Slashdot Log In
Theo de Raadt Responds
from the no-fear-of-forking-here dept.
A book on code auditing?
by LizardKing
Would you and/or other members of the OpenBSD coders consider writing a book on secure, bug-free coding and auditing? Most programming books feature sample code that is written for pedagogical purposes. Quite often this runs contrary to how secure code should be written, leaving a gap in many a programmers knowledge. A book on audinting and how to avoid security pitfalls when coding would also make your life easier - less code to audit for OpenBSD, and more time top concentrate on nifty new features!!!
Theo:
There is perhaps a split between the two issues you bring up. On the one side is secure coding, as in code written to be secure by the original author(s). On the other side, auditing, which is where an outsider (or an insider) later on goes and tries to clean up the mess which remains. And there is always a mess. Perhaps part of the problem is that a huge gap lies between these two. In the end though, I think that a book on such a topic would probably have to repeat the same thing every second paragraph, throughout the book: Understand the interfaces which you are coding to! Understand the interfaces which you are coding to! Most of the security (or simply bug) issues we audited out of our source tree are just that. The programmer in question was a careless slob, not paying attention to the interface he was using. The repeated nature of the same classes of bugs throughout the source tree, also showed us that most programmers learn to code by (bad) examples. A solid systems's approach should not be based on "but it works". Yet, time and time again, we see that for most people this is the case. They don't care about good software, only about "good enough" software. So the programmers can continue to make such mistakes. Thus, I do not feel all that excited about writing a book which would simply teach people that the devil is in the details. If they haven't figured it out by now, perhaps they should consider another occupation (one where they will cause less damage).
Making the rest secure
by squiggleslash
OpenBSD has a well deserved reputation for security "out of the box" and for the fact the inbuilt tools are as secure as they're ever likely to be. However, the Ports system is, perhaps, an example of where the secure approach currently has limitations - an installation of OpenBSD running popular third-party systems like INN can only be so secure because the auditing of INN, and other such software, is outside the scope of the BSD audit.
My question is, has the OpenBSD team ever proposed looking into how to create a 'secured ports' tree, or some other similar system, that would ensure that many of the applications people specifically want secure platforms like OpenBSD to run could be as trusted as the platforms themselves?
Theo:
We have our hands already pretty full, just researching new ideas in our main source tree, which is roughly 300MB in size. We also lightly involved ourselves in working with the XFree86 people a while back for some components there. Auditing the components outside of this becomes rather unwieldly. The difficulty lies not only in the volume of such code, but also in other issues. Sometimes communication with the maintainers of these other packages is difficult, for various reasons. Sometimes they are immediately turned off because we don't use the word Linux. Some of these portable software packages are by their nature never really going to approach the quality of regular system software, because they are so bulky.
But most importantly, please remember that we are also human beings, trying to live our lives in a pleasant way, and don't ussually get all that excited about suddenly burning 800 hours in some disgusting piece of badly programmer trash which we can just avoid running. I suppose that quite often some of our auditors look at a piece of code and go "oh, wow, this is really bad", and then just avoid using it. I know that doesn't make you guys feel better, but what can we say...
OpenBSD, security, et al.
by jd
With the release of SGI's B1 code, and the attempts by many U*ixen to secure their contents via capabilities, ACL's, etc, ad nausium, how is OpenBSD approaching the issue of resource control?
On a side note, is OpenBSD likely to ever head in the direction of being a distributed kernel? And, if so, how would security and resource management be maintained? (It's hard enough on a central kernel system.)
Theo:
On the first question, I think there is great confusion in the land of Orange Book. Many people think that is about security. It is not. Largely, those standards are about accountability in the face of threat. Which really isn't about making systems secure. It's about knowing when your system's security breaks down. Not quite the same thing. Please count the commercially deployed C, B, or even A systems which are actually being used by real people for real work, before foaming at the mouth about it all being "so great". On the other hand, I think we wil see if some parts of that picture actually start to show up in real systems, over time. By the way, I am surprised to see you list ACLs, which don't really have anything to do with B1 systems.
As to the second issue, I have no idea what a distributed kernel is, nor do I see how anything like that would improve security or quality of a system.
Forks and cooperation
by PapaZit
A lot of people know that OpenBSD forked from NetBSD, and there's still some animosity between the two groups. Personally, I think that the competition has helped both groups (NetBSD now ships with far fewer open services, for example).
Egos are delicate things, but do you see any chance for greater cooperation in the future, or do you see more forking and division as inevitable?
Theo:
Considering that NetBSD has maintained a black-hole route to the OpenBSD project networks for roughly four years, I don't see how any cooperation at higher levels are possible. However, there are developers who work on multiple projects. Some of them used to complain about having troubles from various groups. Nowadays, I think they've got it easier. Politics do not dictate developer relationships these days.
In Linux land, it appears that projects fork for financial reasons. In BSD land, it appears that the forks that have happened were purely political reasons. I don't know what will happen. It's been 5 years since the last fork in the BSD camp. Why are you guys so fork paranoid? Do you want everyone to vote for the same political party, too?
Kernel design
by laertes
I have only been using OpenBSD for a short while now, so forgive me if this question is based upon some incorrect assumtions.
OpenBSD's kernel design seems to be of the monolithic species. OpenVMS (no relation) and NT are two prominent operating systems that use a microkernel archetecture. The microkernel design seems to me to be fundamentally more secure, since there is less priveledged code. Further, if one of the servers is compromised, the damage is minimezed.
My question is this: Is the OpenBSD design fundamentally secure, or is it only a very well done implementation of a basically flawed design?
Theo:
I don't think it makes any difference, whatsoever. I think your computer science teachers are still teaching you from books written in the 80's, when the word "micro-kernel" was associated with a future utopia. We do not think that NT is a microkernel, and are you really so sure that OpenVMS is? A microkernel is not a kernel that does things through loadable modules. As well, I don't think it makes any difference, as long as a system does what it is supposed to do.
