Ask Theo de Raadt about OpenBSD

OpenBSD 2.8 was released today, so this seemed like a good time to ask project leader Theo de Raadt about OpenBSD -- or anything else. He's a rather colorful person; a pizza eater, kernel hacker, and devout rock climber, so even though this is a big day for OpenBSD you might want to discuss a few other things with Theo, too. We'll choose about 10 of the highest-moderated questions and e-mail them to him shortly after noon (US EST) tomorrow. His answers will appear next week.

Kernel design

I have only been using OpenBSD for a short while now, so forgive me if this question is based upon some incorrect assumtions.

OpenBSD's kernel design seems to be of the monolithic species. OpenVMS (no relation) and NT are two prominent operating systems that use a microkernel archetecture. The microkernel design seems to me to be fundamentally more secure, since there is less priveledged code. Further, if one of the servers is compromised, the damage is minimezed.

My question is this: Is the OpenBSD design fundamentally secure, or is it only a very well done implementation of a basically flawed design?

Where Did You Learn Your Code Audit Discipline?

Did the drive to audit code come from the need or the design of BSD? Or was it initially a whim? More imporantly, where did you learn it from? Is their some "mentor" you looked too for ridge design? I have to admire your team's daunting code reviewing...I wonder if I'll ever have that kind of meticulous coding nature.

Gifts May Not Be Taxable :-)

On the one hand, if Theo brought in $300K, "10,000 @$30" and didn't have any expenses, that would be pretty impressive funding.

More realistically, the amounts get diminished in two obvious ways:

• Theo needs to pay, up front, for the CD "burns." I'd expect that to be around $5/unit, which just ate $50K right there. :-(
• Many of the CDs are not sold directly, but are rather resold. In which case it's likely something more like $15 that comes in to Theo.
• Unsold inventory, anyone?

  What doesn't get sold transforms magically into "pieces of chad" that aren't being fought over by Floridan electoral officials, but which rather cost that $5, and result in zero input of cash.

I'd be surprised if Theo's seeing as much as $100K of "positive" cash flow, all in all. If he's seeing more than that, bully for him; it's not as if he hasn't put in a lot of work that resulted in that.

As for your suggestion that it would be slick to have a "charity" to handle the money, while part of me agrees, there's definitely room for duality here.

What I would like to see is for people to take the action of Just Plain Giving Out Gifts to developers that they want to give money to. No "charitable contribution;" no "tax deduction."

One might think that this is a losing proposition, as there's "no deduction." To the contrary, if there's that deduction, on your side, then the money must be treated as a taxable income on the part of those that receive it as income.

It's worse than that; employment income involves deductions, which means that lots of the money gets eaten up by taxation.

In contrast, if you give someone $50 a gift of your after-tax income, it may not be deductible in your hands, but should correspondingly not be taxable in their hands. If someone received $40K in nontaxable gifts, that might well be as good as receiving $60K in taxable income...

Food for thought...

Pizza!

Theo, would you prefer anchovies or black olives on your pizza?

----------------------------

Still hindering?

Hi Theo,

Do you think your once overzealous (now calmed) ego is still hurting OpenBSD? Or has time calmed the fires?

In the early days the open fighting between the NetBSD (we won't take changes until hell freezes over) and the OpenBSD (we are the best, you suck) camps was pretty unattractive, to say the least.

Mac OS X & BSD

What's your take on Apple putting a BSD-layer in their forthcoming Mac OS X? What effect do you see this having on the BSD community & your own distribution in particular?

My question for Theo...

I've read both the FreeBSD and OpenBSD looking for facts to support what is the best choice and only found OpenBSD claims for good security. From talking to people who use the BSD's more than I do I've heard FreeBSD is faster than OpenBSD on average. I've heard that FreeBSD is faster for running user applications and OpenBSD has faster networking code. Is this true and does the 2.8 release change any this?

Firewall/NAT box

Linux has FreeSco [freesco.com], a product that fits on a 3.5 inch floppy disk and acts as a router and NAT (Network Address Translation). I always thought something like this would be ideal for OpenBSD. After all, I would rather trust OpenBSD than Linux for this.

Are there any plans to produce something like this? Something with a very simple user interface that is quick and easy to get set up? I'd love to play with OpenBSD and do it by hand but I simply do not have the time.

Re:Kernel design

The microkernel design seems to me to be fundamentally more secure.

