OpenBSD Journal

Two mentions of OpenBSD as a positive security example.

Contributed by grey on from the a little good news is better than no news at all dept.

Bruce Schneier now has a blog and in it he mentions OpenBSD as an example of an open source project which actually leverages the availability of the source code for security, here's an excerpt:

"There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis. When open-source code is properly analyzed, there's nothing better. But just putting the code out in public is no guarantee."

Another brief mention comes in this week from Anandtech's A bit about the NX bit; Virus Protection Woes. Here is the relevant excerpt from the piece:

"In fact, NX/XD is a good first step to locking down the x86 architecture, as long as it's adopted correctly. OpenBSD and the Execshield projects have made the largest progress with implementing non-executable writable pages and other features, if only in software."

(Comments are closed)


  1. By Anonymous Coward (213.118.91.118) on

    "OpenBSD and the Execshield projects have made the largest progress with implementing non-executable writable pages and other features, if only in software."

    That guy from PaX is going to be so pissed because his hobby horse isn't mentioned... offtopic I know - sue me.

    1. By mirabile (213.196.242.88) on http://mirbsd.de/

      pax? Isn't that the posix archiver, plus cpio and tar?

      1. By Anonymous Coward (211.30.147.144) on

        Oh come on! As part of the open-source community, at least be aware of other technologies on other platforms! Have a look here : http://pax.grsecurity.net/ ( Its similar to W^X in OpenBSD. ) I think Adamantix, basically the Linux equivalent to OpenBSD, in a sense, should also get at least a mention. I use both OSs, they both offer great things to open source software's security innovation. (although, Adamantix doesn't quite compete in terms of clamping down on issues as quickly as OpenBSD. They still have 55 issues that need to be resolved...Out of the 282. Which isn't too bad, but needs to get better.)

        1. By Anonymous Coward (211.30.147.144) on

          Come to think of it, (looking up Adamantix in closer detail, and spending a few hours on it). OpenBSD craps on Adamantix when it comes to maintenance and fixing. Screw that, I'm taking off Adamantix!

        2. By Anonymous Coward (194.72.54.134) on

          I have a feeling that any attempt at humor will have to be clearly marked as such. At least I think it was an attempt at humor ;)

      2. By djm@ (203.217.30.86) on

        no, it is the latin word for "peace"

    2. By PaX Team (81.182.142.231) pageexec at freemail.hu on http://pax.grsecurity.net./

      well, what did you expect from an OpenBSD fan [1]? fair, objective analysis?

      if still in doubt, just look at your own moderation points that you earned with your schadenfreude.

      1. http://www.undeadly.org/cgiaction=article&sid=20020609090353&pid=131

      1. By SH (82.182.103.172) on

        Most likely, the AC, like me, has read your posts before on deadly.org on related matter. PaX vobiscum. /SH

        1. By PaX Team (81.182.76.119) pageexec at freemail.hu on

          uhm, what did you try to say with this? that i had schadenfreude? or wasn't objective? if so, care to provide some quotes?

      2. By tedu (67.124.88.60) on

        well, if anybody had their doubts, it's obvious you're not an openbsd user judging by your search engine prowess. many an openbsd user has trouble finding a man page, but you can dig up an obscure posting that's two years old and barely relevant.

        (that was joke.)

      3. By Anonymous Coward (195.217.242.33) on

        Out of interest ...

        the article was about NX bits, i didn't realise PaX used NX bits

        it obviously can't on platforms that don't support it


        OpenBSD only provides W^X on platforms that support NX on a page level

        hmmm.... well maybe not on some x86, as segment based NX is used

        1. By PaX Team (81.182.76.119) pageexec at freemail.hu on

          > the article was about NX bits, i didn't realise PaX used NX bits
          > it obviously can't on platforms that don't support it

          assuming you mean amd64's NX, PaX (or rather, linux itself) has always used that on that platform, but only in 64 bit mode (as noone asked for supporting NX on a 32 bit kernel on it). lately linux itself has added support for NX on 32 bit kernels on amd64 (and future i386 capable of NX), so i'll support that in the next release (all 4 lines it takes, that is ;-).

          on other (non amd64/i386) platforms PaX either uses the 'native' NX bit (alpha, ia-64, parisc, sparc, sparc64) or something equivalent (ppc, that's all ppc, not only 4xx).

          > OpenBSD only provides W^X on platforms that support NX on a page level
          > hmmm.... well maybe not on some x86, as segment based NX is used

          indeed, on i386 OpenBSD uses segmentation and userland tweaks to achieve W^X, but it's not per page. PaX provides per page NX behaviour on i386 by either of two approaches, each with a different tradeoff (userland address space size vs. performance impact).

          1. By Anonymous Coward (195.217.242.33) on

            Out of interest, what is the PPC equivelant ?

            It looks like it can only be acheived at the segment level.

            I seem to remember that it can only be acheived per-page on Book E - Enhanced PPC.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]