Annotation of www/innovations.html, Revision 1.118
1.77 bentley 1: <!doctype html>
2: <html lang=en>
3: <meta charset=utf-8>
4:
1.33 tj 5: <title>OpenBSD: Innovations</title>
1.31 deraadt 6: <meta name="viewport" content="width=device-width, initial-scale=1">
7: <link rel="stylesheet" type="text/css" href="openbsd.css">
1.35 tb 8: <link rel="canonical" href="https://www.openbsd.org/innovations.html">
1.1 schwarze 9:
1.77 bentley 10: <h2 id=OpenBSD>
11: <a href="index.html">
12: <i>Open</i><b>BSD</b></a>
13: Innovations
14: </h2>
1.31 deraadt 15:
16: <hr>
1.32 tj 17: <p>
1.59 job 18: This is a list of software and ideas developed or maintained by the OpenBSD
19: project, sorted in order of approximate introduction. Some of them are
20: explained in detail in our <a href="events.html">research papers</a>.
1.32 tj 21: <hr>
1.1 schwarze 22:
1.59 job 23: <h3>Concepts</h3>
1.1 schwarze 24:
25: <ul>
1.78 deraadt 26: <li><a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a>:
27: Started by John Ioannidis, Angelos D. Keromytis, Niels Provos, and
28: Niklas Hallqvist, imported February 20, 1997. OpenBSD was the first
29: free operating system to provide an IPSec stack.
30: <li><a href="https://man.openbsd.org/inet6.4">inet6(4)</a>:
31: First complete integration and adoption of IPv6 led by
32: "Itojun" (Dr. Junichiro Hagino) [WIDE/KAME], Craig Metz [NRL], and
33: Angelos D. Keromytis starting Jan 6, 1999.
34: Almost fully operational Jun 6, 1999 during the
35: <a href="hackathons.html">first OpenBSD hackathon</a>.
36: OpenBSD 2.7.
37: <li><strong>Privilege separation</strong>:
38: First implemented by
39: <a href="http://www.citi.umich.edu/u/provos/ssh/privsep.html">Niels Provos</a>
40: and Markus Friedl in OpenSSH in March 2002, released with OpenBSD 3.2.
41: The concept is now used in many OpenBSD programs, for example
42: <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
43: <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>,
44: <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>,
45: <a href="https://man.openbsd.org/dvmrpd.8">dvmrpd(8)</a>,
46: <a href="https://man.openbsd.org/eigrpd.8">eigrpd(8)</a>,
47: <a href="https://man.openbsd.org/file.1">file(1)</a>,
48: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>,
49: <a href="https://man.openbsd.org/iked.8">iked(8)</a>,
50: <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>,
51: <a href="https://man.openbsd.org/ldpd.8">ldpd(8)</a>,
52: <a href="https://man.openbsd.org/mountd.8">mountd(8)</a>,
53: <a href="https://man.openbsd.org/npppd.8">npppd(8)</a>,
54: <a href="https://man.openbsd.org/ntpd.8">ntpd(8)</a>,
55: <a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a>,
56: <a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a>,
57: <a href="https://man.openbsd.org/pflogd.8">pflogd(8)</a>,
58: <a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>,
59: <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>,
60: <a href="https://man.openbsd.org/ripd.8">ripd(8)</a>,
61: <a href="https://man.openbsd.org/script.1">script(1)</a>,
62: <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
63: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>,
64: <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>,
65: <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>,
66: <a href="https://man.openbsd.org/xconsole.1">xconsole(1)</a>,
67: <a href="https://man.openbsd.org/xdm.1">xdm(1)</a>,
68: <a href="https://man.openbsd.org/Xserver.1">Xserver(1)</a>,
69: <a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>,
70: <a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>,
71: etc.
72: <li><strong>Privilege revocation</strong>:
73: Related to the work on privilege separation, some programs were refactored
74: to drop privileges while holding onto a tricky resource such as a raw socket,
75: reserved port, or modification-locked bpf(4) descriptor,
76: for example
77: <a href="https://man.openbsd.org/ping.8">ping(8)</a>,
78: <a href="https://man.openbsd.org/traceroute.8">traceroute(8)</a>,
79: etc.
80: <li><strong>Stack protector</strong>:
81: Developed since 2001 as "propolice" by Hiroaki Etoh. Integrated, and
1.109 miod 82: implemented for additional hardware platforms, by Federico G. Schwindt,
83: Miod Vallat and Theo de Raadt. OpenBSD 3.3 was the first operating
84: system to enable it systemwide by default.
1.78 deraadt 85: <li><strong>W^X</strong>:
86: First used for sparc, sparc64, alpha, and hppa in OpenBSD 3.3.
87: Strictly enforced by default since OpenBSD 6.0: a program can only
88: violate it if the executable is marked with <code>PT_OPENBSD_WXNEEDED</code>
89: and it is located on a filesystem mounted with the <code>wxallowed</code>
90: <a href="https://man.openbsd.org/mount.8">mount(8)</a> option.
91: <li><strong>GOT and PLT protection</strong> by ld.so:
92: first done as part of the W^X work in OpenBSD 3.3, by Dale Rahn and
93: Theo de Raadt. The GOT and PLT regions are read-only outside of ld.so
94: itself. Extended to the .init/.fini sections (constructors and
95: destructors) in OpenBSD 3.4.
96: <li><strong>ASLR</strong>:
97: OpenBSD 3.4 was the first widely used operating system to
98: provide it by default.
99: <li><a href="https://man.openbsd.org/gcc-local.1">gcc-local(1)</a>
100: __attribute__((__bounded__)) static analysis annotation
101: and checking mechanism:
102: Started by Anil Madhavapeddy on June 26, 2003
103: and ported to GCC 4 by Nicholas Marriott.
