yigit and Richard A. O'Keefe for 4.3BSD-Reno.
+ Considerably extended and maintained by Marc Espie since 1999.
+
+ -
+ pf(4),
+ pfctl(8),
+ pflogd(8),
+ authpf(8),
+ ftp-proxy(8):
+ Started by Daniel Hartmeier as a replacement for the non-free ipf by
+ Darren Reed. Imported June 24, 2001 and first released with OpenBSD
+ 3.0. Now maintained by Henning Brauer.
+
+ -
+ systrace(4),
+ systrace(1):
+ Started by Niels Provos.
+ Imported June 4, 2002 and first released with OpenBSD 3.2.
+ Deleted after OpenBSD 5.9 because
+ pledge(2) is even better.
+
+ -
+ spamd(8):
+ Written by Bob Beck. Imported December 21, 2002 and first released with
+ OpenBSD 3.3.
+
+ -
+ dc(1):
+ Written and maintained by Otto Moerbeek.
+ Imported September 19, 2003 and first released with OpenBSD 3.5.
+
+ -
+ bc(1):
+ Written and maintained by Otto Moerbeek.
+ Imported September 25, 2003 and first released with OpenBSD 3.5.
+
+ -
+ sensorsd(8):
+ Started by Henning Brauer.
+ Imported September 24, 2003 and first released with OpenBSD 3.5.
+ Reworked by Constantine A. Murenin.
+
+ -
+ pkg_add(1):
+ Written and maintained by Marc Espie.
+ Imported October 16, 2003 and first released with OpenBSD 3.5.
+
+ -
+ carp(4):
+ Written by Mickey Shalayeff, Markus Friedl, Marco Pfatschbacher,
+ and Ryan McBride.
+ Imported October 17, 2003 and first released with OpenBSD 3.5.
+
+ -
+ OpenBGPD
+ including bgpd(8)
+ and bgpctl(8):
+ Written and maintained by Henning Brauer and Claudio Jeker,
+ and also maintained by Peter Hessler.
+ Imported December 17, 2003 and first released with OpenBSD 3.5.
+
+ -
+ dhclient(8):
+ Started by Ted Lemon and Elliot Poger in 1996.
+ Imported January 18, 2004 and first released with OpenBSD 3.5.
+ Reworked by Henning Brauer.
+ Now maintained by Kenneth Westerback.
+
+ -
+ dhcpd(8):
+ Started by Ted Lemon in 1995.
+ Imported April 13, 2004 and first released with OpenBSD 3.6.
+ Reworked by Henning Brauer.
+ Now maintained by Kenneth Westerback.
+
+ -
+ hotplugd(8):
+ Started by Alexander Yurchenko.
+ Imported May 30, 2004 and first released with OpenBSD 3.6.
+
+ -
+ OpenNTPD
+ including ntpd(8)
+ and ntpctl(8):
+ Written and maintained by Henning Brauer.
+ Imported May 31, 2004 and first released with OpenBSD 3.6.
+ Portable version maintained by Brent Cook.
+
+ -
+ dpb(1):
+ Started by Nikolay Sturm on August 10, 2004; first available for OpenBSD 3.6.
+ Rewritten and maintained by Marc Espie since August 20, 2010.
+
+ -
+ ospfd(8),
+ ospfctl(8):
+ Started by Esben Norby and Claudio Jeker.
+ Imported January 28, 2005 and first released with OpenBSD 3.7.
+
+ -
+ ifstated(8):
+ Started by Marco Pfatschbacher and Ryan McBride.
+ Imported January 23, 2004 and first released with OpenBSD 3.8.
+
+ -
+ bioctl(8):
+ Started by Marco Peereboom.
+ Imported March 29, 2005 and first released with OpenBSD 3.8.
+
+ -
+ hostapd(8):
+ Written and maintained by Reyk Floeter.
+ Imported May 26, 2005 and first released with OpenBSD 3.8.
+
+ -
+ watchdogd(8):
+ Started by Marc Balmer.
+ Imported August 8, 2005 and first released with OpenBSD 3.8.
+
+ -
+ sdiff(1):
+ Written by Ray Lai.
+ Imported December 27, 2005 and first released with OpenBSD 3.9.
+
+ -
+ dvmrpd(8),
+ dvmrpctl(8):
+ Started by Esben Norby.
+ Imported June 1, 2006 and first released with OpenBSD 4.0.
+
+ -
+ ripd(8),
+ ripctl(8):
+ Started by Michele Marchetto.
+ Imported October 18, 2006 and first released with OpenBSD 4.1.
+
+ -
+ pkg-config(1):
+ Started by Chris Kuethe and Marc Espie.
+ Imported November 27, 2006 and first released with OpenBSD 4.1.
+ Now maintained by Jasper Lievisse Adriaanse.
+
+ -
+ relayd(8)
+ with relayctl(8):
+ Started by Pierre-Yves Ritschard and Reyk Floeter.
+ Imported December 16, 2006 and first released with OpenBSD 4.1.
+ Now maintained by Reyk Floeter and Sebastian Benoit.
+
+ -
+ cwm(1):
+ Started by Marius
+ Aamodt Eriksen in 2004.
+ Imported April 27, 2007 and first released with OpenBSD 4.2.
+ Now maintained by Okan Demirmen.
+ Portable version
+ maintained by Leah Neukirchen.
+
+ -
+ ospf6d(8),
+ ospf6ctl(8):
+ Started by Esben Norby and Claudio Jeker.
+ Imported October 8, 2007 and first released with OpenBSD 4.2.
+
+ -
+ libtool(1):
+ Written by Steven Mestdagh and Marc Espie.
+ Imported October 28, 2007 and first available for OpenBSD 4.3.
+ Now maintained by Marc Espie, Jasper Lievisse Adriaanse,
+ and Antoine Jacoutot.
+
+ -
+ snmpd(8),
+ snmpctl(8):
+ Started by Reyk Floeter.
+ Imported December 5, 2007 and first released with OpenBSD 4.3.
+ Maintained by Reyk Floeter and Bret Lambert.
+
+ -
+ sysmerge(8):
+ Written and maintained by Antoine Jacoutot,
+ originally forked from mergemaster by Douglas Barton.
+ Imported April 22, 2008, first released with OpenBSD 4.4.
+
+ -
+ ypldap(8):
+ Started by Pierre-Yves Ritschard.
+ Imported June 26, 2008 and first released with OpenBSD 4.4.
+
+ -
+ OpenSMTPD
+ including smtpd(8),
+ smtpctl(8),
+ makemap(8):
+ Started by Gilles Chehade.
+ Imported November 1, 2008 and first released with OpenBSD 4.6.
+ Now maintained by Gilles Chehade and Eric Faurot.
+
+ -
+ tmux,
+ tmux(1):
+ Started in 2007 and maintained by Nicholas Marriott.
+ Imported June 1, 2009, first released with OpenBSD 4.6.
+
+ -
+ ldpd(8),
+ ldpctl(8):
+ Started by Michele Marchetto.
+ Imported June 1, 2009 and first released with OpenBSD 4.6.
+ Now maintained by Claudio Jeker.
+
+ -
+ mandoc
+ including mandoc(1),
+ man(1),
+ apropos(1),
+ makewhatis(8),
+ man.cgi(8):
+ Started by Kristaps Dzonsons in November 2008.
+ Imported April 6, 2009, first released with OpenBSD 4.8.
+ Now maintained by Ingo Schwarze.
+
+ -
+ ldapd(8),
+ ldapctl(8):
+ Written by Martin Hedenfalk.
+ Imported May 31, 2010 and first released with OpenBSD 4.8.
+
+ -
+ OpenIKED
+ including iked(8)
+ and ikectl(8):
+ Started by Reyk Floeter.
+ Imported June 3, 2010 and first released with OpenBSD 4.8.
+ Now maintained by Reyk Floeter and Mike Belopuhov.
+
+ -
+ iscsid(8),
+ iscsictl(8):
+ Written and maintained by Claudio Jeker.
+ Imported September 24, 2010 and first released with OpenBSD 4.9.
+
+ -
+ rc.d(8),
+ rc.subr(8):
+ Written and maintained by Robert Nagy and Antoine Jacoutot.
+ Imported October 26, 2010 and first released with OpenBSD 4.9.
+
+ -
+ tftpd(8):
+ Written and maintained by David Gwynne.
+ Imported March 2, 2012 and first released with OpenBSD 5.2.
+
+ -
+ npppd(8),
+ npppctl(8):
+ Started by Internet Initiative Japan Inc.
+ Imported January 11, 2010, first released with OpenBSD 5.3.
+ Maintained by YASUOKA Masahiko.
+
+ -
+ ldomd(8),
+ ldomctl(8):
+ Written and maintained by Mark Kettenis.
+ Imported October 26, 2012 and first released with OpenBSD 5.3.
+
+ -
+ sndiod(8):
+ Written and maintained by Alexandre Ratchov.
+ Imported November 23, 2012 and first released with OpenBSD 5.3.
+
+ -
+ cu(1):
+ Written and maintained by Nicholas Marriott.
+ Imported July 10, 2012 and first released with OpenBSD 5.4.
+
+ -
+ identd(8):
+ Written and maintained by David Gwynne.
+ Imported March 18, 2013 and first released with OpenBSD 5.4.
+
+ -
+ slowcgi(8):
+ Written and maintained by Florian Obser.
+ Imported May 23, 2013 and first released with OpenBSD 5.4.
+
+ -
+ signify(1):
+ Written and maintained by Ted Unangst.
+ Imported December 31, 2013 and first released with OpenBSD 5.5.
+
+ -
+ htpasswd(1):
+ Written and maintained by Florian Obser.
+ Imported March 17, 2014 and first released with OpenBSD 5.6.
+
+ -
+ LibreSSL:
+ Started by Ted Unangst, Bob Beck, Joel Sing, Miod Vallat, Philip Guenther,
+ and Theo de Raadt on April 13, 2014, as a fork of OpenSSL 1.0.1g.
+ First released with OpenBSD 5.6.
+ Portable version maintained by Brent Cook.
+
+ -
+ httpd(8):
+ Started by Reyk Floeter.
+ Imported July 12, 2014 and first released with OpenBSD 5.6.
+ Maintained by Reyk Floeter and Florian Obser.
+
+ -
+ rcctl(8):
+ Written and maintained by Antoine Jacoutot.
+ Imported August 19, 2014 and first released with OpenBSD 5.7.
+
+ -
+ file(1):
+ Rewritten from scratch and maintained by Nicholas Marriott.
+ Imported April 24, 2015 and first released with OpenBSD 5.8.
+
+ -
+ doas(1):
+ Written and maintained by Ted Unangst.
+ Imported July 16, 2015 and first released with OpenBSD 5.8.
+
+ -
+ radiusd(8):
+ Written and maintained by YASUOKA Masahiko.
+ Imported July 21, 2015 and first released with OpenBSD 5.8.
+
+ -
+ eigrpd(8),
+ eigrpctl(8):
+ Written and maintained by Renato Westphal.
+ Imported October 2, 2015 and first released with OpenBSD 5.9.
+
+ -
+ rebound(8):
+ Written and maintained by Ted Unangst.
+ Imported October 15, 2015 and first released with OpenBSD 5.9.
+
+ -
+ vmm(4),
+ vmd(8),
+ vmctl(8):
+ Written and maintained by Mike Larkin and Reyk Floeter.
+ Imported November 13, 2015 and first released with OpenBSD 5.9.
+
+ -
+ pdisk(8):
+ Originally written by Eryk Vershen in 1996-1998,
+ rewritten and maintained by Kenneth Westerback since January 11, 2016
+ and first released with OpenBSD 5.9.
+
+ -
+ mknod(8):
+ Original version from Version 6 AT&T UNIX (1975),
+ last rewritten by Marc Espie on March 5, 2016
+ and first released with OpenBSD 6.0.
+
+ -
+ audioctl(1):
+ Originally written by Lennart Augustsson in 1997,
+ rewritten and maintained by Alexandre Ratchov since June 21, 2016
+ and first released with OpenBSD 6.0.
+
+ -
+ switchd(8),
+ switchctl(8):
+ Written and maintained by Reyk Floeter.
+ Imported July 19, 2016; released with OpenBSD 6.1.
+
+ -
+ acme-client(1):
+ Written by Kristaps Dzonsons, imported August 31, 2016; released
+ with OpenBSD 6.1.
+
+ -
+ syspatch(8):
+ Written and maintained by Antoine Jacoutot.
+ Imported September 5, 2016; released with OpenBSD 6.1.
+
+ -
+ ping(8):
+ Restructured to include IPv6 functionality and maintained by Florian Obser.
+ The separate
+ ping6(8)
+ was superseded on September 17, 2016,
+ and the new, combined version was released with OpenBSD 6.1.
+
+ -
+ xenodm(1):
+ Cleaned-up fork of
+ xdm(1)
+ maintained by Matthieu Herrb.
+ Imported October 23, 2016; released with OpenBSD 6.1.
+
+ -
+ ocspcheck(8):
+ Written and maintained by Bob Beck.
+ Imported January 24, 2017; released with OpenBSD 6.1.
+
+ -
+ slaacd(8):
+ Written and maintained by Florian Obser.
+ Imported March 18, 2017; released with OpenBSD 6.2.
+
Projects maintained by OpenBSD developers outside OpenBSD
-- sudo:
- Started by Bob Coggeshall and Cliff Spencer around 1980.
- Imported November 18, 1999, first released with OpenBSD 2.7.
- Now maintained by Todd Miller.
-
- femail:
- Written and maintained by Henning Brauer.
- Started in 2005, port available since September 22, 2005.
-
- midish:
- Written and maintained by Alexandre Ratchov.
- Started in 2003, port available since November 4, 2005.
-
- fdm:
- Written and maintained by Nicholas Marriott.
- Started in 2006, port available since January 18, 2007.
-
- toad:
- Written and maintained by Antoine Jacoutot.
- Started in 2013, port available since October 8, 2013.
-
- portroach:
- Written and maintained by Jasper Lievisse Adriaanse,
- originally forked from FreeBSD's portscout.
- Started in 2014, port available since September 5, 2014.
-
- cvs2gitdump:
- Written and maintained by YASUOKA Masahiko.
- Started in 2012, port available since August 1, 2016.
+
-
+ sudo:
+ Started by Bob Coggeshall and Cliff Spencer around 1980.
+ Imported November 18, 1999, first released with OpenBSD 2.7.
+ Now maintained by Todd Miller.
+
+ -
+ femail:
+ Written and maintained by Henning Brauer.
+ Started in 2005, port available since September 22, 2005.
+
+ -
+ midish:
+ Written and maintained by Alexandre Ratchov.
+ Started in 2003, port available since November 4, 2005.
+
+ -
+ fdm:
+ Written and maintained by Nicholas Marriott.
+ Started in 2006, port available since January 18, 2007.
+
+ -
+ toad:
+ Written and maintained by Antoine Jacoutot.
+ Started in 2013, port available since October 8, 2013.
+
+ -
+ portroach:
+ Written and maintained by Jasper Lievisse Adriaanse,
+ originally forked from FreeBSD's portscout.
+ Started in 2014, port available since September 5, 2014.
+
+ -
+ cvs2gitdump:
+ Written and maintained by YASUOKA Masahiko.
+ Started in 2012, port available since August 1, 2016.
+
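Review bot: The ifstated(8) entry's "Imported January 23, 2004 and first released with OpenBSD 3.8" is inconsistent with the rest of this hunk and should be checked against the CVS log. The entry that ends "Imported May 31, 2004 and first released with OpenBSD 3.6" has a later import date but an earlier release, and the neighbouring ospfd(8) (January 28, 2005, 3.7) and bioctl(8) (March 29, 2005, 3.8) entries were both imported in 2005, so either the year or the release number looks wrong. As a style point, the entries from switchd(8) to slaacd(8) use "Imported ...; released with" and drop "first", while earlier entries use "and first released with" or ", first released with"; one form throughout would read better. The list under "Projects maintained by OpenBSD developers outside OpenBSD" is removed and re-added with the same text, so the markup and indentation change would be easier to review as a separate commit from the content changes.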