OpenBSD Gets Even More Secure 374
Telent writes "As seen in this post by Theo de Raadt, OpenBSD is getting even more secure, working on smashing script kiddies running buffer overflow exploits dead. Tightening PROT_* according to the POSIX standards and creating a non-executable stack on most architectures are just two of the recent enhancements, most of which are in -current now."
linux should have non-exec stack by defualt (Score:5, Interesting)
Re:linux should have non-exec stack by defualt (Score:5, Informative)
There are several reasons why Linux does not have non-executable stacks yet...
One of them is that gcc and the kernel use trampolines. From the gcc docs [fifi.org]:
AFAIK, linux uses trampolines at least in these places:
Both problems can be addressed (the openwall patches take care of the kernel trampolines), but it's not as easy as turning off the PROT_EXEC bits in the stack.
Also, a non-exec stack is not a silver bullet: it only makes exploiting buffer overflows somewhat harder. Check out this article [securityfocus.com] from Solar Designer (the OpenWall patch author).
On top of the above:
You may now understand why Linus has so far judged that a non-executable stack was more trouble than it was worth.
Re:linux should have non-exec stack by defualt (Score:5, Insightful)
Then, trampolines are not the only way to implement nested functions. Just a neat one.
And finally, gcc has all the hooks to turn the memory protection back on for the little chunk that wants stack execution.
Guess what ? gnu-ada uses trampolines, and it works on OpenBSD current...
Re:linux should have non-exec stack by defualt (Score:3, Insightful)
Also, you don't need an executable heap/stack for these overflows to cause damage (overwrite access tokens, change flag states, etc.)
Sure every little bit helps, but it's still kind of a losing battle.
IMO, it would be better to spend more time educating people and making it socially unacceptable to use C/C++ when they could just as easily use a high level language with bounds checking. You know, like LISP people have been saying for 30 years.. ;)
But alas this is a touchy subject.
Re:linux should have non-exec stack by defualt (Score:4, Funny)
Re:linux should have non-exec stack by defualt (Score:2, Funny)
Re:linux should have non-exec stack by defualt (Score:2, Insightful)
Re:linux should have non-exec stack by defualt (Score:2)
>you won't have to bitch to the world about it EVER again!
I suppose that's one approach. I just PLONKed the guy.
concrete galoshes (Score:3, Funny)
Re:concrete galoshes (Score:5, Insightful)
I understand your joking, but point the next one towards the right area
Re:concrete galoshes (Score:2)
I have used OpenBSD for some task-specific servers, and undoubtedly will again. I'm very glad it exists (regardless of the personalities involved) because it defines one end of a spectrum, from slow-but-steady to willy-nilly. Actually defining that spectrum can be someone else's flamebait.
Re:concrete galoshes (Score:2)
You're sort of right (Score:5, Interesting)
Forget about security through obscurity, this is security through paranoia. Sometimes, it is justified.
Re:HTTP? IRC! (Score:3, Informative)
And then they ship sendmail and BIND with it.
The BIND that comes with OpenBSD is an audited V 4.x IIRC. That should suffice for many many users, those that need 8.x or 9.x can find it them the ports tree. The sendmail is locked down as well and doesn't accept connections by default.
Nice FUD otherwise.
smp blah. (Score:2, Flamebait)
-sithEnder
Re:smp blah. (Score:5, Informative)
Why does anyone need this crap. (Score:3, Informative)
If all these exploits are beaten before they are even implemented how will one prove their worth to their employers?
Damn it, I thought that SQL Slammer was a saving grace. We didn't have our servers at sp3 but then again they are behind a dual stage firewall so we had no hicup at all. However, I got the time at work to install patches as a result of the media.
To summarize: don't eliminate vunerabilities because you'll just be eliminating someones job (both the admins and hackers).
[end sarcasm, or my attempt at sarcasm since I haven't seen any around these parts since 1995]
Re:smp blah. (Score:2)
Most Secure OS (Score:5, Informative)
Re:Most Secure OS (Score:2)
Re:Most Secure OS (Score:2)
Only one remote hole in the default install, in more than 7 years!
Uber secure? Yes. Secure? Probably not, but they're working on it.
Actually that one remote hole is a stronger statement for OpenBSD than when there were none known.
VMS (Score:5, Insightful)
Re:VMS (Score:5, Funny)
All my servers run CP/M for the same reason.
Re:VMS (Score:2)
Let's here for the IBM AS/400.
Re:VMS (Score:3, Informative)
Re:Most Secure OS (Score:4, Interesting)
More Examples (incl. Linux) (Score:3, Interesting)
Trusted Solaris [sun.com]
andPit Bull [argus-systems.com] from Argus Systems
IIRC, these are more common Un*ces that are patched to provide "capabilities" - that is, instead of the root being the one-size-fits-all user that has enough privileges to get anything done, different kinds of access are broken down so that if a running program getw 0wned, it limits the damage.
Theo's answer to that probably would be, "code it right in the first place and it won't GET 0wned!!!", which is a valid point, the devil (no pun intended) is in the details.
BTW, I first came across EROS comes from Alan Cox in an interview with Robert Metcalfe a few years ago (remember the "Open Sores" series of articles? Great trolling, Bob!), in response to a question of what he thought was going to be the next big thing after Linux. He was impressed with the response (having previously accused Linux-y types of monomaniacal zeal), but it didn't overturn his opinion at the time that Linux was doomed. Oh well. (This comes to you courtesy of the similarly fated Internet.)
open source security (Score:3, Interesting)
Re:open source security (Score:2, Funny)
Interresting...(might be OT) (Score:3, Interesting)
The problem is always where to start, I assume there is no BSD flavor as easy to install as Mandrake (just to pick one), but then I am a happy user of Debian (2.2) floppy installer. A few hints to start out on, for instance a install/easy of use comparison of the various BSD's would probably be helpful to more than a few readers.
Quicky how-to (the real one is decent) (Score:2)
It does put you in a disk partition situation which can freak people out. For your first experiment on a disk with no data you care about, you can tell it to use the whole disk for obsd, and go with two partitions. (many would advise separate partitions for
If you can set up an ftp server, you might want to get the ~120MB (if using X, about half that if not) and put it on a local ftp server. I have found the mirrors pretty adequate, even right after a new release.
Post an obfuscated email and I'll send you a cheat-sheet, with how to do common things that are too easy for the gurus to think of supplying and too hard for a novice like me to figure out. Mostly network stuff.
Re:Interresting...(might be OT) (Score:5, Interesting)
1. I have found Open is actually easier to install than Free. Granted, this could be due to my love of purely simple methods, which the Open installer is. net is, in my mind, the hardest of the three, with free being very much in the middle.
2. I fail to see how Open is slwoer and more limited. It is true that Free has the most amazing tcp stack in production today, but Open's is pretty tight, and is plenty efficient in disk I/O and CPU usage. Its also not limited in any way. The stock install has a lot less "stuff" in it than most other OS's, but I consider that a definate bonus. "Ports" in a few extras, and you have an awesome, httpd, ftp, mail, dns, whatever server. In my company, we have dual purpose dns/mx backup OpenBSD machines.
3. While it is true that OpenBSD makes a dandy firewall, and quite frankly, I would use nothing else but OpenBSD for said purpose, that's not all its good for, and this "typecasting" has to stop. Does just fine in any other role too, hell, I have an OpenBSD DESKTOP. DESKTOP!
4. As for an Open box getting owned, not surprising. The final step in a secure OS, is knowing how to maintain it, and miantaining Open is no picnic, once free is up and running it is far easier to lean to patch it. Both are fairly simple once ya get the hang of it, but the free learning curve is much faster. And quite frankly, a lot of businesses deploy tons of freebsd machines, lots of admins know it. Open is a newer project, with a smaller real world footprint.
Just my unspellchecked thoughts. Its almost my birthday, I no longer feel compelled to check my typos out.
Re:Interresting...(might be OT) (Score:3, Interesting)
1. I can't really comment, I've only watched it be installed. I would agree that NetBSD is the hardest, the installer doesn't really seem to flow. Personally I would prefer to just receive a shell when I put the CD in. I can fsck, disklabel, fstab, and untar all by msyelf, thank you very much.
2. OpenBSD and NetBSD are definitely a lot slower than FreeBSD. NetBSD feels a lot less responsive than FreeBSD. Both take much longer to boot. I believe the reason is simply that speed hacks are hard to port and are potentially insecure.
3. My original post was going to address OpenBSD desktops, but I decided not to. Using OpenBSD as a desktop is sort of like using a weed whacker to mow your lawn, then saying "Weed whackers do just fine in any other role!" Maybe so, but there are better solutions available.
4. This wasn't a maintainence thing. As I recall, it was the sshd thing. It got hit right away (as the sshd vulnerability was being announced) by a script which hit all our boxes. The irony is that the FreeBSD boxes were not vulnerable, because of patches to OpenSSH made by the FreeBSD developers. This is actually something of a recurring theme with FreeBSD: major application is vulnerable except for the one shipped with FreeBSD, due to local patches. Personally I trust the network security of FreeBSD better than I do OpenBSD, but I believe it would be easier for a user to break root on a FreeBSD box than an OpenBSD one.
I enjoyed your sig.
sh
Re:Interresting...(might be OT) (Score:2)
What? Can you make sense of this?
I also use OpenBSD as a desktop. It runs X11 and I like WindowMaker.
Open and Net a LOT slower than Free? Post some numbers please, because as a Free and Open user since Open 2.5, I find this rather exagerated.
Are you one of these people that equate a few percent as being a lot?
This wasn't a maintainence thing.
One very out of the ordinary incident and you've given up on OpenBSD "network security"? Talk about reactionary!
Re:Interresting...(might be OT) (Score:2)
Doesn't that defeat the the purpose? If OpenBSD is more difficult to maintain than FreeBSD, isn't that a security problem? If security is difficult to use, users will either not use it or misconfigure it. Then your security features are pointless..
Re:Interresting...(might be OT) (Score:2)
For the lamens among us... (Score:2)
We're not all l33t haxx0rs here...
Re:For the lamens among us... (Score:2, Informative)
Re:For the lamens among us... (Score:5, Informative)
Preventing the CPU from executing code located on the stack will in many/most cases prevent these malicious instructions from ever running (because they're located on the stack).
For a detailed explanation, see Smashing the Stack For Fun and Profit [shmoo.com] by Aleph One.
Re:For the lamens among us... (Score:5, Informative)
A common bug in programs is that when they are receiving input (from the disk, from the keyboard, but most relevantly, from the Internet), they forget to make sure that they have enough room to "write down" the input they are receiving, and so they end up writing right past the end of their scratch area and over other stuff. Typically, this will cause the program to malfunction and/or crash soon afterwards.... BUT:
Years ago, crafty nasty little hax0rs realized they could use this type of bug to gain control of a computer remotely via the Internet. What they do is they find a computer running a program that has this sort of bug, and then send it input that is too big for the program's buffer, and contains a little program. The buggy program duly writes the input onto its stack, munging some of its other data -- and the hacker has formed the input "just so", so that the data it overwrites is the data governing what the computer will do next. So instead of just crashing, the program then executes the hacker's program. The program then usually "unlocks the front door" of the computer to the hacker, allowing the hacker to control the computer by remote.
Making the stack non-executable means the the computer doesn't allow itself to execute any code that is located in the stack. This means that the hacker can upload his evil program, but he can't trick the computer into running it.
Why this feature hasn't been standard in all OS's since the invention of the MMU, I cannot fathom.
Re:For the lamens among us... (Score:4, Informative)
If your program overflows the end of a temporary string or array (due to a bug in the error-checking, most likely), it can overwrite other things on the stack, including the return address of the current function call.
So, the attacker sends in an enormous string, which "just happens" to contain some executable code that does something nasty, followed by the address of that same code.
The new return address overwrites the one on the stack, so that when the function returns, it actually jumps into the previously-loaded data on the stack, which then does something nasty.
Making the stack non-executable causes the program to crash when you try to exploit it this way.
You can still overwrite data on the stack, which might still allow you to get a program to misbehave, but at least you're limited to running code that's already in the application.
Some of the other changes mentioned in the paper try to make it harder to exploit overwriting data on the stack, too.
Hope this was helpful,
-Mark
Re:For the lamens among us... (Score:3, Insightful)
Not really. You can still control the program flow by overwriting the return address, and given the stack-only parameter passing scheme on x86, you can also supply arguments to whatever function you choose to return to (with register arguments, you'd be limited to whatever registers are going to be loaded off the stack before you return, and argument registers are typically not preserved by the callee). While the typical exploit that just wants /bin/sh to run would likely just call system() or execve() or something, if one really wants to run code from the stack, the stack could be set up to return to memcpy() with the arguments pointing at the code to be moved to an executable area, and a subsequent return value that points to the destination. Null bytes would present a problem with (at least) the length argument, assuming the overflow is from a C-style string, but a sufficiently clever attacker could utilize other library functions to patch in the needed null bytes.
Thus, it may make certain attacks marginally harder, but it doesn't stop foreign code from being executable. It's most visible effect would be the problems it causes to legitimate programs that may want to execute dynamically generated code on the stack.
While there is no silver bullet to these sorts of attacks, making the stack grow upward (or strings grow downward) would eliminate a lot more holes than a non-exec stack. Unfortunately, people are too bound by tradition, and still introduce new ABIs that use downward-growing stacks, even when there's no hardware bias against upward-growing stacks, such as on most RISC chips.