Where Did You Learn Your Code Audit Discipline?
by EXTomar
Did the drive to audit code come from the need or the design of BSD? Or was it initially a whim? More imporantly, where did you learn it from? Is their some "mentor" you looked too for ridge design? I have to admire your team's daunting code reviewing...I wonder if I'll ever have that kind of meticulous coding nature.
Theo:
The auditing process developed out of a desire to improve the quality of our operating system. Once we started on it, it becames fascinating, fun, and very nearly fanatical. About ten people worked together on it, basically teaching ourselves as things went along. We searched for basic source-code programmer mistakes and sloppiness, rather than "holes" or "bugs". We just kept recursing through the source tree everytime we found a sloppiness. Everytime we found a mistake a programmer made (such as using mktemp(3) in such a way that a filesystem race occured), we would go throughout the source tree and fix ALL of them. Then when we fix that one, we would find some other basic mistake, and then fix ALL of them. Yes, it's a lot of work. But it has a serious payback. Can you imagine if a Boeing engineer didn't fix ALL of the occurances of a wiring flaw? Why not at least try to engineer software in the same way?
Firewall/NAT box
by yamla
Linux has FreeSco, a product that fits on a 3.5 inch floppy disk and acts as a router and NAT (Network Address Translation). I always thought something like this would be ideal for OpenBSD. After all, I would rather trust OpenBSD than Linux for this.
Are there any plans to produce something like this? Something with a very simple user interface that is quick and easy to get set up? I'd love to play with OpenBSD and do it by hand but I simply do not have the time.
Theo:
I must say that I am not a fan of these floppy-based routers. Essentially, you are taking one of the most unreliable pieces of storage known to man, and trying to build security infrastructure on it. That's madness. Just buy a small disk. Perhaps somethings based on a CD plus some other (non-floppy) persistant storage might be sane. But please. Not floppies. Are you mad?
Code-auditing
by AT
Any advise for code auditers? Can you share any tips or techniques you have found useful in uncovering bugs? What do you first look for in a fresh piece of code? What about a mature piece of code?
Theo:
I suppose the biggest tip would be to become a better programmer. In particular, study what functions that programs are calling, and ensure that the calling code is following the rules of those functions 100%. How many of you understand the complete & correct semantics of every function in libc, or even just the libc functions being called by the program you are looking? (I mean, we went through our entire source tree, and about half the strncat() and strncpy() calls were subtly wrong, even if it only meant they copied a character extra and then zero'd it out -- it is still sloppy).
When you know exactly what the APIs are, you'll spot the bugs very easily. In my mind, it is the same as any other job that requires diligence. Be careful. Humans learn from examples, and yet, in this software programming environment, the tremendous complexity breeds non-obvious mistakes, which we carry along with us, and copy into new chunks of code. We've even found in manual pages where functions were mis-described, and when we found those, lots of programmers had followed the instructions incorrectly...
Dual Processor Support
by dragonfly_blue
Although there has been some indication that people are interested in running OpenBSD on machines with dual or quad processors, it appears that there are not enough resources and volunteers available to make this a reality. Although I use OpenBSD for my web server, I am by no means an expert, at this, but I'm curious nonetheless.
From what I've heard, multiprocessing support is going to be a very tricky thing to implement, because it gives rise to so many possible exploits, particularly with regards to race conditions. I also understand that it would take a remarkable amount of effort and time to rewrite much of the code base for SMP without compromising the OS's integrity.
With that in mind, what kind of resources would you need before you could seriously consider attempting dual or quad processor support? And, if you were given unlimited access to those resources, how long would it take before a -stable release would be ready? I would really like to see this feature get implemented, although I know that at this point your developer team is busy enough as it is.
Theo:
At this time, we are not working on SMP. It's a lot of work, and not considered the most interesting thing to our developers. Sorry.
Time warp
by rho
Thanks for your work, Theo. I use OBSD every day as a workstation and as a firewall, and the Cop-chasing-script-kiddie t-shirt is the best.
If you could time warp back to the beginning of OpenBSD's development (ignoring the scism that brought you to that point), what would you do differently? Would you have chosen a more commercial focus? Pushed SMP development earlier? Run around in circles waving your hands in the air?
On another note, what's your feeling about commercial use of OpenBSD? i.e., do you support it, tolerate it, or what? (better example, I make a set-top box running OpenBSD, and I need the OS to do "X". If I called you and said, "Theo, I need OpenBSD to support 'X'", would I be told to piss up a rope, write it myself, or would the OpenBSD team do it for a price?)
Theo:
The licence on our code is pretty clear. We want vendors to use our code. We want commercial operating systems to ship with OpenSSH. Not shipping with an SSH varient causes great grief, and it is time that ends.
Same goes for OpenBSD. We would prefer if companies building commercial network appliances used OpenBSD, rather than writing their own operating systems. Typically, these companies are very comfortable with solving the problems within their application space. Yet, there is a history of these companies writing their own cruddy operating systems, and at the same time writing worse applications.
It would be better if routers, firewalls, telephone switches, fileservers, and whatever else used reliable components, designed by people who care.
So go ahead, use any parts of OpenBSD as parts of commercial systems.
Full Disclosure And Version Numbering
by Effugas
First of all, I want to thank you for the hard work you've done building OpenBSD. It truly is a wonderful package.
Much of the security in OpenBSD lies under the hood in the work you've done cleansing the source of unsafe library calls. While this work is appreciated, I've become more and more concerned lately about the fact that these changes are not necessarily documented and certainly not reflected in the version number of an application or utility.
Version numbers reflect a snapshot in the life of a codebase. They're used to reference unsafe editions or particularly stable builds. Major number reflect code branches, but minor numbers reflect specific states of the code -- such is the expectation of a user or an administrator when a version number is detected. Without granularity of versioning, I have no reason to trust or distrust a given application by its number; I must personally audit its source -- and end up giving it a number of my own.
