Talk:OpenBSD/Rewrite

OpenBSD

OpenBSD 5.9 desktop
Developer	The OpenBSD Project
OS family	Unix-like (BSD)
Working state	Current
Source model	Open-source
Initial release	1 October 1996; 27 years ago (1996-10-01)
Latest release	7.5 (5 April 2024; 24 days ago (2024-04-05)) [±]
Package manager	OpenBSD package tools[1]
Platforms	Alpha, x86-64, i386, MIPS64, PowerPC, SPARC 32/64, Zaurus, and others[2]
Kernel type	Monolithic
Userland	BSD
Default user interface	Modified pdksh, FVWM X11
License	BSD, ISC, ATU,[3] and other custom licenses[4]
Official website	www.openbsd.org

OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Research Unix derivative developed at the University of California, Berkeley. The project behind OpenBSD also maintains other software utilities, most notably OpenSSH, which are available as packages for other operating systems.^[5] OpenBSD was forked from NetBSD in 1995 by Theo de Raadt after sharp disagreements over the running of the NetBSD project; today, it is among the most widely-used BSD variants, its software utilities also appearing in many other operating systems.

OpenBSD is known for its emphasis on security: it is designed to be secure by default, with many security features and frequent audits of its source code.^[6][7] Similar to other BSD variants, OpenBSD is also developed with an emphasis for documentation, with new code expected to meet the project's stringent documentation standards.^[7]

OpenBSD is distributed as a complete operating system, providing the kernel, device drivers, and userland utilities, unlike Linux, which is distributed as a kernel. OpenBSD is licensed under multiple permissive licenses, the project preferring the ISC license, but also adopting the BSD license.

History

Background

A diagram showing the history of Unix and its descendants, which include OpenBSD

OpenBSD was descended from Berkeley Software Distribution (BSD), an operating system built upon the original Unix system developed at Bell Labs, part of AT&T Corporation. Holding a monopoly at the time, AT&T was banned from directly selling its software, so it would often license Unix to universities: the University of California, Berkeley (UC Berkeley) received a license. The university formed BSD with the Unix source code, which their Computer Systems Research Group (CSRG) developed from 1977 to 1994.

The CSRG's funding withered towards the end of BSD's development, so the CSRG released BSD to the public in 1992 under the BSD license, renouncing most of their rights to BSD. AT&T, still developing Unix at the time, saw the release as infringement, challenging UC Berkeley and Berkeley Software Design, the corporation that sold licenses to BSD from 1991 to 1992, in court. The university presented a strong defense, even proving that AT&T took significant parts of BSD in developing Unix and violated the BSD license as a result. The final settlement mandated the CSRG to delete only a small part of BSD, allowing the CSRG to release the final version of BSD under the BSD license. BSD received newfound attention from the lawsuit, spawning numerous BSD variants.^[8][9]

Birth and early development

Theo de Raadt was a founding developer of NetBSD, a BSD variant forked in 1993 from 386BSD. de Raadt remained one of NetBSD's core developers until December 1994, when he was asked to resign as a core developer after sharp disagreements with other developers on the running of the project.^[a][10][11]

In October 1995, de Raadt forked NetBSD to form OpenBSD, storing the code on a public read-only Concurrent Versions System (CVS) repository.^[11][5] The initial release, OpenBSD 1.2, was released in July 1996, while the first major release, OpenBSD 2.0, was released in October 1996.

Features

Security

Further information: OpenBSD security features

An diagram of W^X memory protection

Numerous memory protection features are included in OpenBSD at the kernel level to ensure memory safety, shielding the system against memory attacks such as buffer overflows. W^X, or Write XOR Execute, prevents arbitrary code execution by allowing a program's memory to be written to or executed, but not both. This prevents an attacker from injecting code into memory and executing the code. OpenBSD protects the stack via ProPolice, which prevents attackers from injecting malicious code into the stack by detecting changes within the stack, terminating the program if it detects an unexpected change.^[b][6] OpenBSD prevents a program from writing to memory owned by another program by placing a "guard page" next to the memory allocated by the program, which cannot be written to. Various other memory protection features are included in OpenBSD, some of them preemptive against uncommonly-exploited or theoretical vulnerabilities.^[12]