Re:For the lamens among us... (Score:3, Informative)
The stack is a LIFO (Last in First out) data structure. OS's and programs use it to store all sorts of data, but one thing it's commonly used for is storing return addresses for subroutines and such.
By "stack smashing" what people mean is the typical goal of a buffer overflow attack. A program that doesn't do bounds checking on an array of data can be fed a huge amount of data that exceeds the length of the buffer that it has allocated to hold that memory. It then starts walking over other parts of memory and runs into the stack (which exists in memory just like everything else).
If you overwrite a return address in the stack with a pointer that points to some code that you've written to memory with the buffer overflow you just did, you can execute arbitrary code and thusly take control of a system (with whatever privileges the program you just attacked uses).
Since a lot of your overflowing data is going into the stack, it's a potential space for a lot of the code you might want to execute. Since the stack should only hold data and pointers, not code, it's safe to make it non-executeable with the MMU. This makes it harder to write a buffer overflow exploit, although it doesn't totally prevent it (since you can stick your malicious code in non-stack space as well).
(Feel free to flame/mod me down for any mistakes in this explanation.
Re:For the lamens among us... (Score:2)
What I use BSD for (Score:5, Informative)
Why?
If you've ever installed a Linux distribution, you will immediately note the number of third-party libraries and applications installed on a 'base' system. This is frustrating for me, because for the most part I may not want all those extra applications installed, because it clutters up the system, and there may be various vulnerabilities present that I'll be open to.
Instead I prefer to use BSD in these situations, because when you install the operating system, everything with a few choice exceptions (ie, gcc, apache, less) everything is part of the BSD operating system, no third party apps are installed unless you choose to at install time.
So when I install a BSD server, its clean from the get go. If I want bash, I have to install the package. This way I get control over what is on my system, and spend far less time adding what I want, instead of removing what I don't want (in the case of a Linux distro).
I use MacOS X laptop, which is the vision for what I always wanted my linux desktop systems to be. I can play DVD's, get sound working, simple updates, bash, gcc, ircII, web browsers which don't have problems on most sites, beautiful MP3 application, mail, etc.
For me, I don't even bother with Linux except for testing program portability, or for wireless lan-related applications (airsnort).
Re:What I use BSD for (Score:5, Informative)
I found this true with redhat and suse, BUT you can use another meta distro: Gentoo.
You only merge(Gentoo-speak for fetch/compile/install packages) on what u need and satisfies your dependencies. Bootstrapping a gentoo system takes a couple of phases, however after the 3rd phase you have a base system close to 400mb(extra megabytes are due to having a development system needed to compile everything).
Plus, you can customize specific packages such as compiling in gtk/kde support, etc with USE variables. And if that don't work, you can edit the ebuild script file right then and there and customize you're own version right there(i.e. adding --msdfs configure flag to samba to compile in Microsoft DFS support)
I won't bore you with more details, but you can check out www.gentoo.org.
Re:What I use BSD for (Score:4, Informative)
You should give Linux From Scratch [linuxfromscratch.org] a try. You will build your own Linux system, installing each component manually. No clutter, just what you need, and compiled the way you want it. It is a very good learning experience too.
Re:What I use BSD for (Score:2)
In our small shop, we use OpenBSD for firewalls, FreeBSD for file servers, Debian and Windows 2000 for workstations. For any given purpose, any of these systems might have a decisive advantage. I listed them in my rough order of bias. At the top of the list is maximal purity coupled with the narrowest applicability. At the bottom of the list is maximimal impurity coupled with universal applicability. We try to push our subsystems uphill where possible, but we're not zealots about it.
If I had to pick just one I would pick Debian and I'd be 20% miserable all of the time, but hardly ever 100% miserable (because something you really depend upon works badly or isn't available at all).
My only complaint about the package system in Free/Open is that selecting your packages is somewhat more manual than it ought to be. It's a bit of a pain to clone a known configuration at a different revision level because you have to pick exactly the right package names. I'm no fan of dselect, but dpkg is pretty livable.
Either way, if the package system is your main area of concern, it's a certain sign you have nothing important to accomplish. They both get the job done well enough if getting the job done is your main concern.
Re:What I use BSD for (Score:3, Interesting)
FreeBSD clings too much to traditional Unix.
Heh.
And what did you expect it to cling to? Traditional VMS? Don't forget that FreeBSD IS UNIX. FreeBSD is a direct descendent of the code from the original 4.4BSD. THIS IS UNIX. Love it or leave it.
(Personally, I love FreeBSD and 5.0 kicks major ass. Linux is cool, but I use Gentoo, which is arguably more BSD-like than any of the other distros except for maybe Slackware.)
