Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
BSD Operating Systems

OpenBSD 3.2 Readies For Release, pf Matures 304

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contendor in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."
This discussion has been archived. No new comments can be posted.

OpenBSD 3.2 Readies For Release, pf Matures

Comments Filter:
  • Poppycock! (Score:3, Funny)

    by Mr_Icon ( 124425 ) on Tuesday October 29, 2002 @11:09PM (#4561598) Homepage

    Codswallop, January 11th is a Saturday!

    • Re:Poppycock! (Score:2, Interesting)

      by Skyfire ( 43587 )
      (Yes I know this is offtopic) Speaking of which, does anyone know why the US uses MM/DD and everywhere else uses DD/MM? And please don't use the typical "Because USians give a rats ass about the rest of the world" (even though its true)
  • by Fnkmaster ( 89084 ) on Tuesday October 29, 2002 @11:11PM (#4561612)
    Dear Slashdotters,

    I decided to save you the effort of replying to this article by summarizing all of the posts you are about to make.

    1) BSD is dead poster: BSD is dead! Only 13 people use OpenBSD and they all live in their parent's basements!
    2) Dumb Karma Whore: Packet filtering? What's that? Can somebody explain why pf is a better packet filter than the alternatives?
    3) De Raadt Hater: Theo sucks! Burn in hell, Theo, you self-righteous prick. FreeBSD 0wnz!
  • pf ported to Debian? (Score:2, Interesting)

    by Centinel ( 594459 )
    Does anyone know if anyone has ported the OpenBSD pf over to Debian?
    • Well, I don't see it in the userspace program list in aptitude anywhere, not that I expected it, since in the interview with the pf creator he says that it is hooked in to the OpenBSD kernel directly. Your best hope of getting it with Debian soon was the project to port Debian to OpenBSD, but since that was just abandoned you'll have to wait a while or do the work yourself.
      • There were plans to create a Debian GNU/FreeBSD operating system. (Maybe not just FBSD, without the GNU/. (They would probably use the FBSD C library, but most things would be the existing Debian packages. I guess there would be some new packages with FreeBSD software.)) I can't remember what I saw most recently about the Debian on FreeBSD project, but I don't think it's totally abandoned.

        Anyway, pf is specific to OpenBSD's kernel, and I don't think it is likely to be ported to other kernels.
        • Other way around. The whole point of any GNU/*anything* port, Debian or not, is to get the entire GNU toolchain running on said kernel.

          The debian part would obviously be porting as much stuff as possible to run on said GNU/*anything*.

          So GNU/OpenBSD would run pf but not iptables. See?

          This is the one point where the GNU/*OS* thing makes sense. Though I think GNU Debian *OS*/*arch* would be better, as in GNU Debian Linux/i386 or GNU Debian OpenBSD/i386.
          • yeah, that's what I was trying to say, but got sidetracked half way through :(. Of course they would use pf where Debian on linux uses iptables. However, the C library, as an interface between the kernel and user space, takes a lot of work to get working on a different kernel, or a different architecture. However, some GNU software is designed to run on a GNU system, and uses things like getline() instead of fgets(). (read the GNU libc info page if you don't know about this.) Most major pieces of software are portable to non-GNU systems, so they could get by without the GNU C extensions.
      • by neroz ( 449747 )
        What a shame. Lets hope the {Net|Free}BSD ports dont follow suit - they are a lot futher along.
        Heres the post from the Debian GNU/OpenBSD porter:
        ---
        Subject: status debian/openbsd
        From: Andreas Schuldei
        Date: Tue, October 22, 2002 4:50 pm
        To: debian-bsd

        There are several indications that openbsd's security is more or
        less up to the level what can be achived with todays debian
        gnu/linux.

        The kernel code seems to have severe race conditions and the
        userspace seems to be bitten by a compareable number of security
        incidents as e.g. a stabel debian with a correspondig software
        base.

        Since my reason for this port is primary to provide a more secure
        environment for debian users with the same feel, right now this
        port seems not to be worthwhile.

        OpenBSD seems to make efforts to change to elf binary format some
        time in the future. When this happend and the audit efforts show
        further results i will reevaluate the situation.

