| version 1.440, 2019/04/02 12:46:57 |
version 1.441, 2019/05/27 22:55:26 |
|
|
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" |
<!doctype html> |
| "http://www.w3.org/TR/html4/loose.dtd"> |
<html lang=en> |
| <html> |
<meta charset=utf-8> |
| <head> |
|
| <title>OpenBSD: Security</title> |
<title>OpenBSD: Security</title> |
| <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> |
|
| <meta name="copyright" content="This document copyright 1997-2016 by OpenBSD."> |
|
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
<meta name="viewport" content="width=device-width, initial-scale=1"> |
| <link rel="stylesheet" type="text/css" href="openbsd.css"> |
<link rel="stylesheet" type="text/css" href="openbsd.css"> |
| <link rel="canonical" href="https://www.openbsd.org/security.html"> |
<link rel="canonical" href="https://www.openbsd.org/security.html"> |
| </head> |
|
| |
|
| <body bgcolor="#ffffff" text="#000000" link="#23238e"> |
<style> |
| |
h3 { |
| |
color: var(--red); |
| |
} |
| |
</style> |
| |
|
| <h2> |
<h2 id=OpenBSD> |
| <a href="index.html"> |
<a href="index.html"> |
| <i><font color="#0000ff">Open</font></i><font color="#000084">BSD</font></a> |
<i>Open</i><b>BSD</b></a> |
| <font color="#e00000">Security</font> |
Security |
| </h2> |
</h2> |
| |
|
| <hr> |
<hr> |
| <p> |
|
| |
|
| |
<p> |
| For security advisories for specific releases, click below: |
For security advisories for specific releases, click below: |
| |
|
| <p> |
<p> |
| |
|
| <a href="errata21.html">2.1</a>, |
<a href="errata21.html">2.1</a>, |
|
|
| <br> |
<br> |
| <hr> |
<hr> |
| |
|
| <a name="goals"></a> |
|
| <ul> |
<ul> |
| <li><h3><font color="#e00000">Goals</font></h3><p> |
<li><h3 id=goals>Goals</h3> |
| |
|
| |
<p> |
| OpenBSD believes in strong security. Our aspiration is to be NUMBER |
OpenBSD believes in strong security. Our aspiration is to be NUMBER |
| ONE in the industry for security (if we are not already there). Our |
ONE in the industry for security (if we are not already there). Our |
| open software development model permits us to take a more |
open software development model permits us to take a more |
|
|
| able to. We can make changes the vendors would |
able to. We can make changes the vendors would |
| not make. Also, since OpenBSD is exported with <a href=crypto.html> |
not make. Also, since OpenBSD is exported with <a href=crypto.html> |
| cryptography</a>, we are able to take cryptographic approaches towards |
cryptography</a>, we are able to take cryptographic approaches towards |
| fixing security problems.<p> |
fixing security problems. |
| |
|
| <a name="disclosure"></a> |
<li><h3 id=disclosure>Full Disclosure</h3> |
| <li><h3><font color="#e00000">Full Disclosure</font></h3><p> |
|
| |
|
| |
<p> |
| Like many readers of the |
Like many readers of the |
| <a href="https://www.securityfocus.com/archive/1"> |
<a href="https://www.securityfocus.com/archive/1"> |
| BUGTRAQ mailing list</a>, |
BUGTRAQ mailing list</a>, |
| we believe in full disclosure of security problems. In the |
we believe in full disclosure of security problems. In the |
| operating system arena, we were probably the first to embrace |
operating system arena, we were probably the first to embrace |
| the concept. Many vendors, even of free software, still try |
the concept. Many vendors, even of free software, still try |
| to hide issues from their users.<p> |
to hide issues from their users. |
| |
|
| |
<p> |
| Security information moves very fast in cracker circles. On the other |
Security information moves very fast in cracker circles. On the other |
| hand, our experience is that coding and releasing of proper security |
hand, our experience is that coding and releasing of proper security |
| fixes typically requires about an hour of work -- very fast fix |
fixes typically requires about an hour of work — very fast fix |
| turnaround is possible. Thus we think that full disclosure helps the |
turnaround is possible. Thus we think that full disclosure helps the |
| people who really care about security.<p> |
people who really care about security.<p> |
| |
|
| <a name="process"></a> |
<li><h3 id=process>Audit Process</h3> |
| <li><h3><font color="#e00000">Audit Process</font></h3><p> |
|
| |
|
| |
<p> |
| Our security auditing team typically has between six and twelve |
Our security auditing team typically has between six and twelve |
| members who continue to search for and fix new security holes. We |
members who continue to search for and fix new security holes. We |