You and your team are code auditing masters. Rather than pollute the namespace by making indistinguishable your securely built modified code and the original(and, by extension, your secure code and numerous unnamed distributions' "just get it to compile" modifications), wouldn't it be appropriate for OpenBSD to apply a name extension to any package which it has modified, and in the interests of full disclosure, to provide a reasonable CHANGELOG of the fixes contained therein?
Theo:
Two numbers exist for every component of OpenBSD. One number is the release that the piece came in, ie. 2.8.
The other number exists in each source file that was built. And that number is also in each binary that was built from those files. You can use the what(1) command to determine the revisions of source files which make up each binary.
As to the "original" you talk about, there is no original. OpenBSD uses it's own components. I don't know what packages you are talking about. cat is cat. ftpd is ftpd. tar is tar. It's the one that came with a certain release. In the systems approach, the version numbering that other groups do is sometimes invalid, because pieces (such as libraries) are all part of the picture.
Was the last plane you were on using front wheel version 2.7 or 2.9? You don't care. You do however care greatly that a "systems approach" was used to ensure that it was whole. And in the OpenBSD case, that means pick a version, and install the patches.
Asking for more means that you want us to do less work on the system, and more version numbering.
Where does the money go?
by MrSparkler
I've seen reports of estimated CD sales per release at being as high as 10000. Add in t-shirt/poster sales and donations and a relatively considerable sum of money is flowing around OpenBSD. Combine this with the fact that checks are to be written to Mr. de Raadt and I get curious as to how the finances are handled. Not that I'm suggesting any misappropriation is occurring, I would just like to know who is in charge of the money and whether or not the OpenBSD project is registered as a non-profit organization (and if it is then checks should be made out to - and the CD image should be copyrighted to - that organization). Also, I would like to see a small financial report put out (as would be required if it were a non-profit organization in Alberta) so that users can see where their money is going. Plus, I would also like know exactly how many CDs are sold per release.
I greatly appreciate the work that the OpenBSD project developers have put in, and I plan on continuing to use, purchase, and donate to OpenBSD (and maybe even contribute when I get the technical skills) regardless of the answer to this question: Where exactly does the money go?
Theo:
We've not yet sold 10,000 CDs in a release. Hopefully we will soon. The project ends up with a bit less than 50% of the revenues from CD sales. The tshirt business is doing OK, but you make a lot less selling textiles. With posters we operate just above break-even. Even though some are sold on the web, most turn out to be free handouts at most conferences. That is how I planned the posters to operate.
We have thought about becoming a non-profit organization, but it is not really a good idea. It would not provide any real benefit -- to you -- as the masses. Especially in Canada, there are costs and serious responsibilities associated with doing such a thing. We would be giving up a lot of freedom, and would need to hire someone to do a lot of accounting. Also, since many of our donations come from outside Canada, we still could not really generate taxable benefits to you. (And I must ask, why are people so cheap, that they only give donations when it provides a partial reduction in their taxes, rather than a real donation? I actually find that pretty fake.)
Money from the project goes to various things. First off, it ensures that I can work full time on OpenBSD, and not need another job. I am also hoping to do the same for other developers in the project, who have indicated that they are interested in doing so. Secondly, certain grimey, unenjoyable, and very important development tasks sometimes put a bit of money in developer pockets. Some OpenSSH work was funded by matching OpenBSD money against donations from a Van Dyke. Thirdly, the project buys a fair amount of hardware: In powerpc land alone, 4 machines this year. Fourth, shipping costs to conferences sometimes severely cut into profits from sales. And finally, when developers get together to do hacking, project money sometimes pays for various things, like airplane tickets, accomodation, and sometimes even some beer. And beer results in ideas, which results in new code.
--------------
Before you ask: yes, we'll be doing Slashdot interviews with people from other *BSD projects in the near future - Robin
Re:But he doesnt follow his own advice (Score:2)
In the end, I felt an interview would not *help* the OpenBSD community really, because someone would find fault in *something* and draw it out, enhance it, to really no good point at all. Well, it seems that CyberKNet's post is a nice example of that. It's classic
You think his answers were belittling? Look at your questions, for crying out loud:
LizardKing's Q on a code auditing book--Answered on the OBSD newsgroup already. Search deja.
Making Ports Secure--Gee, let's ask a question to the person resonsible for OS security about ALL program security that might run on the OS. iow, if there was an interview with Linus, it would be like asking him why perl on some Linux distributions had a security hole because the developers were stupid enough to hard code
B1 and OpenBSD Q--Asked and answered when Trusted BSD came out. Search deja and misc.
Working with other BSD distributions--Communication is a two way road. Look, this is a silly question to ask, not because of the question, but because the answer is so readily apparant. The comments by the NetBSD and FreeBSD groups as well as users is plain to see on the newsgroups, on web pages, etc. It's all *very* public.
SMP and dual-processor support--Search the mailing lists. Asked and answered.
Version numbering--Already addressed when there were comments about the lack of a stable branch in OBSD.
$ issues--Lovely. As if that wasn't an insulting question.
The "I don't want to teach you" mentality is really the "No, I don't want to feed you with a spoon." No one, including the moderators, checked to see if these questions were asked and answered by simply grepping an email archive. No Linux user in the community is going to point out that, "Hey, last year or so, there was a posting on a Debian mailing list about developers getting sick of answering lame questins too."
As to the BSD and Linux community differences, well, they are different communities. I moved away from Linux because the communities just got bogged down *for my tastes*. My take is that the Linux community is *incredibly* ignorant of the BSD community, not vice versa.
filtering by FreeBSD/NetBSD (Score:3)
> a black-hole route to the OpenBSD
> project networks for roughly four years,
Those who do not familiar with Mr. Theo de Raadt's usual action about BSDs should know the following history about the mail filtering.