        Everyone who wants to carry on with this port is welcome to take
        over.
        ---
  • oh GREAT (Score:4, Funny)

    by Anonymous Coward on Tuesday October 29, 2002 @11:20PM (#4561663)

    I had never before done any kernel programming, but I knew C

    Great... I'm going to recommend to my boss that we replace all our FreeBSD and Linux servers with OpenBSD! With that kind of kernel programming experience on the team, you know it's gonna be SOLID! Check it.. he didn't say he "heard of" C, or "dabbled in" C, or even "thought there was a language called" C, he KNEW C! Inside and out!

    And hey, did you read the interview, the man owns TWO, count 'em, TWO cats! Between the three of them, they should hammer out some sweet packetfilter code.

    (hey it's a joke. but I'm still not giving up FreeBSD)

  • by congiman ( 39253 ) on Tuesday October 29, 2002 @11:26PM (#4561693)
    Its already out there in the source tree... and has been for a while (beginning of october).

    You can grab the main .tgzs from:
    ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i 386

    I'm pretty sure you can do this install by getting the floppys (.fs) files and selecting FTP install.

    If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)

    set your cvsroot:
    setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
    cd /usr
    cvs -q get -rOPENBSD_3_2 -P src

    You can then follow along here:

    http://www.openbsd.org/faq/upgrade-minifaq.html

    Make sure you do all the steps,
    Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..

    (note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.)

    -- C

    • this information is bad, as the 3.2 snapshots are now further ahead in development than the 3.2 release code. there is no supported method for backtracking from -current to -release.

      for the impatient, the best method is to check out the 3.2 sources from cvs (as described) and build from source
      • by congiman ( 39253 ) on Tuesday October 29, 2002 @11:46PM (#4561798)
        The snapshots on ftp.usa.openbsd.org are still 10/3/2002.....

        But, I'll also grant you that that seems weird in that it usually changes more often.

        If all else fails, wait 3 days and you can find it at:

        ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2
        (THIS LINK WILL NOT WORK UNTIL FRIDAY)
        (this is posted in PST, so Friday is still 3 days away).

        Yeah the best way would be to grab 3.1
        ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.1

        install it
        and then src code upgrade

        -- C
    • You can grab the main .tgzs from:
      ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i 386


      Those are snapshots of 3.2-current, not of what will be released as 3.2.
  • OBSD Support !!! (Score:4, Insightful)

    by SuperDuG ( 134989 ) <[be] [at] [eclec.tk]> on Tuesday October 29, 2002 @11:38PM (#4561753) Homepage Journal
    I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network. All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect. It's stable, secure, and BSD Free, what more could you possibly want. Open BSD is made for security and it does its job wonderfully.
    • by Churchill ( 78417 )
      All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect.
      You're right! Managing hundreds of OpenBSD firewalls in dozens of locations, all the while maintaining a cohesive security policy is a BREEZE with the excellent OpenBSD pf management software! Er, no. What kind of serious networks are you working on, anyway?
      • Not networks that serve. Man everyone who posts is really a moron. Not every network on the internet is meant to serve. When I said serious networks I was talking companies that provide net access to every desk type networks. OBSD is the perfect solution for these situations as it can serve as the firewall/router/webserver/email server. It's all stable and secure and works perfectly for your average small to mid-size business. I'd recommend a midrange PC with Open BSD anyday before I recommended a cisco solution.
        • You are a troll.

          I run some very serious networks, and we don't use openbsd. What is so superior about PF?

          Openbsd can't do policy routing, and PF is quite limited.

          And a serious network doesn't run the mail server and webserver and router on the firewall.

    • An embedded, dedicated solution?

      Don't get me wrong, though I've personally not used a BSD as a firewall, I know people who have, and they're happy with it, completely happy. But I really prefer something which was built from the ground up to be a firewall and ONLY a firewall.

      I've worked extensively with the Sonicwall [sonicwall.com] devices, and I've also heard some good things about the WatchGuard Firebox [watchguard.com] series. Then again, if you want to go gung ho all out and out, you can get a Cisco PIX.

      Basically, for me, it boils down to having a specific device for a specific job, as opposed to having a general purpose piece of software running on commodity hardware for a specific job.
    • Well, I can report that my (publicly traded) corp is pretty OBSD friendly. Almost all our edge hosts on our international VPN or the DMZ are OpenBSD. It does most routing, all email and spam filtering.