Deeply cool. (Score:3, Funny)
We have a lot of single-purpose OBSD boxen here. I like them a lot. Go, team, go!
Thank goodness - it's about damnned time! (Score:3, Interesting)
It's too bad that they weren't able to completely seperate executable and readable memory, but it's good to see somebody finally taking these problems seriously.
And as a bonus to making the system more secure, these changes will make it easier to debug stack-smashing bugs.
-Mark
But What About...? (Score:5, Interesting)
Theo de Raadt writes:
If you're running a JIT compiler/interpreter or other dynamic code assembly, you sure as hell do.
I can see how you might be able to write dynamically generated code to a page, then turn off PROT_WRITE and turn on PROT_EXEC before jumping to it. However, this is almost certainly two trips into the kernel, each involving tons of permission checking. So performance will likely suffer, which negates the whole point of doing JIT in the first place.
I like his survey of MMU architectures, though.
Schwab
You can do JIT (Score:5, Interesting)
You just have to explicitly mprotect(2) [openbsd.org] the memory where it happen with PROT_EXEC|PROT_WRITE. The fact that on some OSes it can work without doing that is actually a bug in these OSes.
What the change is doing is the right thing, using a minimum privilege way to achieve more security. If some static code actually contain data that look like machine code it could be executed this wont be possible anymore.
Non executable stack by itself was far from enough as most program have some way of putting things on the heap or elsewere for an attacker and he could jump there instead of jumping on the stack. Coding an exploit for OpenBSD will get real tough now, even if there's an actual buffer overflow.
Re:But What About...? (Score:3, Interesting)
There are too many presumptions in this comment about JIT. The protections Theo is using are imposed by the VM system, which means the protections are relative to a *view* of memory. It's not obvious to me that the JIT compiler needs to share the same view of memory as the process for which it compiles. I can't bring myself to believe that for a typical invocation of the JIT compiler, one process transition is a dominant cost.
What about other BSDs? (Score:3, Interesting)
Re:What about other BSDs? (Score:2)
Oh joy... over bufferflow (Score:5, Interesting)
Re:Oh joy... over bufferflow (Score:2)
"I'm in my happy place, I'm in my happy place... KABOOM! Muwahahahahaha!"
Nonexecutable stacks (Score:5, Insightful)
Re:Nonexecutable stacks (Score:3, Insightful)
Nobody said it was. To quote TdR, "We feel that these 4 technologies together will be a a royal pain in the ass for the typical buffer overflow attacker."
If you think "royal pain in the ass" constitutes proof, go back to math 101.
twisted logic (Score:2)
[[[
These exploits require a high degree of precision. I've tried to take out most of the guesswork, but there are two things that might cause the exploits to fail. The lpstat and rdist exploits expect certain things to be in the environment at exact locations.
]]]
Probably the best metaphor here is the game Twister. The new work by Theo et al. forces the black hat to put his left elbow on the blue bubble. Sure, he can still do something devious with his right leg. But if Theo keeps dealing out the cards, eventually his bowels will explode.
In constructive software development, the programming cost is widely regarded as exponential in the number of constraints faced. Yet in the popular lore, for a black hat, a sliver of a glimmer of a faint and twisted hope is all in a day's work. This from the lips of the same people who pretend not to believe in Area 51.
Really hard workers (Score:5, Informative)
This latest security measure goes to show why they're still #1 when it comes to really closing up a machine's holes to prevent abuse and unwanted infiltration into a system.
Unfortunately, they still can't get UltraSparcIII documentation [osnews.com] that they need for their project.
I urge you all to contact SUN Microsystems and demand that they hand over the details of the US III series computers.
*nix.org [starnix.org] -- Latest article > "Taming OS X"
Sun vs. commodity x86 (Score:5, Insightful)
This is another one of those things that is often forgotten when people try to argue that cheap x86 boxes are the cat's meow and all those other architectures should just die off.
There are real reasons why the real UNIX workstations and servers are worth more (and cost more) than x86-based alternatives. Beyond the MMU stuff, there's also the OS-independent firmware POST diagnostics, more and more mainframe-class redundancy features the bigger the server gets, large CPU caches, SCSI or FC by default, chassis built to be easily maintained, ECC on pretty much every data channel, and on and on.
I think x86 has a niche in clustering and cheap wintel desktops (granted, a large niche), but it still doesn't excel in hard-core professional workstation and server applications. This memory permissions stuff is just another reason why. x86 is designed from the ground up as a mass-marketed technology (sort of like Chevrolet).