| have been auditing since the summer of 1996. The process we follow to |
have been auditing since the summer of 1996. The process we follow to |
|
|
| audit, and often source code which had been audited earlier needs |
audit, and often source code which had been audited earlier needs |
| re-auditing with these new flaws in mind. Code often gets audited |
re-auditing with these new flaws in mind. Code often gets audited |
| multiple times, and by multiple people with different auditing |
multiple times, and by multiple people with different auditing |
| skills.<p> |
skills. |
| |
|
| |
<p> |
| Some members of our security auditing team worked for Secure Networks, |
Some members of our security auditing team worked for Secure Networks, |
| the company that made the industry's premier network security scanning |
the company that made the industry's premier network security scanning |
| software package Ballista (Secure Networks got purchased by Network |
software package Ballista (Secure Networks got purchased by Network |
| Associates, Ballista got renamed to Cybercop Scanner, and well...) |
Associates, Ballista got renamed to Cybercop Scanner, and well...) |
| That company did a lot of security research, and thus fit in well |
That company did a lot of security research, and thus fit in well |
| with the OpenBSD stance. OpenBSD passed Ballista's tests with flying |
with the OpenBSD stance. OpenBSD passed Ballista's tests with flying |
| colours since day 1.<p> |
colours since day 1. |
| |
|
| |
<p> |
| Another facet of our security auditing process is its proactiveness. |
Another facet of our security auditing process is its proactiveness. |
| In most cases we have found that the determination of exploitability |
In most cases we have found that the determination of exploitability |
| is not an issue. During our ongoing auditing process we find many |
is not an issue. During our ongoing auditing process we find many |
|
|
| and only months later discovered that the problems were in fact |
and only months later discovered that the problems were in fact |
| exploitable. (Or, more likely someone on |
exploitable. (Or, more likely someone on |
| <a href="https://www.securityfocus.com/archive/1">BUGTRAQ</a> |
<a href="https://www.securityfocus.com/archive/1">BUGTRAQ</a> |
| would report that other operating systems were vulnerable to a `newly |
would report that other operating systems were vulnerable to a <q>newly |
| discovered problem', and then it would be discovered that OpenBSD had |
discovered problem</q>, and then it would be discovered that OpenBSD had |
| been fixed in a previous release). In other cases we have been saved |
been fixed in a previous release). In other cases we have been saved |
| from full exploitability of complex step-by-step attacks because we |
from full exploitability of complex step-by-step attacks because we |
| had fixed one of the intermediate steps. An example of where we |
had fixed one of the intermediate steps. An example of where we |
| managed such a success is the lpd advisory that Secure Networks put out. |
managed such a success is the lpd advisory that Secure Networks put out. |
| <p> |
|
| |
|
| <a name="newtech"></a> |
<li><h3 id=newtech>New Technologies</h3> |
| <li><h3><font color="#e00000">New Technologies</font></h3><p> |
|
| |
|
| |
<p> |
| As we audit source code, we often invent new ways of solving problems. |
As we audit source code, we often invent new ways of solving problems. |
| Sometimes these ideas have been used before in some random application |
Sometimes these ideas have been used before in some random application |
| written somewhere, but perhaps not taken to the degree that we do. |
written somewhere, but perhaps not taken to the degree that we do. |
| <p> |
|
| |
|
| <ul> |
<ul> |
| <li>strlcpy() and strlcat() |
<li>strlcpy() and strlcat() |
|
|
| <li>ProPolice |
<li>ProPolice |
| <li>... <a href="/innovations.html">and others</a> |
<li>... <a href="/innovations.html">and others</a> |
| </ul> |
</ul> |
| <p> |
|
| |
|
| <li><h3><font color="#e00000">The Reward</font></h3><p> |
<li><h3 id=reward>The Reward</h3> |
| |
|
| |
<p> |
| Our proactive auditing process has really paid off. Statements like |
Our proactive auditing process has really paid off. Statements like |
| ``This problem was fixed in OpenBSD about 6 months ago'' have become |
<q>This problem was fixed in OpenBSD about 6 months ago</q> have become |
| commonplace in security forums like |
commonplace in security forums like |
| <a href="https://www.securityfocus.com/archive/1">BUGTRAQ</a>.<p> |
<a href="https://www.securityfocus.com/archive/1">BUGTRAQ</a>. |
| |
|
| |
<p> |
| The most intense part of our security auditing happened immediately |
The most intense part of our security auditing happened immediately |
| before the OpenBSD 2.0 release and during the 2.0->2.1 transition, |
before the OpenBSD 2.0 release and during the 2.0→2.1 transition, |
| over the last third of 1996 and first half of 1997. Thousands (yes, |
over the last third of 1996 and first half of 1997. Thousands (yes, |
| thousands) of security issues were fixed rapidly over this year-long |
thousands) of security issues were fixed rapidly over this year-long |
| period; bugs like the standard buffer overflows, protocol |
period; bugs like the standard buffer overflows, protocol |
|
|
| fixing for our 2.2 release. We do not find as many problems anymore, |
fixing for our 2.2 release. We do not find as many problems anymore, |
| it is simply a case of diminishing returns. Recently the security |
it is simply a case of diminishing returns. Recently the security |
| problems we find and fix tend to be significantly more obscure or |
problems we find and fix tend to be significantly more obscure or |
| complicated. Still we will persist for a number of reasons:<p> |
complicated. Still we will persist for a number of reasons: |
| |
|
| <ul> |
<ul> |
| <li>Occasionally we find a simple problem we missed earlier. Doh! |
<li>Occasionally we find a simple problem we missed earlier. Doh! |
|
|
| <li>Finding and fixing subtle flaws in complicated software is |
<li>Finding and fixing subtle flaws in complicated software is |
| a lot of fun. |
a lot of fun. |
| </ul> |
</ul> |
| <p> |
|
| |
|
| |
<p> |
| The auditing process is not over yet, and as you can see we continue |
The auditing process is not over yet, and as you can see we continue |
| to find and fix new security flaws.<p> |
to find and fix new security flaws. |
| |
|
| <a name="default"></a> |
<li><h3 id=default><q>Secure by Default</q></h3> |
| <li><h3><font color="#e00000">"Secure by Default"</font></h3><p> |
|
| |
|
| |
<p> |
| To ensure that novice users of OpenBSD do not need to become security |
To ensure that novice users of OpenBSD do not need to become security |
| experts overnight (a viewpoint which other vendors seem to have), we |
experts overnight (a viewpoint which other vendors seem to have), we |
| ship the operating system in a Secure by Default mode. All non-essential |
ship the operating system in a Secure by Default mode. All non-essential |
| services are disabled. As the user/administrator becomes more familiar |
services are disabled. As the user/administrator becomes more familiar |
| with the system, he will discover that he has to enable daemons and other |
with the system, he will discover that he has to enable daemons and other |
| parts of the system. During the process of learning how to enable a new |
parts of the system. During the process of learning how to enable a new |
| service, the novice is more likely to learn of security considerations.<p> |
service, the novice is more likely to learn of security considerations. |
| |
|
| |
<p> |
| This is in stark contrast to the increasing number of systems that |
This is in stark contrast to the increasing number of systems that |
| ship with NFS, mountd, web servers, and various other services enabled |
ship with NFS, mountd, web servers, and various other services enabled |
| by default, creating instantaneous security problems for their users |
by default, creating instantaneous security problems for their users |
| within minutes after their first install.<p> |
within minutes after their first install. |
| |
|
| <a name="crypto"></a> |
<li><h3 id=crypto>Cryptography</h3> |
| <li><h3><font color="#e00000">Cryptography</font></h3><p> |
|
| |
|
| |
<p> |
| And of course, since the OpenBSD project is based in Canada, it is possible |
And of course, since the OpenBSD project is based in Canada, it is possible |
| for us to integrate cryptography. For more information, read the page |
for us to integrate cryptography. For more information, read the page |
| outlining <a href=crypto.html>what we have done with cryptography</a>.</p> |
outlining <a href=crypto.html>what we have done with cryptography</a>. |
| |
|
| <li><h3><font color="#e00000">Advisories</font></h3><p> |
<li><h3 id=advisories>Advisories</h3> |
| |
|
| |
<p> |