      It isn't doing the VPN proper right now, because we've invested too much in a commercial VPN. Also, most of our discrete host access to the VPN (over dialup or broadband) is Microsoft PPTP (which is lingua franca in terms of client access). We use NT exclusively for authentication/authorization (except for the NIS stuff on all our UNIX boxes), but we are switching to Active Directory. This got us thinking about running arbitrary LDAP services on OBSD and falking out all the Windows 2K client boxes. Shades of Samba!

      There is talk about switching our web and ftp server(s) to OBSD. We've already made the jump from Netscape to Apache (on Solaris), and IBM is *most* happy to supply us with OS-free Netfinity servers to run this stuff on. We still have a lot of value left in our Sparcs, but as they age it looks less and less like they will be replaced with newer hardware.

      The main obvious benefit for me is that I get to tag on a t-shirt or two onto our corporate orders. I mean, having stable email is all well and good, but a new OBSD t-shirt every 6 months! That rings my bell.

  • by browser_war_pow ( 100778 ) on Tuesday October 29, 2002 @11:40PM (#4561766) Homepage
    What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketting drone could use to setup a fully operational installation. I'd love to use OpenBSD if I thought I could get it working. I'm still just a novice with *NIX though so some of this is a bit too hardcore for people like me right now. But still, getting OpenBSD an installer that **just works** for the average person would take it to a whole new level.
    • by krmt ( 91422 ) <therefrmhere@@@yahoo...com> on Tuesday October 29, 2002 @11:57PM (#4561836) Homepage
      Making a good installer is hard work. OpenBSD just doesn't have its priorities there, and rightly so. If someone really felt strongly enough about the issue to write a nice graphical installer, or port one of the Linux ones over, there's nothing stopping them from doing so. It's just obviously not that important right now.

      That said, if you want an easy install, there are plenty of alternatives for you. You've already mentioned Redhat and Mandrake, and there's also the very notable OSX. These might not be products focused primarily on security, but if you're really concerned about security then you're going to have to be willing to do some work of your own. Even OpenBSD doesn't guarantee security in the absence of knowledge. So if you're willing to put in the work to learn to be effectively secure (and thus actually use the system properly) then you're certaintly willing to learn how to install the thing.
    • If you buy the CD, the insert has a walkthrough of an install. OpenBSD is actually one of the easiest installs if you follow the documentation.

      psxndc

    • It's MUCH easier than you think... It just takes some reading (just a tad, which is all stuff you NEED to administer the system anyways).

      You want:

      http://www.openbsd.org/faq/faq4.html [Installing OpenBSD]

      and

      http://www.openbsd.org/faq/index.html [The entire FAQ]
    • the project is not commercial, and has no dreams of having millions of users. it only seeks to do what it does well - which it has for some time.

      most of the users and all of the developers would probably scoff at the idea of upgrading the installer because development resources aren't cheap, and they feel the time would be better spent elsewhere since the installer does work just fine.

      the 'rustic' install (complete with MANUAL PARTITIONING!!!) serves as a barrier to entry, keeping the mailing lists more clean of 'how do i mount a floppy?' questions.
    • by evilviper ( 135110 ) on Wednesday October 30, 2002 @02:21AM (#4562405) Journal
      Personally, I find OpenBSD's installer to be simpler than ony other. Who needs a GUI?

      Do you want to setup networking? [Y, n]
      Do you expect to run XFree86? [Y, n]


      What could be more simple than that? I can install OpenBSD in the time it takes most GUI installers just to load.

      The one place it needs work is FDISK, and that's not a problem unless you say 'NO' when asked if you'd like to 'use the entire hard drive'.

      The installer has some nice perks too. You can use wild cards when selecting your packages, so a simple "-x*" will unselect all the X packages. Just "*" selects everything (one of the few OSes where you almost always want EVERYTHING-there's no junk in the distro), or you can always go with the default, minimum, install.

      That's why I like OpenBSD, it isn't a bunch of shinny things, it's just a very simple and elegant Operating System. Installer and all.
      • The one place it needs work is FDISK, and that's not a problem unless you say 'NO' when asked if you'd like to 'use the entire hard drive'.

        Unfortunately, that one problem killed OBSD for me. Surely, it's not uncommon to want to dual-boot OBSD with something else.
        • Surely, it's not uncommon to want to dual-boot OBSD with something else.

          It's not a very common occurance actually.

          I don't setup any of my servers to dual-boot.

          As for workstations:

          An extra hard drive is cheap.

          Few people just 'play around' with OpenBSD. It usually replaces the other OSes, and not many people are concered about co-existance.

          FDISK is easy enough to use if you read the (very detailed) man page. From the docs on the CD, from the man pages on OpenBSD.org, even from within fdisk-you can easilly access the man page.

          I mentioned fdisk only because it is the most complicated part of the entire OpenBSD system, not because it's complexity is significantly over and above any other installer OSes' installer. It may take a few minutes to figure it out, but it is more powerful than any other fdisk program I've seen, and gives you a better picture of what's actually happening than any other program.

          Note For non-BSD users: FDISK is the program that modifies the (up to) four primary partitions. If you tell the installer to use the full disk, you don't even need te run fdisk. Within one of those primary partitions you create (or had the installer automatically create) is where you use DISKLABEL to allocate space for each mount point (/, /tmp, /usr, /usr/local, /home, ETC.).

          I wouldn't want non-BSD users to get the impression that setting your hard drive is difficult, from this conversation, just because the job of fdisk is different on other platforms.

    • easy? (Score:3, Insightful)

      by rsax ( 603351 )
      What's your definition of an easy installer? I would rather have something functional over easy/GUI. When I first installed OpenBSD I had only used Debian since then (only for a year or so). I printed out the entire FAQ [openbsd.org] and read it back and forth whenever I had some free time. If you read it, you will notice that it walks you through the entire installation procedure. If I was able to install OpenBSD using their excellent text installer just by reading the documentation available on their site then I'm sure anyone (who's willing to do research) can. It also helps to have an old box to install on first, play around, install again.. rinse and repeat as required.
    • by RAMMS+EIN ( 578166 ) on Wednesday October 30, 2002 @03:17AM (#4562574) Homepage Journal
      I don't wanna boast, be elitist, troll, whatever here, but I actually think the OpenBSD 3.1 installer is one of the best installers I've ever seen. Sure enough, it doesn't have a GUI, but it fits on one 1.44 MB diskette and uses little RAM.

      The installation process is as simple as answering questions that are in plain English. The one thing that sucks about it is the disklabel part. I think it would be helpful to do some ad-hockery to come up with sensible defaults here. Nevertheless, help is available in clear English and a swap and root partition (and whatever more you deem necessary) are soon enough created.'

      Now I am going to abuse the rest of this post for stating what other improvements (besides the disklabel editor already mentioned) I would like to see in OpenBSD. The default install ships with many services (fully or nearly completely) preconfigured but commented out. This is a Good Thing. However, although SMTP and POP3 are mostly set up this way, the same is not true for their secure (tunneled over SSL) versions. I think that OpenBSD, especially with its focus on security, should really offer this.

      Another thing that would be good for OpenBSD to have is a secure distributed filesystem. This applies to other operating systems as well, and I know there are various options that work, each with serious drawbacks. Two options that I consider of special interest are Coda [cmu.edu] and SFTP. Coda is said to be in alpha stage (and has been, for a long time), but is reported to work quite nicely. SFTP is not technically a filesystem, but can be used as one by Linux with LUFS [sourceforge.net]. I think a LUFS-equivalent for [Open]BSD would be a huge win.
      • SFTP is not technically a filesystem, but can be used as one by Linux with LUFS [sourceforge.net]. I think a LUFS-equivalent for [Open]BSD would be a huge win

        if NetBSD's mount_portal was ported to OpenBSD then i think it would be simple. right now OpenBSD (and FreeBSD) uses an older mount_portal which isn't as robust as NetBSD's.

        anyone know the linux equivalent of mount_portal?

    • In truth, it's been a while since I installed OpenBSD (3.0 was the last one I tried), and I found it ... easy. I'm certainly not a particularly competent user, and although I'll admit the disk partitioning tripped me up, the rest was really simple.

