OpenBSD Journal

Two mentions of OpenBSD as a positive security example.

Contributed by grey on from the a little good news is better than no news at all dept.

Bruce Schneier now has a blog, and in it he mentions OpenBSD as an example of an open source project which actually leverages the availability of the source code for security. Here's an excerpt:

"There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis. When open-source code is properly analyzed, there's nothing better. But just putting the code out in public is no guarantee."

Another brief mention comes in this week from Anandtech's "A bit about the NX bit; Virus Protection Woes". Here is the relevant excerpt from the piece:

"In fact, NX/XD is a good first step to locking down the x86 architecture, as long as it's adopted correctly. OpenBSD and the Execshield projects have made the largest progress with implementing non-executable writable pages and other features, if only in software."



Comments
  1. By Anonymous Coward (213.118.91.118) on

    "OpenBSD and the Execshield projects have made the largest progress with implementing non-executable writable pages and other features, if only in software."

    That guy from PaX is going to be so pissed because his hobby horse isn't mentioned... offtopic I know - sue me.

    Comments
    1. By mirabile (213.196.242.88) on http://mirbsd.de/

      pax? Isn't that the posix archiver, plus cpio and tar?

      Comments
      1. By Anonymous Coward (211.30.147.144) on

        Oh come on! As part of the open-source community, at least be aware of other technologies on other platforms! Have a look here: http://pax.grsecurity.net/ (It's similar to W^X in OpenBSD.) I think Adamantix, basically the Linux equivalent to OpenBSD, in a sense, should also get at least a mention. I use both OSs, they both offer great things to open source software's security innovation. (although, Adamantix doesn't quite compete in terms of clamping down on issues as quickly as OpenBSD. They still have 55 issues that need to be resolved...Out of the 282. Which isn't too bad, but needs to get better.)

        Comments
        1. By Anonymous Coward (211.30.147.144) on

          Come to think of it, (looking up Adamantix in closer detail, and spending a few hours on it). OpenBSD craps on Adamantix when it comes to maintenance and fixing. Screw that, I'm taking off Adamantix!

        2. By Anonymous Coward (194.72.54.134) on

          I have a feeling that any attempt at humor will have to be clearly marked as such. At least I think it was an attempt at humor ;)

      2. By djm@ (203.217.30.86) on

        no, it is the latin word for "peace"

    2. By PaX Team (81.182.142.231) pageexec at freemail.hu on http://pax.grsecurity.net./

      well, what did you expect from an OpenBSD fan [1]? fair, objective analysis?

      if still in doubt, just look at your own moderation points that you earned with your schadenfreude.

      1. http://www.undeadly.org/cgi?action=article&sid=20020609090353&pid=131

      Comments
      1. By SH (82.182.103.172) on

        Most likely, the AC, like me, has read your posts before on deadly.org on related matter. PaX vobiscum. /SH

        Comments
        1. By PaX Team (81.182.76.119) pageexec at freemail.hu on

          uhm, what did you try to say with this? that i had schadenfreude? or wasn't objective? if so, care to provide some quotes?

      2. By tedu (67.124.88.60) on

        well, if anybody had their doubts, it's obvious you're not an openbsd user judging by your search engine prowess. many an openbsd user has trouble finding a man page, but you can dig up an obscure posting that's two years old and barely relevant.

        (that was joke.)

      3. By Anonymous Coward (195.217.242.33) on

        Out of interest ...

        the article was about NX bits, i didn't realise PaX used NX bits

        it obviously can't on platforms that don't support it


        OpenBSD only provides W^X on platforms that support NX on a page level

        hmmm.... well maybe not on some x86, as segment based NX is used

        Comments
        1. By PaX Team (81.182.76.119) pageexec at freemail.hu on

          > the article was about NX bits, i didn't realise PaX used NX bits
          > it obviously can't on platforms that don't support it

          assuming you mean amd64's NX, PaX (or rather, linux itself) has always used that on that platform, but only in 64 bit mode (as no one asked for supporting NX on a 32 bit kernel on it). lately linux itself has added support for NX on 32 bit kernels on amd64 (and future i386 capable of NX), so i'll support that in the next release (all 4 lines it takes, that is ;-).

          on other (non amd64/i386) platforms PaX either uses the 'native' NX bit (alpha, ia-64, parisc, sparc, sparc64) or something equivalent (ppc, that's all ppc, not only 4xx).

          > OpenBSD only provides W^X on platforms that support NX on a page level
          > hmmm.... well maybe not on some x86, as segment based NX is used

          indeed, on i386 OpenBSD uses segmentation and userland tweaks to achieve W^X, but it's not per page. PaX provides per page NX behaviour on i386 by either of two approaches, each with a different tradeoff (userland address space size vs. performance impact).

          Comments
          1. By Anonymous Coward (195.217.242.33) on

            Out of interest, what is the PPC equivalent?

            It looks like it can only be achieved at the segment level.

            I seem to remember that it can only be achieved per-page on Book E - Enhanced PPC.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]