104: First released with OpenBSD 3.4.
105: <li><a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
106: randomization implemented by Thierry Deval. Guard pages and randomized (delayed) free added by Ted Unangst.
107: Reimplemented by <a href="papers/eurobsdcon2009/otto-malloc.pdf">Otto Moerbeek</a>
108: for OpenBSD 4.4.
109: <li><strong>Position-independent executables (PIE)</strong>:
110: OpenBSD 5.3 was the first widely used operating system to enable it
111: globally by default, on seven hardware platforms.
112: Implemented in November 2008 by
113: <a href="https://www.openbsd.org/papers/nycbsdcon08-pie/">Kurt Miller</a>
114: and enabled by default by
115: <a href="https://www.openbsd.org/papers/asiabsdcon2015-pie-slides.pdf">Pascal Stumpf</a>
116: in August 2012.
117: <li><strong>Random-data memory</strong>:
118: the ability to specify that a variable should be initialized
1.68 deraadt 119: at load time with random byte values (placed into a new ELF
120: <b>.openbsd.randomdata</b> section) was implemented in
121: OpenBSD 5.3 by Matthew Dempsky.
1.78 deraadt 122: <li><strong>Stack protector per shared object</strong>:
123: using the random-data memory feature, each shared object was given its
124: own stack protector cookie in OpenBSD 5.3 by Matthew Dempsky.
125: <li><strong>Static-PIE</strong>:
126: Position-independent static binaries for /bin, /sbin and ramdisks.
127: Implemented for OpenBSD 5.7 by Kurt Miller and Mark Kettenis.
128: <li><strong>SROP</strong>
129: (<a href="https://man.openbsd.org/sigreturn.2">sigreturn(2)</a>
130: oriented programming) mitigation: attacks researched by
1.96 tj 131: <a href="https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf">Eric Bosman</a>
1.81 deraadt 132: and Herbert Bos in 2014, solution implemented by Theo de Raadt in May 2016,
1.78 deraadt 133: enabled by default since OpenBSD 6.0.
134: <li><strong>Library order randomization</strong>:
135: In <a href="https://man.openbsd.org/rc.8">rc(8)</a>, re-link
136: <code>libc.so</code>, <code>libcrypto</code>, and <code>ld.so</code>
137: on startup, placing the objects in a random order.
138: Theo de Raadt and Robert Peichaer, May 2016,
139: enabled by default since OpenBSD 6.0 and 6.2.
140: <li>Kernel-assisted lazy-binding for W^X safety in multi-threaded programs.
141: A new syscall <a href="https://man.openbsd.org/kbind.2">kbind(2)</a>
142: permits lazy-binding to be W^X safe in multi-threaded programs.
143: Implemented for OpenBSD 5.9 by Philip Guenther in July 2015.
144: <li>Process layouts in memory tightened to remove execute permission from
145: all segmented, non-instruction data and to remove write permission from
146: data that is only modified during loading and relocation.
147: By combining the RELRO (Read-Only after Relocation) design from the
148: GNU project with the original ASLR work from OpenBSD 3.3 and
149: strict lazy-binding work from OpenBSD 5.9, this is applied to not
150: just a subset of programs and libraries but rather to all programs
151: and libraries.
152: Implemented for OpenBSD 6.1 by Philip Guenther in August 2016.
153: <li>Use of <strong>fork+exec in privilege separated programs</strong>. The
154: strategy is to give each process a fresh & unique address space for
155: ASLR, stack protector -- as protection against address space discovery attacks.
156: Implemented first by
157: Damien Miller (<a href="https://man.openbsd.org/sshd.8">sshd(8)</a> 2004),
158: Claudio Jeker (<a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, 2015),
159: Eric Faurot (<a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>, 2016),
160: Rafael Zalamena (various, 2016), and others.
161: <li><strong>trapsleds</strong>:
162: Reduction of incidental NOP instructions/sequences in the instruction
163: stream which could be useful potentially for ROP attack methods to
164: innaccurately target gadgets. These NOP sequences are converted into
165: trap sequences where possible. Todd Mortimer and Theo de Raadt, June
166: 2017.
1.81 deraadt 167: <li><strong>Kernel relinking at boot</strong>:
1.78 deraadt 168: the .o files of the kernel are relinked in random order from a
169: link-kit, before every reboot. This provides substantial interior
170: randomization in the kernel's text and data segments for layout and
171: relative branches/calls. Basically a unique address space for each
172: kernel boot, similar to the userland fork+exec model described above
173: but for the kernel. Theo de Raadt, June 2017.
1.89 deraadt 174: <li>Rearranged i386/amd64 register allocator order in
1.61 deraadt 175: <a href="https://man.openbsd.org/clang.1">clang(1)</a>
176: to reduce polymorphic RET instructions:
177: Todd Mortimer, November 20, 2017.
1.89 deraadt 178: <li>Reencoding of i386/amd64 instruction sequences to avoid
1.72 mortimer 179: embedded polymorphic RET instructions. Enhancements to
180: <a href="https://man.openbsd.org/clang.1">clang(1)</a>
181: Todd Mortimer, April 28, 2018 and onwards.
1.81 deraadt 182: <li><b>MAP_STACK</b> addition to
1.64 deraadt 183: <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>
184: allows opportunistic verification that the stack-register
185: points at stack memory, therefore catching pivots to non-stack
186: memory (sometimes used in ROP attacks).
187: Theo de Raadt, April 12, 2018.