This issue is once raised by a OpenBSD developer in DaemonNews forum [daemonnews.org] which has neutral position between FreeBSD, NetBSD and OpenBSD, and its conclusion is that the forum should never have posted the topic [daemonnews.org]. I don't know why Mr. de Raadt mentioned this filtering again in slashdot. Perhaps He'd like to show that he is still ready to post mail bomb to FreeBSD/NetBSD mailing list?
Re:Theo: Version Number Specifics (Score:3)
Re:Theo and Microkernels (Score:2)
Secondly, pay attention to what Theo is saying: most security problems come from incorrect use of interfaces. In the microkernel world, you may indeed have fewer interfaces to the kernel, but understanding how to use those interfaces can be an extremely daunting tasks (just ask anyone who's hacked on Mach before). Furthermore, you still need interfaces to all the userland code that's running on top of the kernel (i.e., if you need to interface with the filesystem, it doesn't matter whether it's in the kernel or not, you can still get the interface wrong and thereby create a security problem). In HURD, for example, the interfaces and interdependancies between modules are MORE complex, particularly given that you have to allow for an infinite number of implementations of said interfaces.
Re:Working with microkernels (Score:2)
Econ 102... (Score:3)
The big "merit" in the "donation" thing is if this allows the organization to receive individual contributions from individuals that wouldn't otherwise be able to "deduct" the payment for tax purposes.
While, when you add this sort of thing up across thousands of churches, it adds up to real money, it's not going to be spectacularly worthwhile for a software project that might get $30K in donations and have to spend a chunk of that on organizational costs.
A reply to his reply to my questions. :) (Score:3)
However, some form of resource control is essential to preventing users authorised for one thing from doing something else.
ACL's are -one- way of doing this, the schemes described in B1 are another. You're again 100% right that they're not the same thing. However, they both attempt to deliniate exactly what a user is and is not able to do.
(As for foaming at the mouth, I'm going to go out on a limb here and guess you've met some pseudo-nerds who're drunk on a mix of power & Agent Orange, and who believe that if it's "Official", it's somehow "better" or mysteriously "all-encompasing". I'm not about to start a cult to the Mighty OB1. :)
Distributed Kernels are kernels which divide low-level tasks between sub-kernels, where each sub-kernel runs on a seperate processor or even a seperate machine.
Distributed Kernels are one way of doing hardware-independent parallel processing. You're not tied to SMP, you're not tied to a single motherboard, you're not even tied to a specific manufacturer.
From a security standpoint, it has two major impacts. On the one hand, breaking one component of the system does NOT necessarily compromise any other component. They run on seperate CPUs, after all. This means that you can have secure intrusion detection at the kernel level, with secure fail-over to a non-compromised system in the event of intrusion.
On the other, you're now ferrying very low-level data across a network of unknown security. The risk of someone compromising the system by compromising the network is obviously much higher than for a stand-alone kernel.
Last, but not least, to anyone who may be critical of him, Theo de Raadt is perhaps the most brilliant guy in the BSD world and I'd place him as one of the top 3 coders in the world.
As for his infamous "moods" - if he's bipolar, HFA or AS, then his moods (and his brilliance) are entirely explicable and nothing to condemn him for.
Re:No plans for SMP... (Score:2)
Exactly, Choice is good. The important fact is that all of these OSes are a mere hop, skip, and a jump from each other. All of them also have their technical advantages as well.
And yes, that includes Linux.
The beautty is that once compatibility is out of the picture you are free to choose your OS for purely technical reasons.
Re:No plans for SMP... (Score:5)
SMP is plenty interesting to the Linux crowd. They have spent a huge amount of time working on it. The fact that it isn't interesting to Theo and the folks working on OpenBSD simply highlights one of the benefits to the Open Source way of getting things done.
If you start your project on OpenBSD and decide that you need SMP to get the performance you need "porting" to Linux shouldn't be much harder than moving your source to a Linux box and typing "make." If, on the other hand, you develop on Linux and then decide that Linux's security isn't good enough for implementation, you can just as easily port to OpenBSD.
There is never going to be an Uber OS that is specialized for every task (although the generic Unix way of recompiling the kernel does come close). That's why standardized APIs are so important. That way you can change your OS midstream if it isn't giving you what you need. The Open Source community has done a pretty good job of matching up APIs.
Re:No upstream (Score:2)
OpenBSD is not "300MB of source" that Theo thought up. There's quite a bit--likely a majority--of stuff brought in from other coders *WHICH RETAIN IDENTICAL VERSION INFORMATION*.
Go query Perl. Or vi. Or httpd. They're all external packages, with their own internal version. If Theo wanted to reversion them to "Perl OBSD 2.8" and "Apache OBSD 2.8" and so on, that's fine. But that Perl ain't 5.6.0 unless it was built from the 5.6.0 tree.
--Dan
Re:No upstream (Score:2)
Now, why would I put the question to the number one distribution known for doing it right, when everybody else does it to?
To redefine that which is known as "doing it right", so we don't get any more Debian Secret Backported Bugfixes.
:-)
--Dan
Re:Theo: Version Number Specifics (Score:2)
Yes, I can definitely hunt down the changes, and Theo is well within his rights to change the source. Hell, I'm thrilled he's fixing problems.
But should I have to check a changelog to know there's a change?
That's the bottom line question. Should not a version reflect a snapshot of code? Should not I be able to trust a given codebase by its version alone, rather than have to audit the source by hand?
If a version *doesn't* refer to a snapshot of code...well, what does it refer to?
--Dan
Re:Security... (Score:2)
Because I wanted command completion. What, you think sh is the height of security? Among other things, *any* shell can be trojan'd to attack replace su, or even
You are correct, of course. Most things shouldn't be done as root. I could theoretically have checked versions without it. This is somewhat on the order of a spelling flame, but I'll take it in stride.