Sure (Score:4, Insightful)
Hint: there isn't one. 30% more speed matters a lot more to me and the overwhelming majority of the world than a feature which may or may not be fully used by the OS to try to help prevent a particular type of exploit in buggy servers.
FC? Now *there*'s a niche product. Slightly more sophisticated MMU? Yawn. Bigger POST? I'm not worried that the solid-state components of my system are going to spontaneously fail. Big CPU cache? All that does is help price/performance a bit, which in other architectures is already behind x86. Easily maintained chassis? What's wrong with simple side panels and a motherboard tray on a case? ECC on every data channel? I'm really not worried about my southbridge spontaneously failing, thank you very much.
When it comes right down to it, x86 is nothing special, but mass production *is*. You can throw more engineering resources at a chip and reduce cost more.
Re:Sure (Score:3, Informative)
Oh, don't be a dolt. There is *nothing* inherently flaky about x86 hardware, and some benefit to widespread usage causing more testing and more funds available for engineering.
Christ, I'm not an x86 proponent. I think the architecture is kinda ugly. But it is by no stretch of the imagination flaky.
Nice, but doesn't address the bigger problem. (Score:4, Insightful)
Linux, and Unix in general, tends to have pretty limited access controls. Even with ACL support, the distros still need to ship with restrictive settings and manage them. A lot can be done to provide a framework under which compromises can be limited and can be audited. Right now we don't have that. Without detection and reaction, how do you know that your prevention is effective?
Re:Nice, but doesn't address the bigger problem. (Score:4, Informative)
I'll leave that as a start.
Re:Nice, but doesn't address the bigger problem. (Score:5, Interesting)
The bigger problem is that the principle of least privilege is not adhered to in world of Unix. Programmers will always write bugs and applications will always have vulnerabilities that can be manipulated. Manipulation of services should only effect the service being manipulated, not the whole system. For example, services should have NO access to anything by default.
That is very much the approach that OpenBSD is taking - e.g. with privilege separated OpenSSH. If you exploit OpenSSH before authentication, you are unprivileged in a chroot that you can't write too. While this is not invulnerable (you may still abuse kernel bugs to escalate your privilege), it is a good deal better than before. OpenBSD also provides you tools with which you may further protect yourself: systrace [umich.edu] - a system call policy checker.
Re:Nice, but doesn't address the bigger problem. (Score:4, Interesting)
It would also be lovely to see the tool which manages all this unify all the ACL-like aspects of the system into a single interface. Firewalls, filesystem ACLs, and privilege delegation are all remarkably similar, it'd be great to be able to define them selectively in groups (I think SELinux calls them "contexts") and confer them to various processes. Daemons can bind to ports, but not regular users? Easy: set the firewall ACL policy to deny, then grant the "daemon" context an exemption. Then tie in other useful privileges, like the ability to write to /var/run and send messages to syslogd. All these things are obviously related conceptually, but currently you'd need 3 tools to do it all (I don't think it's possible to regulate syslogd access this way, period, but I'm being optimistic and assuming it is).
Unfortunately, from what I saw of SELinux when I last used it, all this is some time off... especially the part where it's easy to administer and use. But to end on a positive note, there are a bunch of people who recognize this problem and are working hard to correct it.
Terrific... (Score:2)
If they'll just get off of their butts and get SMP support, I'd switch all of my servers over to it in a week. Really. It's just too bad that they don't seem to want to support anything larger than a desktop PC.
Wait, my desktop is a dual Athlon. I guess my DESKTOP machine is just too advanced for them. C'mon, Theo, get it together.
steve
Hardware (Score:5, Informative)
On SPARC, Alpha or POWER CPUs there is one flag for the read-permission and another one for the execute-permission.
To prevent exploitation of buffer overflows, I believe that we simply need much better hardware.
For example, IBM's AS/400 has Hardware pointer protection. It is absolutely impossible to fake certain types of pointers on the AS/400, because the CPU will recognize when a pointer has been overwritten due to a buffer overflow.
That's how REAL bufferoverflow-protection works. If you just make dataregions nonexecutable, you can still parameterize some kind of library function (how about execve()?) and make the vulnerable program jump into the codesegment to execute the library function with the parameters specified by the attacker.
AS/400s simply 'abuse' one bit in the ECC code as a flag for marking valid pointers.
For every 64 bits in RAM there should be 1 flag bit, which tells the CPU whether the data in memory is a valid pointer or not.
An instruction like LEA (Load effective address) should then implicitly set the flag, and instructions like MOV (Move Data, actually a copy instruction) should always clear the flag.
If a RET (return from subroutine) instruction tries to load an unflagged (=invalid) pointer, the CPU should trap to the OS kernel.