1.78 deraadt 188: <li><b>RETGUARD</b> is a replacement for the <b>stack-protector</b>
189: which uses a per-function random cookie (located in the read-only ELF
190: <b>.openbsd.randomdata</b> section) to consistency-check the
1.89 deraadt 191: return address on the stack. Implemented for amd64 and arm64
192: by Todd Mortimer in OpenBSD 6.4, for mips64 in OpenBSD 6.7, and
1.98 deraadt 193: powerpc/powerpc64 in OpenBSD 6.9. amd64 system call stubs also
194: protected in OpenBSD 7.3.
1.81 deraadt 195: <li><b>MAP_CONCEAL</b> addition to
1.76 otto 196: <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>
197: disallows memory pages to be written to core dumps, preventing
198: accidental exposure of private information.
199: Theo de Raadt, Mark Kettenis and Scott Soule Cheloha,
200: February 2, 2019.
1.79 deraadt 201: <li>Similar to the opportunistic verification in <b>MAP_STACK</b>,
202: system-calls can no longer be performed from PROT_WRITE memory.
203: Theo de Raadt, June 2, 2019.
1.85 deraadt 204: <li>System calls may only be performed from selected code regions
1.117 deraadt 205: (main program, ld.so, libc.so, and sigtramp). The libc.so region
206: is setup by <a href="https://man.openbsd.org/msyscall.2">msyscall(2)</a>.
207: Theo de Raadt, November 28, 2019.<br>
208: This mechanism was removed because later work on immutable memory +
209: pinned system calls was even better.
1.97 deraadt 210: <li>Permissions (RWX, MAP_STACK, etc) on address space regions can be
211: made immutable, so that <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>,
212: <a href="https://man.openbsd.org/mprotect.2">mprotect(2)</a> or
213: <a href="https://man.openbsd.org/munmap.2">munmap(2)</a> fail with
214: EPERM. Most of the program static address space is now automatically
215: immutable (main program, ld.so, main stack, load-time shared libraries,
216: and dlopen()'d libraries mapped without RTLD_NODELETE). Programmers
217: can request non-immutable static data using the "openbsd.mutable" section,
218: or manually bring immutability to (page aligned heap objects) using
219: <a href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a>.
1.99 deraadt 220: Theo de Raadt, Dec 4, 2022.
221: <li>sshd random relinking at boot. Theo de Raadt. Jan 18, 2023.
1.103 deraadt 222: <li>Some architectures now have non-readable code ("xonly"), both from
1.101 op 223: the perspective of userland reading its own memory, or the kernel
1.103 deraadt 224: trying to read memory in a system call. Many sloppy practices in
1.99 deraadt 225: userland code had to be repaired to allow this. The linker option
1.107 deraadt 226: <b>--execute-only</b> is enabled by default. In order of
1.110 deraadt 227: development: arm64, riscv64, hppa, amd64,
1.107 deraadt 228: powerpc64, powerpc (G5 only), octeon.
1.111 deraadt 229: sparc64 (sun4u only, unfinished).
1.99 deraadt 230: Mark Kettenis, Theo de Raadt, Visa Hankala, Miod Vallat,
1.103 deraadt 231: Dave Voutila, George Koehler in kernel and base, and
232: Theo Buehler, Robert Nagy, Christian Weisgerber in ports.
1.102 deraadt 233: Dec 2022 - Feb 2023, still ongoing.
1.104 deraadt 234: <li>On all architectures which lack hardware-enforcement of xonly,
1.105 deraadt 235: system calls are now prevented from reading (via copyin/copyinst)
236: inside the program's main text, ld.so text, sigtramp text, or
237: libc.so text.
1.104 deraadt 238: Theo de Raadt, Jan 2023.
1.105 deraadt 239: <li>Architectures which lack xonly mmu-enforcement can still benefit
240: from switching to --execute-only binaries if the cpu generates
241: different traps for instruction-fetch versus data-fetch. The
1.108 op 242: VM system will not allow memory to be read before it was
1.105 deraadt 243: executed which is valuable together with library relinking.
1.111 deraadt 244: Architectures switched over include loongson.
1.105 deraadt 245: Theo de Raadt, Feb 2023.
1.115 deraadt 246: <li>ld.so and crt0 register the location of the
247: <a href="https://man.openbsd.org/execve.2">execve(2)</a>
248: libc syscall stub with the kernel using
249: <a href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>,
250: after which the kernel only accepts an execve call from that
251: specific location. Theo de Raadt, Feb 2023. Made redundant by
252: <a href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a>
253: which handles all system calls.
1.112 deraadt 254: <li>Mandatory enforcement of indirect branch targets (BTI on arm64,
255: IBT on Intel amd64), unless a linker flag (-Wl,-z,nobtcfi) requests
256: no enforcement.
1.115 deraadt 257: <li>The kernel and ld.so register the precise entry location of
258: every system call used by a program, as described in the
259: new ELF section <b>.openbsd.syscalls</b> inside ld.so and
260: libc.so. ld.so uses the new syscall
261: <a href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a>
1.116 deraadt 262: to tell the kernel the precise entry location of system calls in libc.so.
263: Since all syscall entries are now known to the kernel, the
264: pininsyscall(SYS_execve) interface becomes redundant.
1.117 deraadt 265: <a href="https://man.openbsd.org/msyscall.2">msyscall(2)</a> mechanism
266: also becomes redundant (and is removed a bit later), because immutable
267: memory + pinsyscalls together are cheaper and more effective targetting.
1.116 deraadt 268: Theo de Raadt, Jan 2024.