As for my qualifications, feel free to scan my BugTraq posts, and thank you for helping to prevent my ego from growing too large.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:No upstream (Score:2)
Still, I question if the version number should stay stable. Suppose, for a moment, that the rest of the world finally discovers major holes in 5.6.0. Should OpenBSD administrators have to root around the Changelogs to realize they're running a safe build? Wouldn't it be better for them to be running 5.6.0_OB2.7 and see that, heh, the Changelog shows that the new stuff protects them?
===
$ perl -v
This is perl, v5.6.0 built for sparc-openbsd
Copyright 1987-2000, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5.0 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'. If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.
$ perl -V
Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
Platform:
osname=openbsd, osvers=2.7, archname=sparc-openbsd
uname='openbsd'
config_args='-Dopenbsd_distribution=defined -dsE'
hint=recommended, useposix=true, d_sigaction=define
usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
useperlio=undef d_sfio=undef uselargefiles=define
use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef
Compiler:
cc='cc', optimize='-O2', gccversion=2.95.2 19991024 (release)
cppflags='-fno-strict-aliasing -I/usr/local/include'
ccflags ='-fno-strict-aliasing -I/usr/local/include'
stdchar='char', d_stdstdio=undef, usevfork=true
intsize=4, longsize=4, ptrsize=4, doublesize=8
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=8
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=8, usemymalloc=n, prototype=define
Linker and Libraries:
ld='ld', ldflags =''
libpth=/usr/lib
libs=-lm -lc
libc=/usr/lib/libc.a, so=so, useshrplib=true, libperl=libperl.so.6.0
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=define, ccdlflags=' '
cccdlflags='-DPIC -fPIC ', lddlflags='-Bshareable '
Characteristics of this binary (from libperl):
Compile-time options: USE_LARGE_FILES
Built under openbsd
Compiled at May 5 2000 12:35:29
@INC:
.
===
Re:No upstream (Score:2)
YES! It IS! It's too hard for me to read the source code to every app I run. I admit it. I want to trust Theo. I want to believe his prying eyes are protecting me from danger. I don't *want* to have to go diving into the code he writes or even the fixes he claims when a new vulnerability comes out. I want to know: Is this the exact same code that is vulnerable everywhere else? Then upgrade. Is this NOT the exact same code, and therefore I should check the Changelog?
I'm not asking alot. I'm merely asking the question: What do version numbers mean, if they *aren't* snapshots of code?
--Dan
Re:No upstream (Score:2)
--Dan
Re:No upstream (Score:2)
--Dan
Theo: Version Number Specifics (Score:5)
I don't think it's fair to say, as you did, that "ftpd is ftpd" or "tar is tar" for all of OpenBSD. Examples from version lines throughout OpenBSD:
spork# perl -v
This is perl, v5.6.0 built for sparc-openbsd
bash-2.04#
GNU troff version 1.15
bash-2.04# nawk -V
awk version 19990620
bash-2.04# gcc -v
Reading specs from
gcc version 2.95.2 19991024 (release)
bash-2.04#
Concurrent Versions System (CVS) 1.10.7 (client/server)
[vi
Version 1.79 (10/23/96) The CSRG, University of California, Berkeley.
bash-2.04#
tcpdump version 3.4.0
libpcap version 0.5
bash-2.04#
Server version: Apache/1.3.12 (Unix)
Server built: May 5 2000 14:44:59
Look. Some of these you modified. Maybe all of em. Maybe one of em(I *know* you touched Perl.) Lets take the example of tires, why don't we. If I've got Firestone Model X432LFR tires on my car, and I run down to the dealership asking why I'm driving a deathtrap, is he allowed to laugh at me because "Of course *we'd* never put the deadly X432LFR tires on your car, we'd only put the *good* X432LFR tires on! Stupid customer."
That's essentially what happened with Debian a while back, and it was infuriatingly unfair.
I'm not asking you to do more work, Theo--you've *done* the work. I'm asking you to admit it, mark it, brand it in such a way that we know you've been forced to do something to it to make it secure. And then all of us can bitch and moan to the author's of whatever package you've taken and say, "Heh, he changed your stuff, maybe there's something you should look at." Maybe we'll be ignored. But, in the end, *you* did the right thing.
Theo: You and your team rewrote much of an early build of SSH. Technically, you could have said, "Here's SSH1.2.1x, as part of the OpenBSD system." But then nobody would have known what you had pulled off, and people would have had trouble finding your specific improvements. I'm not saying you need to rename every package to show how much you've added. But to keep the original version numbers is to conflate your secure and solid version with whatever bugs you *know* lurk in other people's code. When Foobar 1.2 comes out with a remote root, and OpenBSD ships with Foobar 1.2, do you like--or enjoy--when system administrators frantically upgrade your *already fixed version* of Foobar 1.2 with the original author's possibly broken Foobar 1.3?
Because that's what your version numbers cause.
They're easy to fix, Theo. It's just a tag to let us know you fixed something. It's something for us to differentiate your code with. (Incidentally--what does little on my 2.7 Sparc build.) Consider this: As much as you say you've only dealt with the system, I *know* many of the packages from Ports have had patches that didn't modify version numbers--and I have *no* idea if anything's been modified in your packages section. I just don't know.
This is not a problem specific to you, but I think OpenBSD is in the right place to change what I consider to be a particularly pernicious industry practice. I believe in your systems approach, but a secure system cannot be built from insecure parts. If you've secured your parts--show this, and perhaps let us know where to look to find out how.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:Theo and Microkernels (Score:2)
What userland protection helps is stability ; less code that can deref a bad pointer, etc. What it can't help is the quality of the code. At the end of the day, an attempted attack will try to make the code make the wrong decision; i.e. allow something to happen that shouldn't have, or do something that is shouldn't have. That has nothing to do with whether or not it causes a segfault somewhere else.
Although some attacks could make monolithic kernel code do something to other code segments somewhere else, it really isn't all that likely or often used. Attacks tend to be against making code call the wrong routine, set a variable the wrong way, etc. That stuff can't be helped with microkernels.