Cryptography is deeply embedded into OpenBSD, integrating into the system not only cryptography at the software level, but also at the hardware level, using a system's hardware cryptographic facilities whenever possible. OpenBSD provides a cryptographic library providing numerous functions, such as ciphers, key-agreement protocols, public key certificate functions, and a cryptographically secure pseudorandom number generator for generating secure entropy.^[13] OpenBSD has an application programming interface providing a uniform interface to hardware cryptographic functions on various platforms.^[6]

OpenBSD supports IPsec, a protocol for encrypting Internet Protocol packets.^[14] pf was implemented into OpenBSD as a built-in firewall, with OpenBSD team successfully porting pf into other operating systems.

Privilege separation is incorporated into OpenBSD, which separates a program into individual units accorded only the privileges they need to operate, limiting the fallout when part of the program is compromised. Programmers developing code for OpenBSD may also use the pledge system call, which limits the system calls a specific program can make to the ones declared in the program.^[15]

Common on almost all Unix-like systems is a simple file system permission scheme, which specifies for each file the permissions for reading, writing to, and executing a file. OpenBSD extends this scheme by adding numerous flags, providing more fine-grained control over file permissions, with the securelevel of the system controlling the overall restrictiveness of the filesystem. A higher securelevel restricts the system's maintainability, but hardens the system against attacks.^[16][17][c]

The OpenBSD project also maintains numerous software utilities included in OpenBSD designed to keep the system secure by default. OpenSSH is a Secure Shell (SSH) protocol implementation to facilitate encrypted console connections; OpenSSH is also used by many other open source operating systems. In response to Heartbleed and other vulnerabilities in OpenSSL, the OpenBSD team forked OpenSSL and overhauled the code to form LibreSSL.

Software and system management

The OpenBSD base installation provides only the essential software packages needed for basic tasks. OpenBSD provides tools to manually build and compile third-party software, including the GNU Compiler Collection, but OpenBSD also contains automated build tools such as make to run Makefile build scripts.^[18]

OpenBSD provides two dedicated systems of building software packages: ports and packages. The OpenBSD project maintains a repository of software packages in the ports system, in which the build process is simplified. OpenBSD provides a package manager based on the ports system, which simplifies the process when only simple configuration of packages is needed.

OpenBSD handles startup scripts and system services via the rc system. Task scheduling is handled via the Cron daemon, although internal task scheduling is handled with a separate service.^[19] OpenBSD includes the syslog service, providing a common interface for programs to log events.^[20] OpenBSD supports the Network Time Protocol (NTP) via OpenNTPD, which is maintained by the project. It can fetch the current time from an NTP server, or host an NTP server providing access to the system clock via a local network or the Internet.^[21][22]

Storage

OpenBSD retains the original Unix File System (UFS) incorporated in BSD. OpenBSD supports two versions of UFS: UFS1, the default for smaller partitions up to about one terabyte,^[d] and UFS2, for partitions up to 8 zettabytes (10²¹ terabytes).^[22] OpenBSD supports software RAID levels 0, 1, 4, and 5; partition-level encryption, the Network File System, and soft updates.^[23]

Networking

The OpenBSD network stack is based on the 4.4BSD network stack. OpenBSD integrates its own IPsec stack,^[24] but implements the KAME project's implementation of IPv6.^[25]

Development and release

Code auditing

Release

Notes and references

Notes

1. Adam Glass, representing the team of core developers, stated that they would welcome future contributions from de Raadt, but did not deem it appropriate for him to remain as a core developer.^[10]
2. ProPolice inserts a "canary value" of 32 bits between each function frame within the call stack of a program. If ProPolice detects that a canary value has been modified, the program is terminated. This greatly increases the difficulty of arbitrary code execution: the attacker must guess the correct value and insert it into the stack, which is extremely difficult as there are 2³² − 1 possible canary values.^[6]
3. OpenBSD's file system permission scheme also prevents rootkit attacks as rootkits must adapt to the securelevels of the system in order to compromise the whole system.^[16]
4. About 2⁴⁰ bytes, which is equal to one tebibyte. UFS1 is only capable of storing up to 2³¹ - 1 blocks.^[22]