      Additionally, the OpenBSD FAQ sets the standard for docs. Once installed, I had dhcpd/NAT/ipfw and a load of other goodies set up in under half an hour.

      I would suggest that people who say installing OpenBSD is hard just haven't tried it. If you have, be more specific: ugh eez too hardt is hardly a good bug report, or the kind of thing that'll get over-worked developers to make changes.
    • I don't really mind there not being a real GUI-based installer. Although I would appreciate the comfort in having one, I've found OpenBSD installs extremely painless and easy, the installation on my (slightly dated) router box takes no more than 15 minutes. Even as a beginner, a quick read-through of the really excellent FAQ provides all the information you need to get started in no time.

      But then, there's this article I stumbled across on Deadly [deadly.org]:

      G.O.B.I.E [gobie.net], a "Graphical OpenBSD Installer Engine", and I have to say the screenshots [gobie.net] look pretty damn slick. They are also working on other cool things. From the web site:

      [G.O.B.I.E] wishes to add some value to the product by developing installation modules to known servers such as Bind, Sendmail, Inn Apache..

      Among them, you will find help to configure PF(Packet Filter), authpf, altq and some other tools.

      We have planed to build a kernel configuration tool too !!!


      I think that sounds like an interesting project and (though IMHO not absolutely needed) I would like to see it being officially presented as an alternative to the current installer.
    • OpenBSD is one of the easiest installers. Try FreeBSD or even worse, Solaris. Then come back to OpenBSD.
      • I found OpenBSD to be an easy install EXCEPT for the disklabel editor. The editor should be able to present to the user a reasonable default partitioning scheme for servers(isn't that what OpenBSD is all about - having a secure, working system from the default install?)

        Moreover, from reading the documentation, it appears that there is no warning about the creation of a partitioning scheme that is potentially unbootable. This is silly!
    • Its due to the intended audience/market.

      If the installer is too complex/confusing for you, then you are not the intended audience.

      Not meant as an insult, just reality.

      OBSD isn't intended for the 'average' person, but one slightly above that level.
    • What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketting drone could use to setup a fully operational installation.

      1) Do you really want a "marketing drone" establishing your critical network infrastructure? Average people shouldn't be meddling with the systems that can really make or break a company. This is serious stuff.

      2) The OpenBSD installer really is quite easy when you sit back and think about it. It's basically a well-thought-out shell script with prompts for necessary information. It's also very quick; OpenBSD installations are fast, since there isn't a quasi-stable GUI driving everything. It's also more dependable than a GUI. GUIs are complex from a software engineering point of view, and it is harder to guarantee their function. If you have questions about how OpenBSD goes about it's business...just look a the scripts.

      I'm still just a novice with *NIX...

      Don't let OpenBSD intimidate you, as it can provide a very fruitful learning experience about UNIX systems. OpenBSD really is one of the most directly and thoughtfully documented systems out there (at least for the userland stuff), but it just isn't an in-your-face system like Red Hat. Once the system installs, there is a helpful e-mail sitting in the root inbox, the installation CDs have very good README files, and the 'intro' and 'afterboot' man pages are also good. The OpenBSD website hosts a FAQ and links to mailing list archives that covers many questions for new users.
  • Why pf sounds great (Score:5, Informative)

    by capedgirardeau ( 531367 ) on Tuesday October 29, 2002 @11:49PM (#4561812)

    Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.

    He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I dont think other packet filters are doing, ask your vendor how they are handling these same types of issues.

    This is why pf sounds like it will be very good (direct quotes from the article):

    ... [about the kernel integration] ... we just call a single function, pf_test(), from ip_input() and ip_output(), where all packets from network interfaces pass. Additionally, the function is called from the bridge code and after encapsulated packets are unwrapped, so encapsulated packets pass through pf at every layer. [security enhancement]

    ... The stateful connection tracking is based directly on Guido van Rooij's work (which is also the basis for IPFilter). ... To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers. Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof. [security enhancement]

    ... pf can randomize sequence numbers for hosts that have predictable ISN [initial sequence number] generators. [security enhancement]

