OpenBSD is fantastic

Posted on 2018-03-13
I have been using OpenBSD, a FREE, multi-platform 4.4BSD-based UNIX-like operating system, both professionally and privately since about 2004, and today I'm going to share some of my experiences with you.

As I was gathering my thoughts for this article I quickly realized that it is actually quite difficult to give due credit to the developers of OpenBSD. OpenBSD is unique and it's fantastic; however, much of its splendor "hides" in the design and coding of the operating system, and as such isn't visible to the average user. You need to understand some of what goes on under the hood to really appreciate OpenBSD.

OpenBSD is easy and quick to install and you will be surprised at how simple and well designed the system is. This is because a lot of work goes into making everything right from the beginning, and the project is following the UNIX philosophy to the letter.

OpenBSD comes with a lot of applications in the base system ready to run; however, nothing is enabled by default, and you have to enable the services you need. Every configuration file follows the same kind of syntax, a very human-readable syntax, and is hence easy to understand and set up. Every single option is meticulously documented in the man pages and the OpenBSD project considers lacking documentation a bug - which is what every professional programmer should do.

Lacking documentation, or incorrect documentation, is just as dangerous to a running system as security bugs are. The reason for this is that security issues sometimes arise from misconfiguration. If you don't know how to set up your system, how can you be sure that it isn't running in a manner that makes it easy for an attacker to compromise the system? A lot of spam on the Internet originates from misconfigured mail servers that have been compromised by hackers.

Every single line of code in the operating system kernel and base system gets security audited and scrutinized by the programmers, and everything is coded following a strict set of guidelines and principles that try to eliminate all the typical coding mistakes (yes, most security bugs are coding mistakes made by programmers and developers).

But that's not all. What really makes OpenBSD amazing is all the security mitigation work that goes into the development of the operating system, and the OpenBSD developers are doing some fantastic frontier engineering in this area.

Security mitigations are techniques that help prevent attackers from running malicious code on the operating system or taking advantage of security bugs or weaknesses in software.

If you're using a piece of software, say a browser, and the browser has a security bug that is exploitable, then it is possible for a hacker to gain access to your computer. How much damage the hacker can do on your computer depends on the underlying security of the operating system.

OpenBSD has a number of mitigation techniques built into the kernel and base system that make life really difficult for a hacker. Firstly, this means that it becomes much more difficult for a hacker to gain access to your system in the first place using the normal exploitation techniques which work on many other operating systems like Microsoft Windows, Linux, Mac OS, and others. Secondly, if an attacker happens to gain access to the system despite these mitigations, the amount of damage the attacker can do is much more limited and constricted.

Here is a list of some of the OpenBSD security innovations built into the operating system and enabled by default.

  • Enforced W^X in the kernel on i386/amd64/sparc64.
  • Enforced W^X userland as of version 6.0.
  • SROP (sigreturn(2) oriented programming) mitigation by default.
  • Static-PIE for self-relocating static binaries.
  • Stack protector.
  • Privilege dropping and separation for most of the base system as a matter of policy, new stuff doesn't get enabled without it.
  • bcrypt password hashes only, with an automatically selected rounds value based on system performance.
  • PIE by default for base, packages, and ports.
  • C shared library re-ordering at boot time, i.e. libc.so is re-linked at boot time so objects are randomly ordered.
  • System-wide sandboxing (pledge(2)) of a large percentage of the userland, including the privileged part of the X server and most network-facing daemons.
  • arc4random(3), which backs rand(3), random(3), and drand48(3), with an audited base/ports tree. Software must opt in to the deterministic, broken POSIX behavior.
  • And the list goes on at OpenBSD Innovations
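
The W^X entries in the list above can be observed from userland by asking the kernel for memory that is writable and executable at the same time. The following C probe is an added example, not code from the original post or from the OpenBSD project; the names `try_map`, `try_upgrade_to_wx` and `wx_enforced` are made up for this illustration.

```c
#define _DEFAULT_SOURCE            /* exposes MAP_ANON on glibc; harmless elsewhere */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#define PROBE_LEN 4096             /* size of the throwaway anonymous mapping */

/* Request an anonymous private mapping with protection `prot`.
 * Returns 0 if the kernel granted it, otherwise the errno of the refusal. */
int try_map(int prot)
{
    void *p = mmap(NULL, PROBE_LEN, prot, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, PROBE_LEN);
    return 0;
}

/* Map read/write, then ask mprotect() to add PROT_EXEC to the same pages.
 * Returns 0 if granted, otherwise the errno of the refusal. */
int try_upgrade_to_wx(void)
{
    int rc = 0;
    void *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    if (mprotect(p, PROBE_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) == -1)
        rc = errno;
    munmap(p, PROBE_LEN);
    return rc;
}

/* 1 if both routes to a writable+executable page are refused, 0 otherwise. */
int wx_enforced(void)
{
    return try_map(PROT_READ | PROT_WRITE | PROT_EXEC) != 0 &&
           try_upgrade_to_wx() != 0;
}

int main(void)
{
    int direct = try_map(PROT_READ | PROT_WRITE | PROT_EXEC);
    int upgrade = try_upgrade_to_wx();
    printf("mmap RWX:         %s\n", direct ? strerror(direct) : "granted");
    printf("mprotect RW->RWX: %s\n", upgrade ? strerror(upgrade) : "granted");
    printf("W^X enforced for this process: %s\n", wx_enforced() ? "yes" : "no");
    return 0;
}
```

OpenBSD's mmap(2) manual documents `ENOTSUP` for `PROT_WRITE | PROT_EXEC` requests unless the filesystem is mounted `wxallowed` and the binary is tagged `wxneeded`; systems without such a policy typically grant both requests.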

Several of these innovations have been adopted and implemented by other operating system projects thanks to the work done by the OpenBSD developers.

OpenBSD is a robust and reliable operating system that you can run with minimal interaction once it is set up. It is actually the only operating system that enables you to sleep at night in case you're running any system critical software.

OpenBSD maintains a portable version of many parts of the base system, including:

  • LibreSSL, a free implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, forked from the OpenSSL 1.0.1g branch
  • OpenBGPD, a free implementation of the Border Gateway Protocol 4 (BGP-4)
  • OpenOSPFD, a free implementation of the Open Shortest Path First (OSPF) routing protocol
  • OpenNTPD, a simple alternative to ntp.org's Network Time Protocol (NTP) daemon
  • OpenSMTPD, a free Simple Mail Transfer Protocol (SMTP) daemon with IPv4/IPv6, PAM, Maildir and virtual domains support
  • httpd, an HTTP server first included in the 5.6 release
  • OpenSSH, a free implementation of the Secure Shell (SSH) protocol
  • OpenIKED, a free implementation of the Internet Key Exchange (IKEv2) protocol
  • Common Address Redundancy Protocol (CARP), a free alternative to Cisco's patented HSRP/VRRP server redundancy protocols
  • PF, an IPv4/IPv6 stateful firewall with NAT, PAT, QoS and traffic normalization support
  • pfsync, a firewall states synchronization protocol for PF firewall with High Availability support using CARP
  • spamd, a spam filter with greylisting support designed to inter-operate with the PF firewall
  • sndio, a compact audio and MIDI framework
  • Xenocara, a customized X.Org build infrastructure
  • cwm, a stacking window manager
  • tmux virtual console multiplexer
  • The X.Org Server
  • Clang
  • GNU Compiler Collection
  • Perl
  • NSD
  • Unbound
  • Ncurses
  • GNU Binutils
  • GNU Debugger
  • Awk

All of this is in the base system of the operating system and it is a part of a standard OpenBSD installation. The third-party software components (from X.Org Server and downwards in the list) come with OpenBSD-specific patches for increased security.

Besides the above, OpenBSD provides, as of writing, more than 9,700 installable applications via the OpenBSD package manager.

However, it is very important to note that even though you are advised to use the precompiled packages over manually building software from ports, the package collections for the "release" and "stable" branches of OpenBSD do not get package upgrades. As such, security updates are only available through the ports system when you are running the "stable" branch.

When serious bugs or security flaws are discovered in the applications in ports, they are fixed in the "stable" branch of the ports tree. Contrary to the base system, the "stable" ports only get security backports for the latest release. This means that if you're using third-party applications you need to check out the correct branch of the ports tree, and build the software from it manually. The ports can be kept up to date with CVS and you can subscribe to the ports-changes mailing list in order to receive security announcements related to applications in the ports tree.

Since the ports collection is a collection of software from third-party providers, it does not go through the same thorough security audit that is performed on the OpenBSD base system. The OpenBSD project does not have enough resources to ensure the same level of robustness and security with ports as it does with the base system.

Take a look at the OpenBSD project website for further information.

Relevant links

OpenBSD Security

OpenBSD Frequently Asked Questions

OpenBSD on Wikipedia

Exploit Mitigation Techniques: an Update After 10 Years

Theo de Raadt on Pledge at EuroBSDCon 2017

Theo de Raadt on RETGUARD on the OpenBSD mailing list

If you have any comments or corrections feel free to email them to me.