Sorry, all microkernels are really good for are (1) loadable features (no recompiling), (2) crash protection. But, they do the traditional tradeoff of speed for it (multiple context switches for a single system call, etc.).
But, anyone else get the feeling that a good portion of the questions Theo did respond to were all asking the same thing: what common errors do you end up fixing? Not a horrible question to answer by far. Sure you could say 'bad code,' but a list of good examples of security-critical mistakes are far more helpful.
--
"But it works." (Score:3)
See also: the "HTML" on the supposed "geek web site" called Slashdot. (as well as, to be fair, the rest of the web.)
Hey, where's my question? (Score:3)
Mac OS X & BSD [slashdot.org]
I'm curious about how the BSD folks view the impending couple million new users they've got heading their way when MacOS X is released.
Please, no Mac-rants, they're trite & off-topic. I just wanna know about the question.
Re:Forks are Good! (Score:2)
No upstream (Score:4)
As a Linux user, one comment Mr de Raadt made surprised me:
In Linuxland, cat is GNU cat, tar is GNU tar, httpd comes from the Apache project, rpm comes from Red Hat, and so on. There is always an upstream maintainer for any particular package and no distributor (AFAIK) tries to maintain its 'own' releases of things. If a bug is found, the fix tries to swim upstream to the breeding ground, where it can add itself to the gene pool for future releases of all distributions. (Alas, I do not have a ten-man team auditing my comments for dodgy metaphors.)
I suppose it makes sense in a way to have your own codebase, especially if you are concentrating more on security than on adding new features. You have control over every line of code that goes in, and you don't mind missing out on new versions of stuff that is released. Also, if your original 'upstream source' is a group of people you split acrimoniously from, you might prefer not to rely on them. (Although I can't help feeling that if the OpenBSD and NetBSD people made more of an effort to commonize code in both directions, the feud wouldn't have lasted as long. This sort of thing going on between two Linux distros - eg Mandrake and RedHat - would be unthinkable.)
But not relying on an upstream maintainer for packages does not mean you can't contribute your fixes back. All the BSDs originate from a common code base, right? There must surely be at least 95% common code in the shell and shell utilities (which change relatively slowly), even if the kernels have diverged. So what effort do they make to avoid reinventing the wheel? And when OpenBSD fixes a set of bugs, do they report them to the maintainers of the original package?
Perhaps the problem would be that they couldn't agree on who should be the original source. Imagine if NetBSD claimed that they were now the 'official' maintainers of BSD make, for example. Would OpenBSD accept that? Perhaps some neutral 'BSD Foundation', with support from all three free BSDs, could take over maintenance of the common or fairly-common BSD code. Or somebody from Berkeley (Bill Joy perhaps?) could make a ceremonial proclamation.
About a secure ports tree (Score:2)
Re:This is ridiculous. (Score:2)
Perserverence is not always a sign of strength or skill. Once you learn how to add, you move on to multiplication.
I have a similar tendency to like DOS. I have spent a whole lot of time playing with it, and am not afraid to say that I know it well. DOS is very simple, but very stable, meaning that there is rarely anything new for it. I know that the latest version of Norton Utilities for DOS will be 8.0, and the latest version of NC will always be 5.0. I know how to fix things in it.
However, I also know that it is old and not good, which is why I don't use it anymore (except for the occasional 5-day contract at some company with a bunch of 386es). I am instead trying new things.
Single processor x86 Unix and C are nice and safe. SMP is new stuff, and you no longer feel warm and comfy there, sort of like getting out of bed on a winter morning. But you have to get out of bed... that's the way the whole thing works. :-)
--
Re:Working with microkernels (Score:2)
Microkernels are just a whole lot more work to implement... they don't have the resources or the interest.
I think OpenBSD just wants to produce a simple and secure BSD variant for uniprocessor micros... not be the Ultimate OS.
"Free your mind and your ass will follow"
Theo misses a point (Score:3)
system (firewall/router, et.al.) is not to use
the floppy, but, to make it simpler to configure
than "BOOTP/Diskless".
In a floppy-based system like that (firewall), the
floppy would be used to boot the host, that is all. The goal is to have *NO* disks, or any other
moving parts.
Re:No upstream (Score:2)
* http://www.se.openbsd.org/security.html
And maybe this page:
* http://www.se.openbsd.org/plus.html
For Debian I have:
* http://www.debian.org/security/
If I need to get the code difference I use diff either on the OpenBSD source tree of the debian source tree. But when there comesa security hole it's usally a note on what OS the hole works on. If a patchg exists the time to find out if one need to add the patch is usally very small. (Actually it's selldom upgrade to this new version that has this fix and all this new features...)
Re:GPL? (Score:2)
Re:BAH! (Score:2)
Question:
How do I became a good refeeree?
Answer:
I suppose the best tip is to go a loot of fights.
(Even thous one could wonder if this fits to boxing.)
/ Balp
Why you should be afraid of forking. (Score:3)
snip
Why are you guys so fork paranoid?
Looks to me like you've already answered your own question, Theo.
-
Before flaming Theo ... (Score:5)
And what's wrong with that?
OK, he's no "Dear Abby", but neither is RMS. I know many here aren't big RMS fans, but are you insecure enough about your own little world that when someone says, "Quit bothering me with stupid details, just write the code" you start flipping out? I attended Supercomputing '99 and went to a talk by Thomas Sterling, one of the original Beowulf pioneers at NASA. A good chunk of his talk was spent complaining about "Linux cruftiness" and "why are you people here when you could be writing code"? I admit I was somewhat pissed coming out of it, but it did have the effect of motivating me to start programming again. I think sometimes we just need a swift kick in the arse from someone (hi Greg!) to get motivated.
Bottom line: ignore the stupid "Are you mad?" comments from someone whose ego is a bit too big to take the time to be polite, and focus on the "learn your APIs, understand your APIs, and stop writing shitty code." Learn the message, ignore the messenger.