1.17 mlarkin 269: </ul>
1.1 schwarze 270:
1.59 job 271: <h3>Functions</h3>
1.1 schwarze 272:
273: <ul>
1.78 deraadt 274: <li><a href="https://man.openbsd.org/issetugid.2">issetugid(2)</a>:
275: Theo de Raadt, August 25, 1996, OpenBSD 2.0
276: <li><a href="https://man.openbsd.org/arc4random.3">arc4random(3)</a>:
277: David Mazieres, December 28, 1996, OpenBSD 2.1
278: <li><a href="https://man.openbsd.org/bcrypt.3">bcrypt(3)</a>:
279: Implemented by <a href="https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node1.html">Niels Provos and David Mazieres</a>
280: Imported February 13, 1997 and first released with OpenBSD 2.1.
281: <li><a href="https://man.openbsd.org/strlcpy.3">strlcpy(3)</a>,
282: <a href="https://man.openbsd.org/strlcat.3">strlcat(3)</a>:
283: Todd Miller and Theo de Raadt, July 1, 1998, OpenBSD 2.4
284: <li><a href="https://man.openbsd.org/strtonum.3">strtonum(3)</a>:
285: Ted Unangst, Todd Miller, and Theo de Raadt, May 3, 2004, OpenBSD 3.6
286: <li><a href="https://man.openbsd.org/imsg_init.3">imsg</a>:
287: Message passing API, written by Henning Brauer.
288: In libutil since May 26, 2010, OpenBSD 4.8;
289: used by various daemons before that.
290: <li><a href="https://man.openbsd.org/timingsafe_bcmp.3">timingsafe_bcmp(3)</a>:
291: Damien Miller, July 13, 2010, OpenBSD 4.9
292: <li><a href="https://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a>:
293: Ted Unangst and Matthew Dempsky, January 22, 2014, OpenBSD 5.5
294: <li><a href="https://man.openbsd.org/ohash_init.3">ohash</a>:
295: Written and maintained by Marc Espie.
296: In libutil since May 12, 2014, OpenBSD 5.6;
297: used by make(1) and m4(1) before that.
298: <li><a href="https://man.openbsd.org/asr_run.3">asr</a>:
299: Replacement resolver written and maintained by Eric Faurot.
300: Imported April 14, 2012; activated on March 26, 2014, OpenBSD 5.6.
301: <li><a href="https://man.openbsd.org/reallocarray.3">reallocarray(3)</a>:
302: Theo de Raadt and Ted Unangst, April 22, 2014, OpenBSD 5.6
303: <li><a href="https://man.openbsd.org/getentropy.2">getentropy(2)</a>:
304: Matthew Dempsky and Theo de Raadt, June 13, 2014, OpenBSD 5.6
305: <li><a href="https://man.openbsd.org/sendsyslog.2">sendsyslog(2)</a>:
306: Theo de Raadt, July 10, 2014, OpenBSD 5.6
307: <li><a href="https://man.openbsd.org/timingsafe_memcmp.3">timingsafe_memcmp(3)</a>:
308: Matthew Dempsky, July 13, 2014, OpenBSD 5.6
309: <li><a href="https://man.openbsd.org/pledge.2">pledge(2)</a>:
310: Theo de Raadt, July 19, 2015, OpenBSD 5.9
311: <li><a href="https://man.openbsd.org/getpwnam_shadow.3">getpwnam_shadow(3)</a>,
312: <a href="https://man.openbsd.org/getpwuid_shadow.3">getpwuid_shadow(3)</a>:
313: Ted Unangst and Theo de Raadt, November 18, 2015, OpenBSD 5.9
314: <li><a href="https://man.openbsd.org/recallocarray.3">recallocarray(3)</a>:
315: Otto Moerbeek, Joel Sing and Theo de Raadt, March 6, 2017, OpenBSD 6.1
316: <li><a href="https://man.openbsd.org/freezero.3">freezero(3)</a>:
317: Otto Moerbeek, April 10, 2017, OpenBSD 6.2
318: <li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a>:
319: Theo de Raadt and Bob Beck, July 13, 2018, OpenBSD 6.4
320: <li><a href="https://man.openbsd.org/malloc_conceal.3">malloc_conceal(3)</a>
1.76 otto 321: and
1.78 deraadt 322: <a href="https://man.openbsd.org/calloc_conceal.3">calloc_conceal(3)</a>:
323: Otto Moerbeek, May 10, 2019, OpenBSD 6.5
1.87 rob 324: <li><a href=https://man.openbsd.org/ober_read_elements.3>ober</a>:
1.82 schwarze 325: ASN.1 basic encoding rules API, written by Claudio Jeker and
326: Reyk Flöter, maintained by Rob Pierce and Martijn van Duren;
327: started in 2006/07, moved to libutil on May 11, 2019, OpenBSD 6.6
1.16 deraadt 328: </ul>
329:
1.59 job 330:
331: <h3>Programs and subsystems</h3>
1.16 deraadt 332:
333: <ul>
1.78 deraadt 334: <li><a href="https://man.openbsd.org/ypbind.8">ypbind(8)</a>,
335: <a href="https://man.openbsd.org/ypset.8">ypset(8)</a>,
336: <a href="https://man.openbsd.org/ypcat.1">ypcat(1)</a>,
337: <a href="https://man.openbsd.org/ypmatch.1">ypmatch(1)</a>,
338: <a href="https://man.openbsd.org/ypwhich.1">ypwhich(1)</a>,
339: and libc support: Started by Theo de Raadt.
340: Imported April 26, 1993 and first released with NetBSD 0.9.
341: <li><a href="https://man.openbsd.org/ypserv.8">ypserv(8)</a>:
342: Started by Mats O. Jansson in 1994.
343: Imported October 23, 1995 and first released with OpenBSD 2.0.
344: <li><a href="https://man.openbsd.org/mopd.8">mopd(8)</a>:
345: Started by Mats O. Jansson in 1993.
346: Imported September 21, 1996 and first released with OpenBSD 2.0.
