DaemonForums  


News News regarding BSD and related.

#1, 21st January 2010, J65nko (Administrator)
The insecurity of OpenBSD

From http://allthatiswrong.wordpress.com/...ty-of-openbsd/

Quote:
Firstly, I would like to apologize for, and clarify, the title of this article. I wanted to use a title which would hold attention and encourage discussion while remaining true to the argument I make. I certainly don't mean to imply that OpenBSD is a horribly insecure operating system; it isn't. I do however need to highlight that OpenBSD is quite far removed from a secure operating system, and will attempt to justify this position below.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#2, 21st January 2010, jggimi

My summation of the article:

"Oh, all that is wrong can be boiled down to an improper attitude about security and a missing complex ACL structure overlaid on the filesystem. Any ACL system, really. This lack of a fun ACL is so critical, I will repeat variations of this about sixty times, just in case you didn't get it."

"Vulnerabilities everywhere else don't matter, as all systems have vulnerabilities. As long as I can get a filesystem with an ACL."

I assume we'll see a whole host of nasty, vicious rebuttals on misc@. I'm glad I use a threaded mail reader so I can avoid it all.
#3, 21st January 2010, marc

Well, I think you don't need any ACL and tons of untested addons when you have audited code and a well designed, secure OS ...
#4, 22nd January 2010, Carpetsmoker (Martin)

I think we have a new Jem Matzan ...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#5, 22nd January 2010, allthatiswrong

Quote:
Originally Posted by jggimi
My summation of the article:

"Oh, all that is wrong can be boiled down to an improper attitude about security and a missing complex ACL structure overlaid on the filesystem. Any ACL system, really. This lack of a fun ACL is so critical, I will repeat variations of this about sixty times, just in case you didn't get it."

"Vulnerabilities everywhere else don't matter, as all systems have vulnerabilities. As long as I can get a filesystem with an ACL."

I assume we'll see a whole host of nasty, vicious rebuttals on misc@. I'm glad I use a threaded mail reader so I can avoid it all.
Hello, I am the author of the article.

I think you may have missed the point of my article, and also grossly oversimplified, and thus dismissed my argument.

Which is not limited to ACL's, but also MAC, and other methods of actually locking down the system in the event of an intrusion.

I'm happy to discuss that argument, but so far all I have seen are dismissals, not rebuttals.

Quote:
Originally Posted by marc
Well, I think you don't need any ACL and tons of untested addons when you have an audited code and well designed, secure OS ...
So when you need to run software that has not been audited, and someone breaks in and there is no sufficient way to limit what they can do, this is fine?
#6, 22nd January 2010, J65nko (Administrator)

Nowadays applications are becoming the biggest security issue.
From a discussion on the openbsd ports mailing list about "ethereal/wireshark" at http://article.gmane.org/gmane.os.openbsd.ports/35284/
Quote:
Originally Posted by Marc Espie
People, wake up. Network security was enough a few years ago. It's all about
applications and secure development these days. At least if you want to
matter 5 years from now...
Just look at the Internet Explorer fiasco: both the French and German governments advise people to use another browser/application. We all have read about web servers being cracked, using flaws in the CMS. SQL injection, cross site scripting attacks, all at the application level.

I myself, although I am 57, take a very radical stand. I don't think that continuing to renovate the Unix/Linux/BSD building, an ACL here, a MAC there, will bring us much further. I would rather see a new building, designed from the ground up with security as one of its leading design principles.

Just look at sendmail, still a design from the time when the Internet was a friendly place where scientists exchanged information. Of course sendmail could be an open relay in those times, no problem at all. Spam still was some kind of meat, and not junk you find in your trash mail folder.

Under pressure of the popularization of the internet, all kind of extra security measures had to be added to sendmail.

As a reaction you see Bernstein come up with qmail, postfix by Venema both designed with security in mind. IMHO we need architects like Bernstein and Venema but then for a new secure OS.

