Annotation of www/security.html, Revision 1.43
1.1 deraadt 1: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict//EN">
2: <html>
3: <head>
1.20 deraadt 4: <title>OpenBSD Security</title>
1.1 deraadt 5: <link rev=made href=mailto:www@openbsd.org>
6: <meta name="resource-type" content="document">
7: <meta name="description" content="OpenBSD advisories">
8: <meta name="keywords" content="openbsd,main">
9: <meta name="distribution" content="global">
10: <meta name="copyright" content="This document copyright 1997 by OpenBSD.">
11: </head>
12:
13: <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#23238E">
14:
1.2 deraadt 15: <img alt="[OpenBSD]" SRC="/images/smalltitle.gif">
1.1 deraadt 16:
1.2 deraadt 17: <p>
1.12 deraadt 18: <h3><font color=#e00000><strong>OpenBSD Security Views</strong></font></h3>
1.22 deraadt 19:
1.14 deraadt 20: OpenBSD believes in strong security. Our aspiration is to be NUMBER
1.22 deraadt 21: ONE in the industry for security (if we are not already there). Our
22: open software development model permits us to take a more
23: uncompromising view towards increased security than Sun, SGI, IBM, HP,
24: or other vendors are able to. We can make changes the vendors would
1.27 deraadt 25: not make. Also, since OpenBSD is exported with <a href=crypto.html>
1.41 deraadt 26: cryptography software</a>, we are able to take cryptographic
27: approaches towards fixing security problems.<p>
1.18 deraadt 28:
29: Like most readers of the
1.13 deraadt 30: <a href=http://www.geek-girl.com/bugtraq/index.html>
1.18 deraadt 31: BUGTRAQ mailing list</a>,
32: we believe in full disclosure of security problems. We believe that
33: security information moves very fast in crackers circles. Our
34: experience shows that coding and release of proper security fixes
35: typically requires about an hour of work resulting in very fast fix
36: turnaround. Thus we think that full disclosure helps the people who
1.22 deraadt 37: really care about security.<p>
1.15 deraadt 38:
1.12 deraadt 39: Our security auditing team typically has between six and twelve
1.15 deraadt 40: members, and most of us continually search for and fix new security
41: holes. We have been auditing since the summer of 1997. The process we
1.12 deraadt 42: followed to increase security was simply a comprehensive file-by-file
43: analysis of every critical software component. Flaws were found in
44: just about every area of the system. Entire new classes of security
45: problems were found while we were doing the audit, and in many cases
46: source code which had been audited earlier had to be re-audited with
1.22 deraadt 47: these new flaws in mind.<p>
1.12 deraadt 48:
1.31 deraadt 49: Some members of our security auditing team work for
50: <a href=http://www.secnet.com>Secure Networks</a>, the company that
1.32 deraadt 51: makes the industry's premier network security scanning software
52: package Ballista.
1.31 deraadt 53: This company does a lot of security research, and this fits in well
54: with the OpenBSD stance.<p>
55:
1.34 deraadt 56: Another facet of our security auditing process is its proactiveness.
1.16 deraadt 57: In almost all cases we have found that the determination of
58: exploitability is not an issue. During our auditing process we find
1.42 deraadt 59: many bugs, and endeavor to fix them even though exploitability is not
60: proven. We have fixed many simple and obvious careless programming
61: errors in code and then only months later discovered that the problems
62: were in fact exploitable. In other cases we have been saved from full
63: exploitability of complex step-by-step attacks because we had fixed
64: one of the steps. An example of where we managed such a success is
65: the
1.30 deraadt 66: <a href=http://www.secnet.com/sni-advisories/sni-19.bsd.lpd.advisory.html>
1.35 deraadt 67: lpd advisory from Secure Networks.</a><p>
1.29 deraadt 68:
1.35 deraadt 69: This proactive auditing process has really paid off. Statements like
70: ``This problem was fixed in OpenBSD about 6 months ago'' have become
71: commonplace in security forums like <a
72: href=http://www.geek-girl.com/bugtraq/index.html>BUGTRAQ</a>.<p>
73:
74: Most of our security auditing happened immediately before the OpenBSD
1.36 deraadt 75: 2.0 release and during the 2.0->2.1 transition, over the last third of
76: 1996 and first half of 1997. Thousands (Yes, that is thousands) of
77: security issues were fixed rapidly over the year long period; bugs
78: like the standard buffer overflows, protocol implementation
79: weaknesses, information gathering, and filesystem races. More
80: recently the security problems we find and fix tend to be more obscure
81: or complicated. Still we will persist for a number of reasons:
82:
1.35 deraadt 83: <ul>
84: <li>Occasionally we find a simple one we missed before.
85: <li>Security is like an arms race; the best attackers will continue
86: to search for more complicated exploits, so we should too.