For legacy application, that are too damn stupid to use pointers in a correct way, a privilege could be added to the OS kernel to allow an application to use even invalid pointers.
Furthermore, read- and execute-permission should be separate flags and all stack- and heap-pages should be nonexec by default.
I use OpenBSD often, but... (Score:3, Informative)
Different stacks... (Score:4, Insightful)
Consider: C uses the stack for three types of information: call/return information, parameter passing, and local variable storage. I assert that this is the cause of most of the stack problems in C - you are using the same thing for three different needs.
Let me discuss each of the three uses in turn. I will use x86 terminology for this discussion because that is the primary architecture used for Linux and because that is what I am most familiar with, but you should be able to generalize my points without much problem.
First, you have the call/return stack. This needs to the be CPU stack so that normal CALL/RET operations work. The only things that should be stored here are the actual return addresses, as well as possibly register saves (esp. for interrupt routines). However, in a unified stack design it is possible for the bad guys to modify the return address. Thus, even in a non-executable stack environment I can still change the return address to point to a function, say exec().
Second, you have the parameter passing stack. Ideally the only thing on this stack would be parameters passed down to the function from the caller. However, in a unified stack design, I can modify this stack to contain data - thus I can create a pointer to the string "/bin/bash" on the stack. With this and with the call/return modification above, I can cause the current function to "return" to exec(), with "/bin/bash" as the arg. Boom. Remote shell.
Third, you have local variable storage. If this space were seperate from the other two stacks, then overflowing a local buffer, while still bad, would not be able to modify the return address nor would it be able to create parameters. Ideally, every subroutine would be given its own sparely mapped local space - thus boundary errors would likely throw a page fault (granted, the cost of setting such a mapping up for each subroutine call would be prohibitive, so it is unlikely to happen without some form of hardware acceleration. Perhaps a low/high limit register could be added to the various index functions, such that an access relative to EBP, ESI, EDI would fault if it went out of range.)
However, consider just seperating the stack into three areas, widely seperated. ESP would point to the hardware stack. EBP to the local storage area, and ESI to the parameter block (with EDI pointing to "this" for C++). Now, a bad programmer has a buffer in local storage and doesn't range check it. A would-be exploiter still cannot modify the return address nor can he modify the parameter stack. The most he could do would be to hose the local variable storage (granted, that might still allow him to corrupt the local vars for some other function and perhaps get an exploit that way, but it would be even more difficult).
Granted, to do what I just suggested means throwing out *all* standard libraries, tools, compilers, and so forth - I am not actually suggesting that the x86 family do this! However, for new architectures like Sledgehammer et. al, this might be the time to make such a break.
Re:BSD is dead (Score:3, Insightful)
in case of slashdotting (Score:5, Funny)
Re:in case of slashdotting (Score:2)
Re:in case of slashdotting (Score:2)
Because for many, many years... (Score:5, Interesting)
OpenBSD, on the other hand, probably has 100 months of bugfixing up its collective sleeve. I wonder if they expect that a month of portting applications will make them more popular? (-:
IRL, a month of porting applications would simply mean an order of magnitude more security holes to fix.
Making OpenBSD completely thread-safe in preparation for multi-CPU stuff is probably a steep hill to climb, too. However, the kind of stuff that OpenBSD does well probably means that very few single-CPU OpenBSD machines will be CPU-starved until long after they're disk-I/O or net-bandwidth-saturated. Which means that it makes more sense to cluster than to proliferate CPUs in an already-saturated environment.
Re:Because for many, many years... (Score:2)
No they don't. That's what the next version is for. How do you expect them to make money if you have a relatively perfect (from the consumer viewpoint -- tons of features already + secure) OS.
OpenBSD is pretty successful for its stated goal -- security -- likewise Microsoft is even more successful for its own purpose. No use in comparing until you have an OS that truly does both (sorry OS X is not there). I would venture and say that Windows is closer to being secure than OpenBSD is to being useful to the general public.
Re:Why not Windows (Score:3, Interesting)
Notice that it's apparently worth it to Apple--hence the move to a Unix base. This is OpenBSD; Darwin is based on FreeBSD, right? But maybe somebody will find a way to incorporate these changes into Darwin, or maybe Apple will do it themselves. I would certainly appreciate it if they did.
Re:Why not Windows (Score:3, Insightful)
Re:Why not Windows (Score:2)
Re:Why not Windows (Score:3, Interesting)
Security isn't just a unix/windows war though, Solaris has had big trouble with security in the past, and so has IRIX. I haven't heard much about AIX, or HP-UX, but likely those machines wont be used for external servers anyway, so it's not QUITE as big a issue.