Currently, very few vulnerabilities of mainstream (monolithic kernel) systems involve compromise of the kernel proper. I can't think of any off hand. Some involve DOS'ing the kernel (ping of death). Some involve tricking the kernel into sending bad data to someone else (eg, modprobe). I've heard of potential buffer overruns being fixed in Linux, but I've never heard of any being exploited. Perhaps it's because there are too many bugs to exploit above the kernel, or because it's too hard to develop and tests the exploits, or because kernel developers are just a careful breed; but making the kernel harder to take over doesn't seem to buy you much in practice.

Even if you are worried about such attacks, it's not at all clear that a microkernel wins. A great benefit of a monolithic kernel is that the entire development project is more unified. Developers are more likely to be familiar with the whole codebase, aware of interrelationships and finding bugs throughout. This is why Linus insists on keeping megs of random drivers in the kernel distribution. If the parts of a microkernel are developed in more isolation, there are fewer eyes on the whole thing, and more chance of miscommunication. For example, the Linux/modprobe bug mentioned above could just as well have happened between two services in a microkernel-based system.

Packages?

With the effort underway by www.openpackages.com, and with the correlating efforts on the linux side by Connectiva to making a apt-rpm bridge, do you think it would be a good thing, from a security, and OS level point of view, to have a single type of package.

Does your team support the efforts towards a unified package structure?

Further down the road, if one package structure does develop for *BSD, would you also support an effort towards a common package from *BSD to linux?

Thanks for a great OS..

Code-auditing

Any advise for code auditers? Can you share any tips or techniques you have found useful in uncovering bugs? What do you first look for in a fresh piece of code? What about a mature piece of code?

Serious kernel related...

Boxers or briefs ?

Elaborate.

Linux publicity

How do you feel about the amount of publicity Linux has got in the press in the last couple of years, as opposed to the relatively low profile of the *BSDs?

Dual Processor Support

Although there has been some indication that people are interested in running OpenBSD on machines with dual or quad processors, it appears that there are not enough resources and volunteers available to make this a reality. Although I use OpenBSD for my web server, I am by no means an expert, at this, but I'm curious nonetheless.

From what I've heard, multiprocessing support is going to be a very tricky thing to implement, because it gives rise to so many possible exploits, particularly with regards to race conditions. I also understand that it would take a remarkable amount of effort and time to rewrite much of the code base for SMP without compromising the OS's integrity.

With that in mind, what kind of resources would you need before you could seriously consider attempting dual or quad processor support? And, if you were given unlimited access to those resources, how long would it take before a -stable release would be ready? I would really like to see this feature get implemented, although I know that at this point your developer team is busy enough as it is.

Full Disclosure And Version Numbering

Theo--

First of all, I want to thank you for the hard work you've done building OpenBSD. It truly is a wonderful package.

Much of the security in OpenBSD lies under the hood in the work you've done cleansing the source of unsafe library calls. While this work is appreciated, I've become more and more concerned lately about the fact that these changes are not necessarily documented and certainly not reflected in the version number of an application or utility.

Version numbers reflect a snapshot in the life of a codebase. They're used to reference unsafe editions or particularly stable builds. Major number reflect code branches, but minor numbers reflect specific states of the code--such is the expectation of a user or an administrator when a version number is detected. Without granularity of versioning, I have no reason to trust or distrust a given application by its number; I must personally audit its source--and end up giving it a number of my own.

You and your team are code auditing masters. Rather than pollute the namespace by making indistinguishable your securely built modified code and the original(and, by extension, your secure code and numerous unnamed distributions' "just get it to compile" modifications), wouldn't it be appropriate for OpenBSD to apply a name extension to any package which it has modified, and in the interests of full disclosure, to provide a reasonable CHANGELOG of the fixes contained therein?

Yours Truly,

Dan Kaminsky, CISSP
DoxPara Research
http://www.doxpara.com

Where doe the money go?

I've seen reports of estimated CD sales per release at being as high as 10000. Add in t-shirt/poster sales and donations and a relatively considerable sum of money is flowing around OpenBSD. Combine this with the fact that checks are to be written to Mr. de Raadt and I get curious as to how the finances are handled. Not that I'm suggesting any misappropriation is occurring, I would just like to know who is in charge of the money and whether or not the OpenBSD project is registered as a non-profit organization (and if it is then checks should be made out to - and the CD image should be copyrighted to - that organization). Also, I would like to see a small financial report put out (as would be required if it were a non-profit organization in Alberta) so that users can see where their money is going. Plus, I would also like know exactly how many CDs are sold per release.