| Please refer to the links at the top of this page. |
Please refer to the links at the top of this page. |
| |
|
| <a name="watching"></a> |
<li><h3 id=watching>Watching our Changes</h3> |
| <li><h3><font color="#e00000">Watching our Changes</font></h3><p> |
|
| |
|
| |
<p> |
| Since we take a proactive stance with security, we are continually |
Since we take a proactive stance with security, we are continually |
| finding and fixing new security problems. Not all of these problems |
finding and fixing new security problems. Not all of these problems |
| get widely reported because (as stated earlier) many of them are not |
get widely reported because (as stated earlier) many of them are not |
| confirmed to be exploitable; many simple bugs we fix do turn out to |
confirmed to be exploitable; many simple bugs we fix do turn out to |
| have security consequences we could not predict. We do not have the |
have security consequences we could not predict. We do not have the |
| time resources to make these changes available in the above format.<p> |
time resources to make these changes available in the above format. |
| |
|
| |
<p> |
| Thus there are usually minor security fixes in the current source code |
Thus there are usually minor security fixes in the current source code |
| beyond the previous major OpenBSD release. We make a limited |
beyond the previous major OpenBSD release. We make a limited |
| guarantee that these problems are of minimal impact and unproven |
guarantee that these problems are of minimal impact and unproven |
| exploitability. If we discover that a problem definitely matters for |
exploitability. If we discover that a problem definitely matters for |
| security, patches will show up here <strong>VERY</strong> quickly.<p> |
security, patches will show up here <strong>VERY</strong> quickly. |
| |
|
| |
<p> |
| People who are really concerned with security can do a number of |
People who are really concerned with security can do a number of |
| things:<p> |
things: |
| |
|
| <ul> |
<ul> |
| <li>If you understand security issues, watch our |
<li>If you understand security issues, watch our |
| <a href="mail.html">source-changes mailing list</a> and keep an |
<a href="mail.html">source-changes mailing list</a> and keep an |
| eye out for things which appear security related. Since |
eye out for things which appear security related. Since |
| exploitability is not proven for many of the fixes we make, |
exploitability is not proven for many of the fixes we make, |
| do not expect the relevant commit message to say "SECURITY FIX!". |
do not expect the relevant commit message to say <q>SECURITY FIX!</q>. |
| If a problem is proven and serious, a patch will be available |
If a problem is proven and serious, a patch will be available |
| here very shortly after. |
here very shortly after. |
| <li>Track our current source code tree, and teach yourself how to do a |
<li>Track our current source code tree, and teach yourself how to do a |
|
|
| instance, an amd64 snapshot is typically made available daily. |
instance, an amd64 snapshot is typically made available daily. |
| </ul> |
</ul> |
| |
|
| <p> |
<li><h3 id=reporting>Reporting problems</h3> |
| <a name="reporting"></a> |
|
| <li><h3><font color="#e00000">Reporting problems</font></h3><p> |
|
| |
|
| <p> If you find a new security problem, you can mail it to |
<p> |
| |
If you find a new security problem, you can mail it to |
| <a href="mailto:deraadt@openbsd.org">deraadt@openbsd.org</a>. |
<a href="mailto:deraadt@openbsd.org">deraadt@openbsd.org</a>. |
| <br> |
<br> |
| If you wish to PGP encode it (but please only do so if privacy is very |
If you wish to PGP encode it (but please only do so if privacy is very |
| urgent, since it is inconvenient) use this <a href="advisories/pgpkey.txt">pgp key</a>. |
urgent, since it is inconvenient) use this <a href="advisories/pgpkey.txt">pgp key</a>. |
| |
|
| <p> |
<li><h3 id=papers>Further Reading</h3> |
| <a name="papers"></a> |
|
| <li><h3><font color="#e00000">Further Reading</font></h3><p> |
|
| |
|
| |
<p> |
| Numerous |
Numerous |
| <a href="papers/index.html">papers</a> have been written by OpenBSD team members, |
<a href="events.html">papers</a> have been written by OpenBSD team members, |
| many dedicated to security. |
many dedicated to security. |
| </ul> |
</ul> |
| |
|
| </body> |
|
| </html> |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to security.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www