347: <li><a href="anoncvs.html">AnonCVS</a>:
348: Designed and implemented by Chuck Cranor and Theo de Raadt in 1995
349: (<a href="papers/anoncvs-paper.pdf">paper</a>,
350: <a href="papers/anoncvs-slides.pdf">slides</a>)
351: <li><a href="https://man.openbsd.org/aucat.1">aucat(1)</a>:
352: Started by Kenneth Stailey.
353: Imported January 2, 1997 and first released with OpenBSD 2.1.
354: Now maintained by Alexandre Ratchov.
355: <li><a href="https://www.openssh.com/">OpenSSH</a>
356: including <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
357: <a href="https://man.openbsd.org/scp.1">scp(1)</a>,
358: <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>,
359: <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>,
360: <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
361: <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
362: <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
363: <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>:
364: Started by Aaron Campbell, Bob Beck, Dug Song, Markus Friedl,
365: Niels Provos, and Theo de Raadt
366: as a fork of SSH 1.2.12 by Tatu Ylonen.
367: Imported September 26, 1999 and first released with OpenBSD 2.6.
368: Now maintained by Markus Friedl, Damien Miller, Darren Tucker, and
369: Theo de Raadt.
370: <li><a href="https://man.openbsd.org/mg.1">mg(1)</a>:
371: Started by Dave Conroy in November 1986.
372: Imported February 25, 2000 and first released with OpenBSD 2.7.
373: Now maintained by Mark Lumsden.
374: <li><a href="https://man.openbsd.org/m4.1">m4(1)</a>:
375: Originally implemented by Ozan Yigit and Richard A. O'Keefe for 4.3BSD-Reno.
376: Considerably extended and maintained by Marc Espie since 1999.
377: <li><a href="https://man.openbsd.org/pf.4">pf(4)</a>,
378: <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>,
379: <a href="https://man.openbsd.org/pflogd.8">pflogd(8)</a>,
380: <a href="https://man.openbsd.org/authpf.8">authpf(8)</a>,
381: <a href="https://man.openbsd.org/ftp-proxy.8">ftp-proxy(8)</a>:
382: Started by Daniel Hartmeier as a replacement for the non-free ipf by
383: Darren Reed. Imported June 24, 2001 and first released with OpenBSD
384: 3.0. Now maintained by Henning Brauer.
385: <li><a href="https://man.openbsd.org/OpenBSD-5.9/systrace.4">systrace(4)</a>,
386: <a href="https://man.openbsd.org/OpenBSD-5.9/systrace.1">systrace(1)</a>:
387: Started by Niels Provos.
388: Imported June 4, 2002 and first released with OpenBSD 3.2.
389: Deleted after OpenBSD 5.9 because
390: <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> is even better.
391: <li><a href="https://man.openbsd.org/spamd.8">spamd(8)</a>:
392: Written by Bob Beck. Imported December 21, 2002 and first released with
393: OpenBSD 3.3.
394: <li><a href="https://man.openbsd.org/dc.1">dc(1)</a>:
395: Written and maintained by Otto Moerbeek.
396: Imported September 19, 2003 and first released with OpenBSD 3.5.
397: <li><a href="https://man.openbsd.org/bc.1">bc(1)</a>:
398: Written and maintained by Otto Moerbeek.
399: Imported September 25, 2003 and first released with OpenBSD 3.5.
400: <li><a href="https://man.openbsd.org/sensorsd.8">sensorsd(8)</a>:
401: Started by Henning Brauer.
402: Imported September 24, 2003 and first released with OpenBSD 3.5.
403: Reworked by Constantine A. Murenin.
404: <li><a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>:
405: Written and maintained by Marc Espie.
406: Imported October 16, 2003 and first released with OpenBSD 3.5.
407: <li><a href="https://man.openbsd.org/carp.4">carp(4)</a>:
408: Written by Mickey Shalayeff, Markus Friedl, Marco Pfatschbacher,
409: and Ryan McBride.
410: Imported October 17, 2003 and first released with OpenBSD 3.5.
1.93 tj 411: <li><a href="https://www.openbgpd.org/">OpenBGPD</a>
1.78 deraadt 412: including <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
413: and <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>:
414: Written and maintained by Henning Brauer and Claudio Jeker,
415: and also maintained by Peter Hessler.
416: Imported December 17, 2003 and first released with OpenBSD 3.5.
417: <li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>:
418: Started by Ted Lemon and Elliot Poger in 1996.
419: Imported January 18, 2004 and first released with OpenBSD 3.5.
420: Reworked by Henning Brauer.
421: Now maintained by Kenneth Westerback.
422: <li><a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>:
423: Started by Ted Lemon in 1995.
424: Imported April 13, 2004 and first released with OpenBSD 3.6.
425: Reworked by Henning Brauer.
426: Now maintained by Kenneth Westerback.
427: <li><a href="https://man.openbsd.org/hotplugd.8">hotplugd(8)</a>:
428: Started by Alexander Yurchenko.
429: Imported May 30, 2004 and first released with OpenBSD 3.6.
1.93 tj 430: <li><a href="https://www.openntpd.org/">OpenNTPD</a>
1.78 deraadt 431: including <a href="https://man.openbsd.org/ntpd.8">ntpd(8)</a>
432: and <a href="https://man.openbsd.org/ntpctl.8">ntpctl(8)</a>:
433: Written and maintained by Henning Brauer.
434: Imported May 31, 2004 and first released with OpenBSD 3.6.
435: Portable version maintained by Brent Cook.
436: <li><a href="https://man.openbsd.org/dpb.1">dpb(1)</a>:
437: Started by Nikolay Sturm on August 10, 2004; first available for OpenBSD 3.6.