I greatly appreciate the work that the OpenBSD project developers have put in, and I plan on continuing to use, purchase, and donate to OpenBSD (and maybe even contribute when I get the technical skills) regardless of the answer to this question: Where exactly does the money go?

Your take on TrustedBSD

OpenBSD is widely recognized, both inside and outside of the hacker community, as being an incredibly secure, stable, and robust operating system. Yet when the TrustedBSD project was recently founded to create a *BSD that would eventually be certified for use in the most sensitive areas of the US Government, FreeBSD was used as a starting point. Why do you believe this decision was made? What argument would you make for (or against) the use of OpenBSD in such a case?

Time warp

Thanks for your work, Theo. I use OBSD every day as a workstation and as a firewall, and the Cop-chasing-script-kiddie t-shirt is the best.

If you could time warp back to the beginning of OpenBSD's development (ignoring the scism that brought you to that point), what would you do differently? Would you have chosen a more commercial focus? Pushed SMP development earlier? Run around in circles waving your hands in the air?

On another note, what's your feeling about commercial use of OpenBSD? i.e., do you support it, tolerate it, or what? (better example, I make a set-top box running OpenBSD, and I need the OS to do "X". If I called you and said, "Theo, I need OpenBSD to support 'X'", would I be told to piss up a rope, write it myself, or would the OpenBSD team do it for a price?)

Theo

What do you think about Bruce Schneier [counterpane.com] saying "Security is a process, not a product." Is OpenBSD a secure product?

Re:A book on code auditing?

I hate replying to what is probably a flamebait, but...

Writing Solid Code : Microsoft's Techniques for Developing Bug-Free C Programs by Steve Maguire is a good book on the subject. Ignoring the obvious anti-MS mindset of the original poster, this book has good techniques for any platform.

One of the books I rate higher then this is Steve McConnell's "Code Complete," which is also from MS Press. Maybe MS doesn't read their own books - but a lot of the are great.

Other *NIXes

Theo, what are your general thoughts on the other UNIX variants out there? Is Solaris too slow? Is IRIX waaay insecure?

Also, which UNIXes do you enjoy working with (other than OpenBSD)?

OpenBSD's niche in the computing world

What is your intention for OpenBSD in the computing world? Most knowledgable people wouldn't doubt it is a great operating system and that it fits very well providing network services (I for one use it as a firewall, NAT router), but it's clunky interface (and higher learning curve) is keeping from being a top notch workstation (a la FreeBSD, Linux). Do you have any plans to increase OpenBSD's usability as a workstation type operating system? --Shamino

Trust

What are your thoughts on Brian Kernighan's paper [umsl.edu] "Reflections on Trusting Trust"? It almost makes a code audit seem hopeless, because not only does one have to audit all of the code one compiles to trust it, but also all of the code that generated that code (ie previous versions of your c compiler).

Would it be possible to, say, make a very small, very simple (read: no optimizations) cc compiler written in assembly for each architecture, and compile gcc (or whatever our system compiler is) with this trivial compiler first? It seems to me that this would eliminate the problem of having to know whether the entire history of whatever code we were running was trojan-free or not. If this is in fact possible, is it something that you would be interested in having in OpenBSD? In any event, keep up the good work!

Easy to use based OS?

As someone who has used (and still uses) OpenBSD from time to time I have been extremely impressed with the security and the fact that it installs a "minimal" system that you can later build up.

However, as a person that deals with new entries into the use of open-source/free software on a regular basis, I have often wondered about the possibility of an easy to use/install version of OpenBSD. I realize in the past that the OpenBSD team has sort of shrugged off the ease of use idea as un-important when compared to the security issues, and that is all well and good for the primary drive of OpenBSD. However, as a person that would like to see people become more security concious (or at least aware of security as an issue), and a person that would love to see common desktop systems become far more secure, I have often wondered about developing a solid desktop system on top of OpenBSD.

My question is not whether or not you and the OpenBSD team would themselves do this. I believe you have addressed this in the past (with a resounding "not now"). But, I would be interested in whether you would support an effort to do this sort of project or not. If a group were established with the sole purpose of developing a desktop distribution based on OpenBSD (and auditing every line of the desktop applications as well as your current teams does the base system), would you look at that as a positive for OpenBSD, or a negative? Would you be willing to commicate with the individuals that would be attempting this, and occassionally help them out with coding issues if they asked? Or would you at least voice support for an effort such as this? Or would you flat out seperate "real" OpenBSD from any attempt to make it more "user friendly"?