But just like you I still expect to use OpenBSD for a long time as network firewall and router.
#7, 22nd January 2010, BSDfan666

Quote:
Originally Posted by allthatiswrong
I think you may have missed the point of my article, and also grossly oversimplified, and thus dismissed my argument.
Do you honestly believe you've contributed anything that hasn't been discussed to death on the mailing lists before?
#8, 22nd January 2010, allthatiswrong

Quote:
Originally Posted by BSDfan666
Do you honestly believe you've contributed anything that hasn't been discussed to death on the mailing lists before?
Well, I had hoped to.

The reason I tried to make an actual argument, was that I got tired of perhaps someone bringing it up, and then a thousand OpenBSD users pooh-poohing it with the same old claims.

I hoped by actually writing an argument to invalidate those claims, it would at the least encourage discussion.
#9, 22nd January 2010, Carpetsmoker (Martin)

Hello and welcome.

From your article:
Quote:
The OpenBSD approach to security is primarily focused on writing quality code, with the aim being to eliminate vulnerabilities in source code. To this end, the OpenBSD team has been quite successful, with the base system having had very few vulnerabilities in "a heck of a long time". While this approach is commendable, it is fundamentally flawed when compared to the approach taken by various extended access control frameworks.
These options are not mutually exclusive. A large number of security issues are due to "stupid mistakes" such as not checking return codes and the like. Writing quality code is not just the OpenBSD approach for a secure system, but it is necessary for a secure system.

Whether or not ACLs, MAC labels, and whatnot are good security features is an entirely different discussion. If you are going to implement such features, then they must be written with quality code or else there will be security holes.

In any case, ACLs are not a magic bullet for a secure system, case in point being the MS Windows NT/2000/XP/Vista/7 systems, which all have ACLs and are not exactly widely known for their security.
22nd January 2010, marc

Quote:
Originally Posted by allthatiswrong
Which is not limited to ACL's, but also MAC, and other methods of actually locking down the system in the event of an intrusion.

So when you need to run software that has not been audited, and someone breaks in and there is no sufficient way to limit what they can do, this is fine?
Quote:
* strlcpy() and strlcat()
* Memory protection purify
o W^X
o .rodata segment
o Guard pages
o Randomized malloc()
o Randomized mmap()
o atexit() and stdio protection
* Privilege separation
* Privilege revocation
* Chroot jailing
* New uids
* ProPolice
* ... and others
I didn't know that EVERY OS has such sophisticated security mechanisms built in, not added as a regular package / set of patches ... If that's not sufficient [combined with user knowledge] then what is?
I think you dramatized the whole thing a bit just because OBSD doesn't use these specific mechanisms [i.e. ACL, MAC, etc].

Regards
22nd January 2010, jggimi

Quote:
Originally Posted by allthatiswrong
I think you may have missed the point of my article, and also grossly oversimplified, and thus dismissed my argument.
I don't believe I missed your point, which was that ACL/MAC are the overarching panacea for mitigating the damage of an intrusion. I happen to disagree with that assessment.
Quote:
I'm happy to discuss that argument, but so far all I have seen are dismissals, not rebuttals.
I would normally be delighted, but:
  • Many people have been rebutting your arguments, both on misc@ and on your wordpress blog.
  • I don't wish to repeat their arguments, nor do I think I would be able to add much significantly new or unique in any line-by-line argument.
  • See below for an argument which I'm not sure has been mentioned, yet.
Quote:
So when you need to run software that has not been audited, and someone breaks in and there is no sufficient way to limit what they can do, this is fine?
There are many different kinds of intrusions that ACL and MAC will not mitigate. Root level intrusions come to mind, as do DBMS intrusions such as SQL injection.

Should I need an ACL for some reason on an OpenBSD platform, there is one: AFS, which has a multi-layer ACL. OpenBSD has the Arla AFS client built in to the base system, and the OpenAFS server available in the ports tree, with authentication for both managed via the built-in Heimdal Kerberos service. An ACL can be useful for policy governance.