438: Rewritten and maintained by Marc Espie since August 20, 2010.
439: <li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a>,
440: <a href="https://man.openbsd.org/ospfctl.8">ospfctl(8)</a>:
441: Started by Esben Norby and Claudio Jeker.
442: Imported January 28, 2005 and first released with OpenBSD 3.7.
443: <li><a href="https://man.openbsd.org/ifstated.8">ifstated(8)</a>:
444: Started by Marco Pfatschbacher and Ryan McBride.
445: Imported January 23, 2004 and first released with OpenBSD 3.8.
446: <li><a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>:
447: Started by Marco Peereboom.
448: Imported March 29, 2005 and first released with OpenBSD 3.8.
449: <li><a href="https://man.openbsd.org/hostapd.8">hostapd(8)</a>:
1.88 schwarze 450: Written by Reyk Flöter.
1.78 deraadt 451: Imported May 26, 2005 and first released with OpenBSD 3.8.
452: <li><a href="https://man.openbsd.org/watchdogd.8">watchdogd(8)</a>:
453: Started by Marc Balmer.
454: Imported August 8, 2005 and first released with OpenBSD 3.8.
455: <li><a href="https://man.openbsd.org/sdiff.1">sdiff(1)</a>:
456: Written by Ray Lai.
457: Imported December 27, 2005 and first released with OpenBSD 3.9.
458: <li><a href="https://man.openbsd.org/dvmrpd.8">dvmrpd(8)</a>,
459: <a href="https://man.openbsd.org/dvmrpctl.8">dvmrpctl(8)</a>:
460: Started by Esben Norby.
461: Imported June 1, 2006 and first released with OpenBSD 4.0.
462: <li><a href="https://man.openbsd.org/ripd.8">ripd(8)</a>,
463: <a href="https://man.openbsd.org/ripctl.8">ripctl(8)</a>:
464: Started by Michele Marchetto.
465: Imported October 18, 2006 and first released with OpenBSD 4.1.
466: <li><a href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>:
467: Started by Chris Kuethe and Marc Espie.
468: Imported November 27, 2006 and first released with OpenBSD 4.1.
469: Now maintained by Jasper Lievisse Adriaanse.
470: <li><a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
471: with <a href="https://man.openbsd.org/relayctl.8">relayctl(8)</a>:
1.88 schwarze 472: Started by Pierre-Yves Ritschard and Reyk Flöter.
1.78 deraadt 473: Imported December 16, 2006 and first released with OpenBSD 4.1.
1.118 ! bentley 474: Now maintained by Sebastian Benoit.<br>
1.78 deraadt 475: <li><a href="https://man.openbsd.org/cwm.1">cwm(1)</a>:
1.96 tj 476: Started by <a href="https://monkey.org/~marius/cwm/README">Marius
1.78 deraadt 477: Aamodt Eriksen</A> in 2004.
478: Imported April 27, 2007 and first released with OpenBSD 4.2.
479: Now maintained by Okan Demirmen.
480: <a href="https://github.com/chneukirchen/cwm">Portable version</a>
481: maintained by Leah Neukirchen.
482: <li><a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a>,
483: <a href="https://man.openbsd.org/ospf6ctl.8">ospf6ctl(8)</a>:
484: Started by Esben Norby and Claudio Jeker.
485: Imported October 8, 2007 and first released with OpenBSD 4.2.
486: <li><a href="https://man.openbsd.org/libtool.1">libtool(1)</a>:
487: Written by Steven Mestdagh and Marc Espie.
488: Imported October 28, 2007 and first available for OpenBSD 4.3.
489: Now maintained by Marc Espie, Jasper Lievisse Adriaanse,
490: and Antoine Jacoutot.
1.88 schwarze 491: <li><a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>:
492: Started by Reyk Flöter.
1.78 deraadt 493: Imported December 5, 2007 and first released with OpenBSD 4.3.
1.88 schwarze 494: Now maintained by Martijn van Duren.
1.78 deraadt 495: <li><a href="https://man.openbsd.org/sysmerge.8">sysmerge(8)</a>:
496: Written and maintained by Antoine Jacoutot,
497: originally forked from mergemaster by Douglas Barton.
498: Imported April 22, 2008, first released with OpenBSD 4.4.
499: <li><a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>:
500: Started by Pierre-Yves Ritschard.
501: Imported June 26, 2008 and first released with OpenBSD 4.4.
502: <li><a href="https://www.opensmtpd.org/">OpenSMTPD</a>
503: including <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
504: <a href="https://man.openbsd.org/smtpctl.8">smtpctl(8)</a>,
505: <a href="https://man.openbsd.org/makemap.8">makemap(8)</a>:
506: Started by Gilles Chehade.
507: Imported November 1, 2008 and first released with OpenBSD 4.6.
508: Now maintained by Gilles Chehade and Eric Faurot.
1.96 tj 509: <li><a href="https://tmux.github.io/">tmux</a>,
1.78 deraadt 510: <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>:
511: Started in 2007 and maintained by Nicholas Marriott.
512: Imported June 1, 2009, first released with OpenBSD 4.6.
513: <li><a href="https://man.openbsd.org/ldpd.8">ldpd(8)</a>,
514: <a href="https://man.openbsd.org/ldpctl.8">ldpctl(8)</a>:
515: Started by Michele Marchetto.
516: Imported June 1, 2009 and first released with OpenBSD 4.6.
517: Now maintained by Claudio Jeker.