    ... Fragment reassembly and normalization (eliminating ambiguities in packets that a receiver might interpret in different ways) was written by Niels Provos, based on Vern Paxson's work. This is something very useful I haven't seen implemented in a packet filter before ... Reassembling fragments allows the filter to deal only with complete packets, reducing the rule set complexity. In my opinion, it's well worth the additional cost. pf allows to specify what packets to normalize in which ways, so you can handle notoriously fragmented but otherwise known-good traffic separately. [security enhancement]

    ... pf implicitly creates state for all translated [NAT'ed] connections and stores the information needed for translation in the state entry. This simplifies and reduces lookups. [speed/security enhancement]

    ... [Skip Steps] And this is what skip steps are. For each parameter in each filter rule, the number of subsequent rules that specify the exact same value are counted. When, during evaluation of a rule, a parameter is found to not match, evaluation is not necessarily continued on the very next rule, but all subsequent rules that can't possibly match are skipped. [speed enhancement]

  • pF (Score:4, Funny)

    by LeiraHoward ( 529716 ) on Wednesday October 30, 2002 @12:25AM (#4561935) Homepage
    Wow.. you know you've been doing too much electronics homework when you look at "pF" and read it as "picoFarad" and wonder what that had to do with anything....

  • The article is one of the best resumes I've ever seen.
    • by Futurepower(R) ( 558542 ) on Wednesday October 30, 2002 @12:46AM (#4562034) Homepage

      The article is one of the best resumes I've ever seen.

      Prospective employer: What have you done?
      Daniel: I wrote the stateful firewall in OpenBSD. Here's a kerneltrap.org article.
      Employer: (Silence while recovering from amazement.) What pay do you expect?


      I hit a key accidentally, and Mozilla posted my comment above.
  • The most secure OS (Score:4, Informative)

    by octogen ( 540500 ) <g.bobby@gmx . a t> on Wednesday October 30, 2002 @07:47AM (#4563317)
    And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.

    This definition depends on what you call "secure".

    Theo calls an OS with a very limited, trusted set of applications "secure" - however, running secure applications with root privileges has nothing to do with OS level security. That's application level security.

    I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel. That means, there is no way of gaining 'root' privileges or something like that by hacking into some highly privileged daemon, provided that the system is configured properly.

    To achieve this level of security, it is neccessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel - and that's still missing in OpenBSD.

    What means "secure"?
    "[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. [...]"
    - SE Linux FAQ, NSA [nsa.gov]

    -----

    There are mainly two types of secure Operating Systems.
    a) Everything up to the C2 level of security
    b) Everything from B1 up to A1 (never ever reached by any OS)

    The difference is information labeling.
    You only get a B1 security certificate, if your OS has mandatory access controls. It must be able to automatically prevent users from mixing secret data with public data. This is often called a "Trusted OS".

    Most people don't need information labeling/mandatory access control, because all their data has the same level of sensivity.

    TCSEC C2 does not say much about how the OS has to handle privileges, so a C2-level OS can still be very insecure, but it can also be very secure - almost impenetrable - and it still can't ever become certified at B1 or above, because it simply can't handle multiple levels of sensivity.

    -----

    Let's look at NON-Trusted-OSs first, because most people don't need a Trusted OS:

    OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2. It distinguishes between world and root privileges.

    VMS has an audit trail, access control lists, and a privilege model.

    AS/400s have an audit trail, access control lists, a privilege model, an object-based security model with type enforcement and hardware-supported pointer-in-memory-protection because of the single level storage address space, but that does not matter much (think about it as something which is similar to protect-mode on an x86, but based on objects and pointer to objects instead of segments and segment descriptors).

    VMS is clearly superior to OpenBSD, mainly because of the privilege model. If a process does not have many privileges, then an attacker can't gain many privileges by hacking it. Simple, isn't it?

    An AS/400 is (VMS users listen carefully) clearly superior to both, OpenBSD and VMS. It has a superset of the security features of VMS, and additionally it has object-based protection. Therefore, you can't write to a program object, and you can't execute a data file or things like that.

    Now let's look at Trusted OSs:

    SE-VMS has an audit trail, access control lists, a privilege model, information labeling and compartment mode.

    Solaris with Argus Pitbull has an audit trail, access control lists, fine grained privilege controls plus inheritance rules (proxy privilege sets and so on), a trusted computing base, information labeling and compartment mode (mandatory access controls).