22nd January 2010, allthatiswrong

Quote:
Originally Posted by Carpetsmoker
These options are not mutually exclusive. A large number of security issues are due to "stupid mistakes" such as not checking return codes and the like. Writing quality code is not just the OpenBSD approach for a secure system, but it is necessary for a secure system.

Whether or not ACLs, MAC labels, and whatnot are good security features is an entirely different discussion. If you are going to implement such features, then they must be written with quality code or else there will be security holes.
Hi!

I agree completely that writing secure code is a necessary component of a secure operating system. By itself however, it is not enough. Also with ways to mitigate exploits, it is not enough.

On a secure system, I should be able to run insecure software or have untrustworthy users, and control the damage that can be done. This is simply not true for OpenBSD.

Quote:
In any case, ACLs are not a magic bullet for a secure system, case in point being the MS Windows NT/2000/XP/Vista/7 systems, which all have ACLs and are not exactly widely known for their security.
Well, it is important not to confuse ACLs with MAC, which Windows does not really have a complete implementation of.

I will also note that NT actually provides very powerful methods of securing systems, and certainly could restrict the damage that an attacker could do, although nowhere near as much as with MAC.

Quote:
Originally Posted by jggimi
  • Many people have been rebutting your arguments, both on misc@ and on your wordpress blog.
  • I don't wish to repeat their arguments, nor do I think I would be able to add much significantly new or unique in any line-by-line argument.
  • See below for an argument which I'm not sure has been mentioned, yet.
Unfortunately, I have seen mostly dismissals, and rehashing of the same tired old arguments that I actually addressed in my article.

Some interesting discussion was taking place in my blog, but even then it is the same arguments.

MAC is bolted on/can be easily turned off, is insecure, adds no meaningful security etc.

All untrue.

Quote:
There are many different kinds of intrusions that ACL and MAC will not mitigate. Root level intrusions come to mind, as do DBMS intrusions such as SQL injection.
Of course, and I address this in my article.

For most cases however, MAC provides meaningful security.

It is also interesting to note that the more serious database platforms generally implement at least some form of RBAC/MAC.

Quote:
Should I need an ACL for some reason on an OpenBSD platform, there is one: AFS, which has a multi-layer ACL. OpenBSD has the Arla AFS client built in to the base system, and the OpenAFS server available in the ports tree, with authentication for both managed via the built-in Heimdal Kerberos service. An ACL can be useful for policy and governance.
1. An ACL is not the same thing as MAC.
2. You can't seriously be suggesting running a DFS locally as a substitution for a MAC implementation because it has an ACL?
22nd January 2010, jggimi

Quote:
2. You can't seriously be suggesting running a DFS locally as a substitution for a MAC implementation because it has an ACL?
My point was that an ACL is available, while your blog said one was not. But I am seriously suggesting running AFS for an organization that needs an ACL, if AFS itself adds value.

Personally, I find ACLs, unless carefully designed, nearly always difficult to manage, and due to that difficulty, often poorly managed. (MACs are far more intrusive, by design, and have commensurate complexity and management concerns, but let us stay focused on ACLs.)

Here is a real world example regarding ACLs:
One of my tasks for a large, commercial customer is to find a way to eliminate, dismantle, or circumvent the ACL structure that was intended to govern access to a major document repository, but has only gotten in the way of the repository's functionality. The ACL was implemented at senior management's request, and is now to be either eliminated, dismantled, or circumvented, at senior management's request. It impacts 2400 users across two continents. The impact of the current ACL is so intrusive into business operations that senior management is willing to expend capital to duplicate the entire infrastructure, minus the ACLs, if that is what is required.
Would I use OpenBSD if I needed an ACL? Perhaps, but only if AFS provided additional advantages, which it might. But I am a strong proponent of the right platform for the right reasons, driven downward by a business or organization: goals & objectives -> requirements -> application -> architecture -> infrastructure -> platform. And, when the infrastructure includes a network, I look to see if OpenBSD can add value to it. It may not be the appropriate application platform, but it might be useful in an adjunct capacity.
22nd January 2010, allthatiswrong

