OpenBSD Journal

pinsyscalls(2) work summarized by Theo de Raadt

Contributed by Peter N. M. Hansteen on from the safely pinned dept.

In a post to tech@, Theo de Raadt (deraadt@) summarizes the multi-year effort to make certain attack vectors unavailable on OpenBSD:

Subject:    pinsyscalls(2)
From:       "Theo de Raadt" <deraadt () openbsd ! org>
Date:       2024-01-28 20:20:59

pinsyscalls(2) has gone into the tree without too much difficulty, and no
issues are currently known.

None of this could have been possible without help from a few groups of
people.
- gnezdo@ and others for early on reviewing the ports tree and removing (or
  at least reducing) calls to syscall(2)
- afresh1@, who followed my guidance and over 6 months wrote a syscall(2)
  emulator inside perl
- But most of all -- jsing@, who went through multiple iterations inside
  the go ecosystem to (1) force it to use libc system call stubs, which
  permitted msyscall(2), and (2) incrementally remove use of syscall(2)
  inside go and go libraries.

The direct-syscalls-inside-the-binary model used by go (and only go, no one
else in the history of unix software does this) provided the biggest
resistance against this effort.

Start to end, this took 5 years.

Together with library relinking, this makes some specific low-level attack
methods unfeasible on OpenBSD, which will force the use of other methods.
Hopefully those other methods are more difficult, or also harmed by library
relinking and other changes we've made.

This is all about removing avenues, and forcing attackers to use other
methods which are hopefully more challenging.

If you're not on -current, this is a preview of what to look forward to in the upcoming OpenBSD 7.5 release.