Re:Why not Windows (Score:3, Funny)
If you really want security, go and buy OpenVMS!!!!
Re:Why not Windows (Score:3, Informative)
Not trolling here, just showing another perspective to the issue.
Re:Why not Windows (Score:4, Interesting)
that is no reason for it, that is just an excuse.
Windows is written to meet demand, not to exceded it. It could be secure, but they really don't care.
There starting to care, unfortunatly they would have to do a real redsign from the ground, by people who where experts, and had never seen any other windows code.
Do you think Car companies would care about safety if you were forced to sign a waiver and couldn't sue them? Hell, you'ls be lucky if the brakes worked after a month.
I'd rather hace to do an update once in a while by hand, then an update every couple of months with push button convience.
Re:Why not Windows (Score:3, Informative)
For the 64 bit versions all pages have proper rwx permissions applied as specified in VirtualAlloc etc., but I'm not sure if the stack is no-exec by default.
Still, there are bound to be tons of protocol implementation errors that have nothing to do with fixed length buffers :P
not the real theo, please mod down. (Score:2)
Re:We are much more secure (Score:4, Interesting)
I do admire OpenBSD's approach to software development; it can be called responsible if nothing else. It's just that for volunteers who basically code other *nix OSes, code auditing is not nearly as much fun as porting your OS to a Nintendo.
Who are you? (Score:4, Funny)
Secondly, who the hell are you? Stop impersonating me on Slashdot.
Re:We are much more secure (Score:2, Funny)
Well don't lose sleep over it, I pretty sure NetBSD [netbsd.org] tied up those loose ends LOOOOONG ago.
Re:Now th (Score:2)
Uses (Score:2)
Re:Can DoS ever be totally prevented? (Score:2)
If it was anything under 61 times a minute I'd be more sympathetic.
12 times a minute would be peachy.
Re:Either way is good (Score:3, Funny)
1. Linux is better for developers (even some Microsoft developers like to use it as their developing platform - see the whole Roblimo Linux Fest deal)
2. There is more and better software available for Linux then Windows or Macintosh
3. Everything that the casual user needs is available after a 20 minute install process
4. Linux can be more easily managed regardless of overall network configuration
5. Again, and this can't be stressed enough since it is the main factor for management and pointy-hairs everywhere: Linux is far, far cheaper.
If an expensive cost, inflexibility, high risk factor, constant and forced upgrade cycles, and poor memory management makes a good desktop operating system then no, Linux sucks on the desktop.
You don't understand what is done (Score:4, Informative)
What is done is protecting memory zones created by the linker, mostly memory zone holding constants and static variables, so no there's no executable code in this area.
When you write a JIT you allocate your own memory on the heap and then compile your code there. On order for this code to be executable you have to mprotect(2) [openbsd.org] the memory zone holding your code with the PROT_EXEC flag, or PROT_EXEC | PROT_WRITE if you want to be able to modify it afterward. Anyway you can change the memory protection at anytime so anything you could do before you still can do.
Re:it will be impossible to JIT code on OpenBSD (Score:2)
* Microsoft releases source for all products under GPL; fixes all bugs and security holes
* Linux developers get bored, call it quits
* Intel admits Itanium is a flop; brings back Alpha
You do understand that stack protection pertains to execution of native processor instructions, right?
Re:oh ya, right (Score:4, Interesting)
To compare this to Trusted Computing is like comparing apples and black holes.
Re:oh ya, right (Score:2)
Not very effective were they?
A swarm of patches that Microsoft itself can't patch its own computers?
For some years, OpenBSD has had the annoying habit of closing holes about six months before the exploits are discovered. It's called being proactive
Re:oh ya, right (Score:2)
MS nominally put their products on hold for a month, but that is all. The OpenBSD design philosopy is paranoid - Microsoft need to have the same for their core components, and to make sure that other layers can't just quietly bypass security measures for performance.
A fast webserver doesn't really do you much good if it is 0wn3d by some H4k0rz. The wird thing is that the underlying security mechanisms (identifiers, rights and objects)in NT/2K are really quite good. Regrettably, usability sucks and support for the security mechanisms by applications (especially Microsoft's own) was non-existant. Once you have busted an app with "Functions as part of the operating system", you own the kernel.
Personally, I believe in plurality and I like spreading an app between different Linux dists, FreeBSD or OpenBSD. I would also include Win2K on thatm except that essentially you pay based on connections, which can make it really pricey. However, the idea is that one system may be broken into, but not all.
Facing the external internet though, I still prefer OpenBSD.