Quote:
Originally Posted by jggimi
Personally, I find ACLs, unless carefully designed, nearly always difficult to manage, and due to that difficulty, often poorly managed. (MACs are far more intrusive, by design, and have commensurate complexity and management concerns, but let us stay focused on ACLs.)
An argument against complexity only works for specific implementations.

Your ACL example sounds absolutely horrible, but this is not a problem with the technology itself, or perhaps even that implementation of the technology. It's hard to say without knowing more details... it could have just as easily been poor design and management.

Using SELinux as an example, many people say this is too complex and disable it. Even if this is true, it is an argument against that particular implementation. GRSecurity, AppArmor and RSBAC are all easier to administer, and have saner error messages and policies.

The technology can be implemented in a way that is easy to administer without sacrificing functionality. The problem here is that the OpenBSD team refuses to accept that any increase in security is provided.
22nd January 2010, jggimi

We're going to have to agree to disagree, then. Note that, should I ever have an application that requires a MAC environment (I haven't yet, but I never say never), the platform of choice will not be OpenBSD:
Quote:
Originally Posted by eWeek, 2003
The OpenBSD project has made a decision against trusted-operating-system-style mandatory access controls that place kernel-enforced limits on what particular processes or users can do. "People who use such things build systems which cannot be administered later," said Theo de Raadt, OpenBSD project leader, in Calgary, Alberta. "I am holding the fort against such complexity."
23rd January 2010, Oko

That blog is just hogwash. To quote one of the kind souls from misc AT openbsd: in order to have a secure operating system you have to design secure hardware. i386 hardware is crap by design.
Any further discussion is a waste of time.

Security of OS and hardware is a very deep topic. Many very smart people were thinking about that. It is true that OpenBSD doesn't belong to the group of secure operating systems due to its Unix heritage. Unix was never meant to be a truly secure operating system, if for no other reason than its portability.

People who are interested in secure operating systems should try to find as many documents as possible written by the scientists of RAND corporation and NSA. Basically we common humans know about security about as much as has leaked from NSA and RAND. That is the real truth.

24th January 2010, marc

Quote:
Originally Posted by Oko
People who are interested in secure operating systems should try to find as many documents as possible written by the scientists of RAND corporation and NSA. Basically we common humans know about security about as much as has leaked from NSA and RAND. That is the real truth.
Probably only if 'secure' means 'closed' at the same time. It is also a matter of who you trust as a consumer / customer / end user, or who you don't trust as a talented engineer [then you are probably able to construct your own HW+SW set].
To me it's some sort of a consensus, or golden mean if you want.

Regards
25th January 2010, Oliver_H (Oliver Herold)

>Probably only if 'secure' means 'closed' at the same time.

Security by obscurity is just a dream. Closing up a system just makes you think it's more secure.
__________________
use UNIX or die :-)
25th January 2010, marc

Quote:
Originally Posted by Oliver_H
>Probably only if 'secure' means 'closed' at the same time.

Security by obscurity is just a dream. Closing up a system just makes you think it's more secure.
Exactly. That's what I was trying to say and that's why I disagree with Oko in this particular matter.
26th January 2010, Oko

Quote:
Originally Posted by marc
Exactly. That's what I was trying to say and that's why I disagree with Oko in this particular matter.
Try to find the documents written by RAND and NSA people. That is not security by obscurity. You didn't understand my post properly. The documents are not in the public domain as they are part of U.S. military secrets. At least the documents that I looked at contain some of the deepest and cleanest computer security analysis I have ever seen. You can ask Theo and the bunch what they think about it. I am not talking M$ bullshit here. I am talking serious military stuff.