    Both are clearly superior to the non-trusted OSs mentioned above, because applications can be totally separated from each other by putting them in separate compartments.
    If someone hacks into an application in compartment A, then he/she still can't access an application in compartment B, so he/she is locked down into a jail.

    Solaris with Pitbull is clearly superior to VMS, because of the much more sophisticated privilege model. It's more fine-grained and it has inheritance controls, so certain applications will only gain their privileges if they can inherit those privileges from another process. By default, executing another application always drops all privileges.

    -----

    What I'd like to say is .. 2 things:

    1. What about "OpenBSD is the world's most secure OS"? It has a pretty good verified kernel, but it's security mechanisms are simply not powerful enough. A bug-free kernel does not help alot, when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...

    2. What about "Unix can't be secure"? I get really bored by VMS users comparing Standard-Linux with VMS; maybe compare the most secure setup of either Operating System and then let's talk about security again.
    HERE [getronicsgov.com] is TCSEC B3 certified Unix (Linux-compatible, too).

    regards,
    octogen
    • by foofboy ( 7823 )
      Point of order re:
      b) Everything from B1 up to A1 (never ever reached by any OS).
      There are several OS's rated B1 or above.

      From Dynamoo [dynamoo.com]:
      B - Mandatory Protection Division B specifies that the TCB protection systems should be mandatory, not discretionary. B1 - Labelled Security Protection As C2 plus:
      • Mandatory security and access labelling of all objects, e.g. files, processes, devices etc.
      • Label integrity checking (e.g. maintenance of sensitivity labels when data is exported).
      • Auditing of labelled objects.
      • Mandatory access control for all operations.
      • Ability to specify security level printed on human-readable output (e.g. printers).
      • Ability to specify security level on any machine-readable output.
      • Enhanced auditing.
      • Enhanced protection of Operating System.
      • Improved documentation.
      • Example OSes are: HP-UX BLS [ncsc.mil], Cray Research Trusted Unicos 8.0 [ncsc.mil], Digital SEVMS [ncsc.mil], Harris CS/SX [ncsc.mil], SGI Trusted IRIX [ncsc.mil].
      B2 - Structured Protection As B1 plus:
      • Notification of security level changes affecting interactive users.
      • Hierarchical device labels.
      • Mandatory access over all objects and devices.
      • Trusted path communications between user and system.
      • Tracking down of covert storage channels.
      • Tighter system operations mode into multilevel independent units.
      • Covert channel analysis.
      • Improved security testing.
      • Formal models of TCB.
      • Version, update and patch analysis and auditing.
      • Example systems are: Honeywell Multics, Cryptek VSLAN [ncsc.mil], Trusted XENIX. [ncsc.mil]
      B3 - Security Domains As B2 plus:
      • ACLs additionally based on groups and identifiers.
      • Trusted path access and authentication.
      • Automatic security analysis.
      • TCB models more formal.
      • Auditing of security auditing events.
      • Trusted recovery after system down and relevant documentation.
      • Zero design flaws in TCB, and minimum implementation flaws.
      • The only B3-certified OS is Getronics/Wang Federal XTS-300. [ncsc.mil]
      A - Verified Protection Division A is the highest security division. A1 - Verified Protection As B3 plus: A2 and above Provision is made for security levels higher than A2, although these have not yet been formally defined. No OSes are rated above A1.
  • OpenBSD is dying, because Theo has a cold.

    Heh...just kidding. But really, we're too dependant on him, and his whims. We need a less ego in the BSD world. Theo DeRaadt, Darren Reed, Dan Bernstein et al can be fine programmers but what's the damn point if they can't get along. OpenBSD's development has too much power concentrated in the hands of too few people. This leads to all sorts of boo-boos and the inability to maintain older code (3.0 just died...ugh!).

    I think that licenses are important. They need to be unconfusing. Project developers should find an existing, popular, and well understood license that most closely suit their needs and put their work under that license, rather than create their own. Here is where I fault DJB and Reed for their licensing quirks.

    What license is irritating me the most right now is PINE's.

  • Daniel has a mirror of the interview [benzedrine.cx] at his site [benzedrine.cx].

I've noticed several design suggestions in your code.

Working...