1.96 tj 518: <li><a href="https://mdocml.bsd.lv/">mandoc</a>
1.78 deraadt 519: including <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>,
520: <a href="https://man.openbsd.org/man.1">man(1)</a>,
521: <a href="https://man.openbsd.org/apropos.1">apropos(1)</a>,
522: <a href="https://man.openbsd.org/makewhatis.8">makewhatis(8)</a>,
523: <a href="https://man.openbsd.org/man.cgi.8">man.cgi(8)</a>:
524: Started by Kristaps Dzonsons in November 2008.
525: Imported April 6, 2009, first released with OpenBSD 4.8.
526: Now maintained by Ingo Schwarze.
527: <li><a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>,
528: <a href="https://man.openbsd.org/ldapctl.8">ldapctl(8)</a>:
529: Written by Martin Hedenfalk.
530: Imported May 31, 2010 and first released with OpenBSD 4.8.
1.96 tj 531: <li><a href="https://www.openiked.org/">OpenIKED</a>
1.78 deraadt 532: including <a href="https://man.openbsd.org/iked.8">iked(8)</a>
533: and <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a>:
1.88 schwarze 534: Started by Reyk Flöter.
1.78 deraadt 535: Imported June 3, 2010 and first released with OpenBSD 4.8.
1.88 schwarze 536: Now maintained by Tobias Heider.
1.78 deraadt 537: <li><a href="https://man.openbsd.org/iscsid.8">iscsid(8)</a>,
538: <a href="https://man.openbsd.org/iscsictl.8">iscsictl(8)</a>:
539: Written and maintained by Claudio Jeker.
540: Imported September 24, 2010 and first released with OpenBSD 4.9.
541: <li><a href="https://man.openbsd.org/rc.d.8">rc.d(8)</a>,
542: <a href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a>:
543: Written and maintained by Robert Nagy and Antoine Jacoutot.
544: Imported October 26, 2010 and first released with OpenBSD 4.9.
545: <li><a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a>:
546: Written and maintained by David Gwynne.
547: Imported March 2, 2012 and first released with OpenBSD 5.2.
548: <li><a href="https://man.openbsd.org/npppd.8">npppd(8)</a>,
549: <a href="https://man.openbsd.org/npppctl.8">npppctl(8)</a>:
550: Started by Internet Initiative Japan Inc.
551: Imported January 11, 2010, first released with OpenBSD 5.3.
552: Maintained by YASUOKA Masahiko.
553: <li><a href="https://man.openbsd.org/ldomd.8">ldomd(8)</a>,
554: <a href="https://man.openbsd.org/ldomctl.8">ldomctl(8)</a>:
555: Written and maintained by Mark Kettenis.
556: Imported October 26, 2012 and first released with OpenBSD 5.3.
557: <li><a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>:
558: Written and maintained by Alexandre Ratchov.
559: Imported November 23, 2012 and first released with OpenBSD 5.3.
560: <li><a href="https://man.openbsd.org/cu.1">cu(1)</a>:
561: Written and maintained by Nicholas Marriott.
562: Imported July 10, 2012 and first released with OpenBSD 5.4.
563: <li><a href="https://man.openbsd.org/identd.8">identd(8)</a>:
564: Written and maintained by David Gwynne.
565: Imported March 18, 2013 and first released with OpenBSD 5.4.
566: <li><a href="https://man.openbsd.org/slowcgi.8">slowcgi(8)</a>:
567: Written and maintained by Florian Obser.
568: Imported May 23, 2013 and first released with OpenBSD 5.4.
569: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>:
1.96 tj 570: Written and maintained by <a href="https://www.tedunangst.com/flak/post/signify">Ted Unangst</a>.
1.78 deraadt 571: Imported December 31, 2013 and first released with OpenBSD 5.5.
572: <li><a href="https://man.openbsd.org/htpasswd.1">htpasswd(1)</a>:
573: Written and maintained by Florian Obser.
574: Imported March 17, 2014 and first released with OpenBSD 5.6.
575: <li><a href="https://www.libressl.org/">LibreSSL</a>:
576: Started by Ted Unangst, Bob Beck, Joel Sing, Miod Vallat, Philip Guenther,
577: and Theo de Raadt on April 13, 2014, as a fork of OpenSSL 1.0.1g.
578: First released with OpenBSD 5.6.
579: Portable version maintained by Brent Cook.
580: <li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a>:
1.88 schwarze 581: Started by Reyk Flöter.
1.78 deraadt 582: Imported July 12, 2014 and first released with OpenBSD 5.6.
583: <li><a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>:
584: Written and maintained by Antoine Jacoutot.
585: Imported August 19, 2014 and first released with OpenBSD 5.7.
586: <li><a href="https://man.openbsd.org/file.1">file(1)</a>:
587: Rewritten from scratch and maintained by Nicholas Marriott.
588: Imported April 24, 2015 and first released with OpenBSD 5.8.
589: <li><a href="https://man.openbsd.org/doas.1">doas(1)</a>:
590: Written and maintained by Ted Unangst.
591: Imported July 16, 2015 and first released with OpenBSD 5.8.
592: <li><a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>:
593: Written and maintained by YASUOKA Masahiko.
594: Imported July 21, 2015 and first released with OpenBSD 5.8.
595: <li><a href="https://man.openbsd.org/eigrpd.8">eigrpd(8)</a>,
596: <a href="https://man.openbsd.org/eigrpctl.8">eigrpctl(8)</a>:
597: Written and maintained by Renato Westphal.
598: Imported October 2, 2015 and first released with OpenBSD 5.9.
599: <li><a href="https://man.openbsd.org/vmm.4">vmm(4)</a>,
600: <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>,
601: <a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>:
1.88 schwarze 602: Written by Mike Larkin and Reyk Flöter.
1.78 deraadt 603: Imported November 13, 2015 and first released with OpenBSD 5.9.