Citations

1. "Package Management". OpenBSD Frequently Asked Questions. Retrieved 1 June 2016.
2. "Platforms". OpenBSD. Retrieved 29 March 2016.
3. "src/sys/dev/microcode/atmel/atu-license - view - 1.3". cvsweb.openbsd.org. Retrieved 20 May 2016. Redistribution [...] is permitted provided that the following conditions are met: [...] Firmware is redistributed in object code only.
4. "src/sys/dev/microcode/tigon/tigon-license - view - 1.5". cvsweb.openbsd.org. Retrieved 20 May 2016.
5. Matzan (2007), p. 3.
6. Korff, Hope & Potter (2005), ch. I, §2 ("BSD Security Building Blocks"), subsection "Inherent Protections".
7. Lucas (2013), Introduction, section "OpenBSD’s Strengths".
8. Lucas (2013), Introduction, section "What is BSD?".
9. Unix System Laboratories; Regents of the University of California; Berkeley Software Design (1994). "Settlement Agreement" (PDF). Retrieved 20 July 2016.
10. Glass, Adam (23 December 1994). "Theo De Raadt". netbsd-users (Mailing list).
11. Lucas (2013), Introduction, section "The Birth of OpenBSD".
12. Lucas (2013), §10, subsection "OpenBSD Memory Protection".
13. "crypto(3)", OpenBSD man page, 12 November 2015 {{citation}}: templatestyles stripmarker in |title= at position 1 (help). Also accessible on OpenBSD via the command man crypto.
14. de Raadt et al. (1999), pp. 2–3.
15. Bundesmann, Jan (2016). "Eingeschränkte Privilegien: Unix-Derivat OpenBSD 5.9 veröffentlicht" [Restricted privileges: Unix derivative OpenBSD 5.9 released]. Heise Online (in German). Retrieved 12 August 2016.
16. Korff, Hope & Potter (2005), ch. I, §2 ("BSD Security Building Blocks"), subsection "Filesystem Protections".
17. Lucas (2013), Introduction, subsection "Securelevels".
18. Lucas (2013), §13 ("Software Management"), subsection "Introduction".
19. Lucas (2013), §15 ("System Maintenance"), subsection "Scheduled Tasks".
20. Lucas (2013), §15 ("System Maintenance"), subsection "Log File Maintenance".
21. Lucas (2013), §15 ("System Maintenance"), subsection "System Time".
22. Lucas (2013), §8 ("Disks and Filesystems"), subsection "The Fast File System".
23. Lucas (2013), §9 ("More Filesystems").
24. de Raadt et al. (1999).
25. Jeker (2008), p. 2.

Works

Books

• Korff, Yanek; Hope, Paco; Potter, Bruce (2005). Mastering FreeBSD and OpenBSD Security. Sebastopol, CA: O'Reilly Media. ISBN 978-0-596-00626-6. {{cite book}}: Invalid |ref=harv (help)
• Lucas, Michael W. (2013). Absolute OpenBSD (2nd ed.). San Francisco, California: No Starch Press. ISBN 978-1-59327-476-4. {{cite book}}: Invalid |ref=harv (help)
• Matzan, Jem (2007). The OpenBSD 4.0 Crash Course. Sebastopol, California: O'Reilly Media. {{cite book}}: Invalid |ref=harv (help)
• Rosen, Kenneth H.; Host, Douglas A.; Klee, Rachel; Rosinski, Richard R. (2007). UNIX: The Complete Reference (2nd ed.). New York City: McGraw-Hill. ISBN 978-0-07226-336-7. {{cite book}}: Invalid |ref=harv (help)

Articles

• de Raadt, Theo; Hallqvist, Niklas; Grabowski, Artur; Keromytis, Angelos D.; Provos, Niels (1999). Cryptography in OpenBSD: An Overview. USENIX Annual Technical Conference. Monterey, CA. {{cite conference}}: Invalid |ref=harv (help)
• Jeker, Claudio (2008). OpenBSD – network stack internals. AsiaBSDCon. Tokyo, Japan. {{cite conference}}: Invalid |ref=harv (help)