-jdm
(I'm ready for my big Mod-down, Mr. Director :)).
Missing the point on floppy-based routers? (Score:5)
Flash RAM would be perferred, but flash disks are hardly ubiquitous and free-for-the-taking x86 systems that work great as routers don't generally have flash-based disks installed. A floppy drive is almost a given in any system.
The hardware advantage of a system without a hard disk is the reduction of heat generation, meaning they're easier to put in heat-hostile environments like telephone closets. System upgrades are a snap, since you just move the disk to another platform.
As far as security goes, other than floppy disks general lack of reliability, what's the problem with them? They're physically write-protecable, which many IDE disks aren't. Sure it's easier to swap a floppy out than a HD, but if your machine doesn't have physical security to begin with you've failed the first checklist item for security.
BAH! (Score:3)
Any advise for code auditers?
Theo:
I suppose the biggest tip would be to become a better programmer.
Bah Humbug! Thats equivalent to
Question:
How do I become a better sprinter??
Theo:
I suppose the biggest tip would be to just to run faster
Re:This is ridiculous. (Score:3)
Maybe being able to use a system as a firewall/gateway that makes me sleep at night because i feel confident that it will not get h4X0red.
I really don't give a fsck if it doens't have SMP support. What's the REAL percentage of online SMP boxes anyway? I'll admit the it is really nice (and usefull) but i'm sure there's a majority of sites that simply don't need it (yet).
---------------------------
"What is the most effective Windows NT remote management tool?
Re:This is ridiculous. (Score:4)
Uh, right. So go ahead and write an entire operating system in a new language then. Don't forget to design the language first though! Remember the C-bashing thread on Bugtraq over the summer? Whatever its limitations, we are stuck with C
2. The proper approach seems to be a very limited operating system, perhaps in C, with a virtual machine over that which is proven secure, thereby giving at least strong security to every application then running ontop of that VM.
Nice theory, much like many of the other 'ground-up' papers I've read. And meanwhile, while you sit posting and postulating on the great designs that will rule the operating systems world, I'll just use OpenBSD, and be happy with the stability and reliability of the system. Perhaps I'll look you up in ten years when you've finished this idea?
What is the point? Why bother if you aren't even going to put in SMP?
I really, really don't care whether or not OpenBSD has SMP. If I need a faster box, I'll just upgrade to a faster processor. The majority of server systems these days are either I/O or connectivity bound these days.
This is ridiculous. (Score:4)
Here's the main point, before we even get started: This project should be scrapped, there are easier and better ways to do what is being done here.
Now the reasons.
1. The fact that you need to go back and hand audit libc calls for "subtle" errors means that the wrong language is being used for the majority of these tasks.
For these types of ultra secure tasks, there should be extremely limited cases, and ideally no class of errors that would be "subtle" when it comes to standard library calls. I would suggest that C is not a good language to write a secure operating system in, because it very obviously requires too much manual labour to weed through the subtleties of it's operation.
2. The proper approach seems to be a very limited operating system, perhaps in C, with a virtual machine over that which is proven secure, thereby giving at least strong security to every application then running ontop of that VM.
Yes you'll need to audit that first limited OS and kernel, and yes it'll probably be in C, but let's limit the scope of that code severely. Plan to take a huge performance hit on running everything on that VM but make sure that it's totally secure, do whatever it takes to make sure that everything running on it is protected from itself and other programs. This is the only possible way to make an extensible operating system that is in any way secure, otherwise any software that is later added to the system will either need to be painstakingly audited or not installed. Performance should be a minor concern at this point as VMs can later be optimized, and security should be of prime importance.
3. After they finish all this auditing, we're left with a non-SMP capable OS with limited software of a similarily secure nature to use it with.
What is the point? Why bother if you aren't even going to put in SMP?
4. Theo is obviously so closed minded that no efficiency ideas are ever going to occur to him.
Witness his response to the question about distributed kernels - (in summary) "I have no idea what they are, but they're not useful to me." Great.
It is my opinion that people of this caliber of programming should be spending their time at doing more useful, or perhaps better thought out work.
Moderate at will.
Re:Forks are Good! (Score:4)
In Linux land, it appears that projects fork for financial reasons. In BSD land, it appears that the forks that have happened were purely political reasons. I don't know what will happen. It's been 5 years since the last fork in the BSD camp. Why are you guys so fork paranoid?
I suspect that the question was rhetorical, but it deserves an answer. I'm putting it here, with the other fork comment, even though it wasn't written as a follow-up to that comment.
Simply put, it's (too) often used as an object lesson in Linux land. Whenever an argument gets too heated, someone jumps in with "if we keep acting like this, we'll end up like the BSDs." Meaning, I suppose, "fighting over a very tiny percentage of mindshare instead of working together to take over the world."
I suspect that Linux is headed toward a fork. Linus and Alan Cox have been leaving things out of the kernel (like a debugger) that a lot of people want. As there's no charter or formal organizational structure, I think that a coup of some sort is inevitable. When it happens, the interest in the Net/Open split will rise to a crescendo.
I have friends who are OpenBSD advocates, and others who are NetBSD advocates. To hear each side talk, the other side writes crappy code between bouts of trying to ruin BSD for everybody. It's depressing, particularly when I think about what could happen if their talents could be combined. Or, if they would just shut up, stop sniping at each other, and code.
I'd love to see some sort of cross-bsd advocacy organization to help users take that middle step. Help with porting of cool shit between the BSDs. Make generic cross-BSD documentation. Help people decide which OS and user/developer community is right for them. etc.
Unfortunately, that requires a friendlier attitude than I often see between the BSDs. Charges of "code theft" particularly frustrate me. That's the whole damned point of open source: Seeing the good stuff, learning from it, and using it.
--
Re:distributed kernel ... (Score:3)
Re:Missing the point on floppy-based routers? (Score:3)
It seems very difficult to obtain the same characteristics from a harddisk (or flash ram); I don't know how to physically prevent writing on a standard IDE hd. And if you use the hd just to load the FW into ram, and "hot-swap" it out, then it won't come back up, after powerfailure (even UPS's have their limits).
Floppy disk reliability is not much of an issue, i think, since the floppy isn't used to as a long term storage medium. Remember your friend dd:
"$ dd if=/dev/fd0H1440 of=floppy-image
2880+0 records in
2880+0 records out
$ dd if=floppy-image of=/dev/fd0H1440
2880+0 records in
2880+0 records out
$ The first dd makes an exact image of the floppy to the file floppy-image, the second one writes the image to the floppy." (SAG v. 0.6.2)
(And of course, one can always mount the dd-image; "mount -t ext2 -o loop")
So you develop, maintain and store, the actual FW information on another box, then write the image to a floppy (and making a backup fd image on the development box). All the floppy has to do, is to survive the initial boot. It may have to survive reboots, caused by powerfailure, but even if it does not (harddisks may fail too), a disaster recovery plan is part of the floppy disk based FW scheme; just write a new image, and boot. How many hd-based FW's has a spare harddisk, with a synced and updated system on it?
If you just have a slight suspecion, that the FW is compromized, then a reboot will flush out any trojans and root kits. The firewall may still contain som sort of security hole, but rebooting may give you time to discover what the hole was, and deploy a new FW.
Floppy based firewall is a very cool thing. It doesn't fit everybodies need, but it may be a viable solution to a great many.
Cdroms may offer similar advantages, but they may be slightly more difficult and expensive to develop and maintain.
In short; Firewalls on write protected media, seems to be a very good idea.
Design vs. Implementation (Score:3)
He then goes on to say that he really doesn't care about kernel design, so long as the kernel design works.
These two issues are completely different.
Lets face it - he's an implementation junkie. Which I would guess was not, and still is not, popular with the NetBSD crowd, as he probably had to step on a few toes...
'You're not using strcat correctly. You've introduced 6 exploitable bugs into the kernel'
'What do you mean I'm not using strcat correctly?? I've been coding since I was twelve years old!'
Cyano
Re:Missing the point on floppy-based routers? (Score:3)
md5sum the whole floppy[*]. On booting, if the floppy image does not have the same checksum, abort. Then it's possible that the router might not boot one day, but it's impossible for the disk to corrupt without you noticing.
[*]ok, md5sum all of the floppy apart from a file containing the md5sums.
Do it right! (Score:5)
Hear, hear! Two of my pet peeves right there:
(1) Why is it that the same bugs keep reappearing? Why is it that we assume bugs only occur in one place? Why is it that we hear, "I fixed the bug," as if a programmer can only screw up in one place?
(2) Every other piece of engineering goes through major scrutiny. Teams are brought in from the outside to look over blueprints. For open source software, we assume that just because anybody can look at the code, that everybody is. Even in OSS, we need to go to outside, objective reviewers and say, "Here's some money, and here's our code [or maybe, here's the URL for our code :-) ]. Please review it and tell us where we screwed up."
Mr. de Raadt knows his stuff; the coders do this themselves, and they take it seriously.
Re:But he doesnt follow his own advice (Score:3)
You wrote
In his first reponse, Theo wrote They don't care about good software, only about "good enough" software. Which I would paraphrase as software that doesn't make security a design goal.
In his other response, Theo wrote As well, I don't think it makes any difference, as long as a system does what it is supposed to do. Which I would paraphrase as software should achieve it's design goals, like security, no matter how it's implemented.
There is no contradiction in those two statements.
Ego based contradictions (Score:3)
As well, I don't think it makes any difference, as long as a system does what it is supposed to do.
This is a fairly asinine thing to say, especially since the second post had a very good point (Micro vs Monolithic kernels). My opinion of Theo is fairly low after this. Instead of responding with a mea culpa (yes a micro kernal is better, of course it's better to keep privledged code to a minimum, but it's also difficult to totally re-engineer a kernel especially when it works) we get mindless thrashing about micro kernals..
(an operating system based on 70's technology dissing ideas from the 80's as obsolete? Kind of ironic..)
But he doesnt follow his own advice (Score:3)
In the answer to the first question Theo goes into detail about why software should be good, not just "good enough". However in answer to the 5th question "Kernel Design" he contradicts his own previous argument by saying "I dont think it makes any difference, as long as the system does what it is supposed to"
Theo, throughout your responses, you have personally insulted the intelligence of the people who ask you questions. You have insulted the intelligence of the people who either use, pan to try, or know more than most of the dawdling masses about your distrobution. What I dont understand is why. If you could answer that, I would appreciate it. And if you could answer it without the typical belittling that is ever present throughout the answers to the questions asked before, I would appreciate it even more.
Sincerely,
CyberKnet
---
Working with microkernels (Score:5)
Forks are Good! (Score:5)
I think he is totally correct with this point. The point of a codefork is that you end up with two variants, only one of which, in the long term, will survive (usually). It leads to a sort of Darwinian survival of the fittest, and improves the overall code base in the long term as well as giving people options - they can mould their distro to their needs. I have often wondered why the Linux people are so scared of code forks also - could it be because they look back at the Unix wars of the eighties and shudder? This would suggest that the BSD'ers have not inherited the UNIX philosophy to the same degree as the Linux community - that may give them more freedom.
I am not suggesting that forks be encouraged, though, rather that people stop whining when they occur, and recognise them as an opportunity.
Perhaps forks will not be a good thing for Linux in ten years or so, but given that it is presently a sort of 'primordial ooze', and very creative, I do not think it is bad thing for the moment.
KTB:Lover, Poet, Artiste, Aesthete, Programmer.
Where the money goes (Score:3)
I find the ideas that I get from beer are generally along the lines of "I think I'll have another beer". TdR is obviously made of sterner stuff than I. Or it could just be that Canada has the 2nd worst beer in the world (after the US).
Re:Mr.Sparkler (Score:3)