604: <li><a href="https://man.openbsd.org/pdisk.8">pdisk(8)</a>:
605: Originally written by Eryk Vershen in 1996-1998,
606: rewritten and maintained by Kenneth Westerback since January 11, 2016
607: and first released with OpenBSD 5.9.
608: <li><a href="https://man.openbsd.org/mknod.8">mknod(8)</a>:
609: Original version from Version 6 AT&T UNIX (1975),
610: last rewritten by Marc Espie on March 5, 2016
611: and first released with OpenBSD 6.0.
612: <li><a href="https://man.openbsd.org/audioctl.1">audioctl(1)</a>:
613: Originally written by Lennart Augustsson in 1997,
614: rewritten and maintained by Alexandre Ratchov since June 21, 2016
615: and first released with OpenBSD 6.0.
616: <li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>:
617: Written by Kristaps Dzonsons, imported August 31, 2016; released
618: with OpenBSD 6.1.
619: <li><a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a>:
620: Written and maintained by Antoine Jacoutot.
621: Imported September 5, 2016; released with OpenBSD 6.1.
622: <li><a href="https://man.openbsd.org/ping.8">ping(8)</a>:
623: Restructured to include IPv6 functionality and maintained by Florian Obser.
624: The separate
1.81 deraadt 625: <a href="https://man.openbsd.org/OpenBSD-6.0/ping6.8">ping6(8)</a>
1.78 deraadt 626: was superseded on September 17, 2016,
627: and the new, combined version was released with OpenBSD 6.1.
628: <li><a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>:
629: Cleaned-up fork of
630: <a href="https://man.openbsd.org/OpenBSD-6.0/xdm.1">xdm(1)</a>
631: maintained by Matthieu Herrb.
632: Imported October 23, 2016; released with OpenBSD 6.1.
633: <li><a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>:
634: Written and maintained by Bob Beck.
635: Imported January 24, 2017; released with OpenBSD 6.1.
636: <li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>:
637: Written and maintained by Florian Obser.
638: Imported March 18, 2017; released with OpenBSD 6.2.
639: <li><a href="https://man.openbsd.org/rad.8">rad(8)</a>:
640: Written and maintained by Florian Obser.
641: Imported July 10, 2018; released with OpenBSD 6.4.
642: <li><a href="https://man.openbsd.org/unwind.8">unwind(8)</a>:
643: Written and maintained by Florian Obser.
644: Imported January 23, 2019; released with OpenBSD 6.5.
645: <li><a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>:
646: Written by Kristaps Dzonsons.
647: Imported February 10, 2019; released with OpenBSD 6.5.
1.82 schwarze 648: <li><a href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a>:
649: Written by Christian Weisgerber, Florian Obser, and Theo de Raadt.
650: Imported April 25, 2019; released with OpenBSD 6.6.
651: <li><a href="https://man.openbsd.org/snmp.1">snmp(1)</a>:
652: Written and maintained by Martijn van Duren.
653: Imported August 9, 2019; released with OpenBSD 6.6.
654: <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>:
1.113 job 655: Written by Kristaps Dzonsons; maintained by Claudio Jeker,
656: Theo Buehler, and Job Snijders.
1.94 schwarze 657: Imported June 17, 2019; released with OpenBSD 6.7.
1.92 schwarze 658: <li><a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>:
659: Written and maintained by Florian Obser and Theo de Raadt.
660: Imported February 24, 2021; released with OpenBSD 6.9.
661: <li><a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>:
662: Written and maintained by Florian Obser.
663: Imported February 26, 2021; released with OpenBSD 6.9.
1.1 schwarze 664: </ul>
665:
1.11 deraadt 666: <h3>Projects maintained by OpenBSD developers outside OpenBSD</h3>
1.1 schwarze 667:
668: <ul>
1.96 tj 669: <li><a href="https://www.sudo.ws/">sudo</a>:
1.78 deraadt 670: Started by Bob Coggeshall and Cliff Spencer around 1980.
671: Imported November 18, 1999, first released with OpenBSD 2.7.
672: Now maintained by Todd Miller.
673: <li><a href="http://bulabula.org/femail/">femail</a>:
674: Written and maintained by Henning Brauer.
675: Started in 2005, port available since September 22, 2005.
1.96 tj 676: <li><a href="https://www.midish.org/">midish</a>:
1.78 deraadt 677: Written and maintained by Alexandre Ratchov.
678: Started in 2003, port available since November 4, 2005.
679: <li><a href="https://github.com/nicm/fdm">fdm</a>:
680: Written and maintained by Nicholas Marriott.
681: Started in 2006, port available since January 18, 2007.
682: <li><a href="https://github.com/ajacoutot/toad/">toad</a>:
683: Written and maintained by Antoine Jacoutot.
684: Started in 2013, port available since October 8, 2013.
685: <li><a href="https://mandoc.bsd.lv/docbook2mdoc/">docbook2mdoc</a>:
686: Started by Kristaps Dzonsons in 2014, maintained by Ingo Schwarze.
687: Port available since April 3, 2014.
1.96 tj 688: <li><a href="https://jasperla.github.io/portroach/">portroach</a>:
1.78 deraadt 689: Written and maintained by Jasper Lievisse Adriaanse,
690: originally forked from FreeBSD's portscout.
691: Started in 2014, port available since September 5, 2014.
692: <li><a href="https://github.com/yasuoka/cvs2gitdump">cvs2gitdump</a>:
693: Written and maintained by YASUOKA Masahiko.
694: Started in 2012, port available since August 1, 2016.
1.84 stsp 695: <li><a href="https://gameoftrees.org">Game of Trees</a>:
696: Written and maintained by Stefan Sperling.
697: Started in 2017, port available since August 9, 2019.
1.1 schwarze 698: </ul>