I would be very interested in your response.

OpenBSD ISO Policies

Given the proliferation of cheap (ala CheapBytes [cheapbytes.com]) and free (from zedz [zedz.net], for example) ISO images of OpenBSD CDs, and the far more "available" nature of your *BSD and Linux competition, do you believe that your copyright (and through it, the official OpenBSD policies you've created) on the layout of the OpenBSD CD still warranted? Why?

Systems Programming

Hi Theo,

First, thanks for your work. I use OpenBSD every day for both workstations and servers. It's hard to beat.

My question is: How did you get started with OS programming? I guess reading books(Such as The design and implementation of 4.4BSD by McKusick & Bostic) together with source is one way to start. But which path did you take and how would you recommend getting into the details, given a solid knowledge of C, application development etc is present?

Good luck in the future!

A book on code auditing?

Would you and/or other members of the OpenBSD coders consider writing a book on secure, bug-free coding and auditing? Most programming books feature sample code that is written for pedagogical purposes. Quite often this runs contrary to how secure code should be written, leaving a gap in many a programmers knowledge. A book on audinting and how to avoid security pitfalls when coding would also make your life easier - less code to audit for OpenBSD, and more time top concentrate on nifty new features!!!


Chris

Making the rest secure

OpenBSD has a well deserved reputation for security "out of the box" and for the fact the inbuilt tools are as secure as they're ever likely to be. However, the Ports system is, perhaps, an example of where the secure approach currently has limitations - an installation of OpenBSD running popular third-party systems like INN can only be so secure because the auditing of INN, and other such software, is outside the scope of the BSD audit.

My question is, has the OpenBSD team ever proposed looking into how to create a 'secured ports' tree, or some other similar system, that would ensure that many of the applications people specifically want secure platforms like OpenBSD to run could be as trusted as the platforms themselves?
--

Rock Climbing

Theo,
I also am an avid rock climber and I was wondering what level you climb at and what you feelis your biggest climbing accomplishment. Do you do big wall or any mountaineering, or do you just do sport climbing and bouldering?
--neutrino

What sets Open BSD apart?

Assuming you are speaking with someone who somewhat unfamiliar with OpenBSD, what would you say sets it apart from other operating systems? Why would it be preferable to *nixes or NT or whatever else someone could think of?

Unifying the base?

This probably has been commented a lot, and there are more issues than just pure technical ones for this not having happenned before. But, is there any thought on your part, of possibly more code sharing between the bsd's.

Maybe even creating an "architecture council" in which the core of each project would have a say on features that should/can/may be implemented on both kernel and userland?

This would not have to be a "you must do this" kinda thing, but rather and amicable forum to discuss new ideas and share implementations?

So what's your thought on this? do-able, possibility, of have i been smoking too much crack?

;)

Re:Time warp

On another note, what's your feeling about commercial use of OpenBSD?

The OpenBSD team is happy to have the commercial use of OpenBSD...a quote from their web page:"OpenBSD encourages companies and independent developers to create products for use with OpenBSD, or based on OpenBSD itself. "[1]

They may or may not implement "X" for you though. I would imagine that if what you want is of general interest to everyone, they would probably do it for free, if not you could contact some of the developers on this page [openbsd.org], and they would probably be happy to help you out..for a price.

[1] taken from http://openbsd.org/products.html [openbsd.org]

OpenBSD, security, et al.

With the release of SGI's B1 code, and the attempts by many U*ixen to secure their contents via capabilities, ACL's, etc, ad nausium, how is OpenBSD approaching the issue of resource control?

On a side note, is OpenBSD likely to ever head in the direction of being a distributed kernel? And, if so, how would security and resource management be maintained? (It's hard enough on a central kernel system.)

Forks and cooperation

A lot of people know that OpenBSD forked from NetBSD, and there's still some animosity between the two groups. Personally, I think that the competition has helped both groups (NetBSD now ships with far fewer open services, for example).

Egos are delicate things, but do you see any chance for greater cooperation in the future, or do you see more forking and division as inevitable?

--

Security Improvements...

What do you think will be major Security improvements/features(kernel/base system) that are going to be added to OpenBSD?
Where is there still room for a lot of improvement? Also what are the goals of the OpenBSD project besides default Security?