87: </ul>
1.15 deraadt 88:
1.14 deraadt 89: The auditing process is not over yet, and as you can see we continue
1.28 deraadt 90: to find and fix new security flaws.<p>
1.12 deraadt 91:
92: <p>
93: <h3><font color=#e00000><strong>OpenBSD 2.1 Security Advisories</strong></font></h3>
1.11 deraadt 94: These are the OpenBSD 2.1 advisories. All these problems are solved
95: in OpenBSD 2.2. Some of these problems still exist in other
1.1 deraadt 96: operating systems.
97:
98: <ul>
1.27 deraadt 99: <li><a href=advisories/rfork>Rfork() system call flaw (patch included)</a>
100: <li><a href=advisories/procfs>Procfs flaws (patch included)</a>
101: <li><a href=advisories/signals>Deviant Signals (patch included)</a>
1.9 deraadt 102: </ul>
103:
104: <p>
1.12 deraadt 105: <h3><font color=#e00000><strong>OpenBSD 2.2 Security Advisories</strong></font></h3>
1.11 deraadt 106: These are the OpenBSD 2.2 advisories. All these problems are
1.9 deraadt 107: solved in OpenBSD current. Some of these problems still exist in other
1.14 deraadt 108: operating systems.
1.9 deraadt 109:
110: <ul>
1.40 deraadt 111: <li><a href=errata.html#f00f>Intel P5 f00f lockup (patch included).</a>
112: <li><a href=advisories/sourceroute>Sourcerouted Packet Acceptance.</a>
113: A patch is available <a href=errata.html#sourceroute>here</a>.
114: <li><a href=errata.html#ruserok>Setuid coredump & Ruserok() flaw (patch included).</a>
115: <li><a href=advisories/sourceroute>Read-write mmap() flaw.</a>
116: Revision 3 of the patch is available <a href=errata.html#mmap>here</a>
117: <li><a href=errata.html#ldso>MIPS ld.so flaw (patch included).</a>
1.43 ! deraadt 118: <li><a href=errata.html#mountd>Accidental NFS filesystem export (patch included).</a>
1.1 deraadt 119: </ul>
120:
1.21 deraadt 121: <p>
122: <h3><font color=#e00000><strong>Watching our Security Changes</strong></font></h3>
123: Since we take a proactive stance with security, we are continually
124: finding and fixing new security problems. Not all of these problems
125: get widely reported because (as stated earlier) many of them are not
126: confirmed to be exploitable. We do not have the time resources to
127: make these changes available in the above format.<p>
128:
129: Thus there are usually minor security fixes in the current source code
130: beyond the previous major OpenBSD release. We make a limited
131: gaurantee that these problems are of limited impact and unproven
132: exploitability. If we discover a problem definately matters for
133: security, patches will show up here quickly.<p>
134:
135: People who are really concerned with critical
136: security can do a number of things:<p>
137:
138: <ul>
139: <li>If you understand security issues, watch our
1.27 deraadt 140: <a href=mail.html>source-changes mailing list</a> and keep an
1.23 deraadt 141: eye out for things which appear security related. Since
1.21 deraadt 142: exploitability is not proven for many of the fixes we make,
143: do not expect the relevant commit message to say "SECURITY FIX!".
144: If a problem is proven and serious, a patch will be available
145: here very shortly after.
146: <li>Track our current source code tree, and teach yourself how to do a
1.29 deraadt 147: complete system build from time to time (read /usr/src/Makefile
148: carefully). Users can make the assumption that the current
149: source tree always has stronger security than the previous release.
150: <li>Install a binary <a href=snapshots.html>snapshot</a> for your
151: architecure, which are made available fairly often. For
152: instance, an i386 snapshot is typically made available weekly.
1.21 deraadt 153: </ul>
154:
1.9 deraadt 155: <p>
1.12 deraadt 156: <h3><font color=#e00000><strong>Other Resources</strong></font></h3>
1.3 deraadt 157: Other security advisories that have (in the past) affected OpenBSD can
1.4 deraadt 158: be found at the <a href=http://www.secnet.com/nav1.html>Secure Networks archive</a>.
1.25 deraadt 159: Some OpenBSD audit team members worked with Secure Networks on discovering
160: and solving the problems detailed in some of their security advisories.
1.3 deraadt 161:
1.5 deraadt 162: <p> If you find a new security problem, you can mail it to
1.6 deraadt 163: <a href=mailto:deraadt@openbsd.org>deraadt@openbsd.org</a>.
1.7 deraadt 164: <br>
1.5 deraadt 165: If you wish to PGP encode it (but please only do so if privacy is very
1.27 deraadt 166: urgent, since it is inconvenient) use this <a href=advisories/pgpkey>pgp key</a>.
1.5 deraadt 167:
1.2 deraadt 168: <hr>
1.27 deraadt 169: <a href=index.html><img src=/back.gif border=0 alt=OpenBSD></a>
1.24 deraadt 170: <a href=mailto:www@openbsd.org>www@openbsd.org</a>
171: <br>
1.43 ! deraadt 172: <small>$OpenBSD: security.html,v 1.42 1998/03/03 01:32:38 deraadt Exp $</small>
1.1 deraadt 173:
1.24 deraadt 174: </body>
175: </html>