DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
Old 10th April 2013
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default I think I now got the point.

Thank you for the explanation.


But still , I think if you could find a "cve" for system security it will be similar to this cve.


plone is way more secure then joomla.
Reply With Quote
Old 11th April 2013
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

Teacher jggimi thanks so much for the infrastructure example !
I will never favour any OS to OpenBSD even though I am not smart enough to fully benefit from its unique features ........
Reply With Quote
Old 11th April 2013
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

rocket357 thank you for all clarification!
Reply With Quote
Old 11th April 2013
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 422
Default

Quote:
Originally Posted by daemonfowl View Post
I am not smart enough to fully benefit from its unique features ........
If you believe that is true, then it is.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
Old 3rd October 2015
Monti Monti is offline
Port Guard
 
Join Date: Apr 2015
Location: In'Da House
Posts: 10
Default

Just found the "The insecurity of OpenBSD" and was curious to see if there was a comment on the article here on deamonforums. I'm pretty new to BSD in general and have been evaluating if I should go with OpenBSD or FreeBSD, at least as a starter. Being inspired by the philosophy I am leaning towards OpenBSD, so I'm trying to get a better understanding and finding the arguments that would tell me that I should.

Regarding this thread I would like to thank you Rocket, Ocicat, and Jiggmi for your perspectives. Enlightening and useful reminders going forward. Really appreciate it.
Reply With Quote
Old 4th October 2015
backrow backrow is offline
Real Name: Anthony J. Bentley
Shell Scout
 
Join Date: Jul 2009
Location: Albuquerque, NM
Posts: 124
Default

Quote:
Originally Posted by Monti View Post
Just found the "The insecurity of OpenBSD" and was curious to see if there was a comment on the article here on deamonforums.
A few thoughts.

It states that only the base system is audited. By and large, this is true. But the author implies base auditing is useless because it doesn’t guarantee the security of ports. This misses two points: first, the base system is very full‐featured and there is a lot you can do with just base software. You can run mail, web, routing, DNS, and much more without any packages. That’s great, especially for people who are running a machine specifically for such services.

Secondly, OpenBSD provides many security benefits that do help you even if you’re running ports. LibreSSL provides a good base for any application using SSL and removes functionality for insecure ciphers even in ports programs. Nearly every program in ports is compiled with PIE. The stack protection and ASLR affects ports programs. And so on.

Finally, the guy spends the bulk of the article decrying the lack of MAC and ACLs. He gives a cursory mention of OpenBSD’s main argument against them—that they are too complex, leading people to misconfigure them or disable them entirely—but promptly ignores it. He also implies that lack of these features is a dealbreaker, when in fact most situations simply don’t need them. (I mean, have you ever used ACLs?)
__________________
Many thanks to the forum regulars who put time and effort into helping others solve their problems.
Reply With Quote
Old 7th October 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 118
Default

AFAIK, OpenBSD does not offer features such as jails in FreeBSD due to huge code base changes.

On top of that, not many user know how to use systrace properly.

Last edited by Peter_APIIT; 11th October 2015 at 01:36 AM. Reason: Add info
Reply With Quote
Old 26th February 2016
jjstorm jjstorm is offline
Package Pilot
 
Join Date: Nov 2014
Location: Buenos Aires, AR
Posts: 141
Default

Quote:
Originally Posted by backrow View Post

Finally, the guy spends the bulk of the article decrying the lack of MAC and ACLs. He gives a cursory mention of OpenBSD’s main argument against them—that they are too complex, leading people to misconfigure them or disable them entirely—but promptly ignores it. He also implies that lack of these features is a dealbreaker, when in fact most situations simply don’t need them. (I mean, have you ever used ACLs?)
I plan on using OpenBSD as a desktop and will expand into other areas as I learn about them. Although I have never myself configured SElinux or Apparmor, they do come with a default profile that provides some confinement of processes.

Web browsers and other third party programs that need access to the internet are increasingly being used as portals for zero day exploits.

How can OpenBSD protect from a zero day attack coming through a third party app such as firefox for example? Can the app be confined in some other way? Is this where privilege separation comes into play?
Reply With Quote
Old 26th February 2016
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,119
Default

Quote:
Originally Posted by jjstorm View Post
Is this where privilege separation comes into play?
No, privilege separation is a key component of application design. Simply put, the application runs separate processes, one with privileges, one (or more) without. See slides 7-12 of this 2009 presentation on OpenBGPd for a good description of how privilege separation was designed into that application.

Last edited by jggimi; 26th February 2016 at 08:28 PM. Reason: slide numbers
Reply With Quote
Old 26th February 2016
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,119
Default

jjstorm, you mentioned two Linux-specific security governance mechanisms that are unrelated to privilege separation. Unlike privilege separation, those are optional add-on mitigations.

Optional security usually remains optional. Take a look at this 2015 presentation about OpenBSD's new pledge(2) risk mitigation function. A video is available.

An application which has used the pledge() syscall has reduced its own privileges. The Chromium browser has been pledged for 5.9-release, for example. While pledge() is not privilege separation, it does share some of the same intent. Theo de Raadt plans to present on the relationship between pledge() and privilege separation at the dotSecurity conference in April.

As for Firefox, since you mentioned it, it has not been pledged. But it will use W^X (Write XOR Execute) memory allocation at 5.9-release. This is another risk mitigation technique. It doesn't separate privileges into separate processes, and doesn't reduce its own privileges, but it does ensure that memory used for program execution is read-only.

Last edited by jggimi; 26th February 2016 at 09:47 PM. Reason: clarity
Reply With Quote
Old 26th February 2016
jjstorm jjstorm is offline
Package Pilot
 
Join Date: Nov 2014
Location: Buenos Aires, AR
Posts: 141
Default

Quote:
Originally Posted by jggimi View Post
jjstorm, you mentioned two Linux-specific security governance mechanisms that are unrelated to privilege separation. Unlike privilege separation, those are optional add-on mitigations.

Optional security usually remains optional. Take a look at this 2015 presentation about OpenBSD's new pledge(2) risk mitigation function. A video is available.

An application which has used the pledge() syscall has reduced its own privileges. The Chromium browser has been pledged for 5.9-release, for example. While pledge() is not privilege separation, it does share some of the same intent. Theo de Raadt plans to present on the relationship between pledge() and privilege separation at the dotSecurity conference in April.

As for Firefox, since you mentioned it, it has not been pledged. But it will use W^X (Write XOR Execute) memory allocation at 5.9-release. This is another risk mitigation technique. It doesn't separate privileges into separate processes, and doesn't reduce its own privileges, but it does ensure that memory used for program execution is read-only.
Excellent, so with pledge(), the applications, working together with the kernel, restrict themselves. A major advantage over apparmor and SElinux is that it cannot be turned off.

Last edited by jjstorm; 26th February 2016 at 11:58 PM.
Reply With Quote
Old 27th February 2016
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,119
Default

The pledge(2) function is itself a syscall, with API support via the unistd.h header file. Section 2 of the man pages is for system calls and error numbers. Section 3 man pages are for C library functions.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Security Security vulnerability in sudo allows privilege escalation J65nko News 0 5th March 2013 03:52 PM
Security Intel CPUs affected by VM privilege escalation exploit J65nko News 9 18th June 2012 11:51 PM
Performing network flow separation? beaute FreeBSD Security 0 27th May 2010 01:40 PM


All times are GMT. The time now is 01:17 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2016, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick