GeodSoft logo   GeodSoft

Linux, OpenBSD, Windows Server Comparison: OpenBSD Security

Default Installs

So far we've looked primarily at problems that expose systems to unnecessary dangers which can be fixed by knowledgeable administrators. We have not looked explicitly how the default installs compare. It's very easy to rate the systems default installs, because only OpenBSD is specifically designed to be secure by default. There is no contest. For an operating system installed from the standard disks, using all default options, OpenBSD is far ahead of the leading Linux distributions, and even further ahead of any Windows system. A review of OpenBSD will show some of the prime characteristics of a system designed to be secure by default. Here we are looking at a general purpose operating system and so Linux comparisons will be to widely used general purpose distributions such as Red Hat. There are specialty Linux distributions such as Trustix and EnGarde that specifically configure Linux to be very secure.

OpenBSD Origins

OpenBSD has a well deserved reputation as the most secure general purpose operating system available. There are several reasons for this. For starters, creating a stable and secure system was the primary goal and reason for OpenBSD's creation. OpenBSD was an outgrowth of NetBSD. NetBSD is known for running on more hardware platforms than just about any other operating system. FreeBSD split from NetBSD because the developers wanted to optimize the system for performance on Intel processors. As a result, FreeBSD is widely regarded as the fastest OS that runs on Intel systems. OpenBSD split later with the goal of creating a reliable and secure OS. When someone or an organization has a clear and realistic goal and does not have conflicting priorities, the goal can normally be accomplished.

Strictly speaking, a system can only be optimized for a single factor. Reliability and security are not separate. Rather, reliability is a prerequisite for security. The large majority of security problems are the result of bugs. A bug is a system doing something unexpected or failing to do the expected, often in response to an infrequent or unexpected event. Historically, the most frequent and dangerous security problems on most systems have been buffer overflows: a service running as root, an administrator or the system, does something unexpected, for example, allows the execution of arbitrary code, in response to an unexpected event, such as the arrival of excessive data. Eliminating bugs is the first prerequisite of a secure system.

The BSD family of OSs is relatively small and simple compared to many of their competitors. This means there are less lines of code to have bugs. One key characteristic that sets OpenBSD apart from most other systems are periodic and systematic code audits. To quote from the OpenBSD site, http://openbsd.org/security.html, "Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better." The same OpenBSD page states that thousands of bugs were fixed in late 1996 and early 1997. Each release of OpenBSD, which comes every six months, includes new features and enhancements, but the focus remains on quality so OpenBSD's growth is evolutionary.

Secure by Default

In part, because it's not a commercial system, OpenBSD can take a secure by default stance. Their security page states "All non-essential services are disabled." OpenBSD has less services turned on by default than nearly any other system available. When I first wrote my web pages on Hardening OpenBSD Internet Servers, 2.7 was the current release. I identified 10 services that were turned on by default and I thought could be disabled on a machine intended as a web, FTP, e-mail, DNS or other Internet server or firewall. In 2.8, two of these were no longer on by default.

In the mid nineties, when OpenBSD was first developed, the Internet was much less hostile, and its was expected that UNIX machines would network locally, with other UNIX machines via services that are now widely regarded as LAN services, and not suitable for use across the Internet. The Portmap service is a key component on which many of these services depend and is still on by default; a comment describes it as "Nearly always needed". On the other hand, a very common service, NFS has been turned off by default since I've been familiar with OpenBSD (2.6). This is equivalent to Windows disk sharing.

Secure by default tends to be a problem for any system that attempts to be "easy to use" including most commercial systems because such systems appear to be less functional than ones with all common services enabled. For example, on the first Red Hat Linux system I installed in 1999, httpd was up and running when I first looked for it. In contrast I had to learn how to control services on OpenBSD before I could run a web server.

Part of the secure by default hope and assumption is that if services are not already turned on, people will learn something about them before turning them on. At a minimum they must have a knowledge of the function, a desire to turn it on and learn how to do that much.

It just happened that I wanted to run a web server on the Linux machine. It's likely that most Linux machines, even those set up as servers, won't be intentionally running user maintained web sites. Some users would never be aware that their PC was running a web server. Services that are turned on but not used are just an intruder invitation, especially those that run as root. Apache on Red Hat Linux 6.1 was not running as root.

Where a server, such as a web server is on by default but not used, it may never get turned off and you can be sure that it won't be updated if a security issue is found. Any administrator knowledgeable enough and dedicated to actively upgrade services when a security issue is found, would have already turned off all unused services.

Secure by default not only routinely turns off services that would otherwise be on, but it also typically does not install software that would otherwise be included in default installs. This will include specific services that are less used but it will also include support libraries that are not needed by those servers which are installed. Thus when an administrator adds a new function to a secure by default system, they are likely to find that they must also locate and install support libraries or functions that are not on the system.

A secure by default system is likely to have many file and directory related security settings that prevent ordinary (non root) users from doing things that are allowed on most systems. Examples include not allowing users to su to root unless they are in the wheel group or view systems files not needed for the ordinary use of the system.

"Four years without a remote hole"

The OpenBSD web site opens with a claim that attracts some attention including claims that it's not true or someone just found a bug that invalidates the claim. The statement is "Four years without a remote hole in the default install!" They do not provide a detailed explanation what this means so lets analyze it. I think "Four years without" is clear enough that it's not likely to provoke substantive discussion.

I've seen some claims that there was a bug in some piece of software that is commonly installed and is thus a "default" at the sites it's installed. I don't think that's what "in the default install!" means at all. I think it means in the software that will be running following an install from the standard media taking all the default options.

Commonly used software that is not on by default includes NFS, FTP, telnet, DNS and IP Filter (now removed from the CVS source tree for license reasons). Bugs or holes in any of these would not count because they are not "default install".

"remote" means network access. If a user is already logged in, either at the console or from a remote location but now acting locally via ssh, telnet or rsh, it doesn't count. It means via a network protocol. If for example, sshd which is on by default, had a buffer overflow that could be exploited via the network, without using it to log on, either with encrypted keys or a username and password, that might break the four year run.

Finally what does "hole" mean? I don't think it means bug. If you look at the OpenBSD Security Advisories under 2.8 you will find "May 29, 2001: Sendmail signal handlers contain unsafe code, leading to numerous race conditions." Sendmail is on by default and if hole meant bug then OpenBSD would need to change the opening web statement.

UNIX Signal Handler and Open Source Software Fixes

In the May 31, 2001 issue of the SANS Security Alert Consensus mailing list the lead article begins "An interesting research paper by Michal Zalewski of Bindview was released this week detailing various problems in the signal handler design of Unix applications. We expected to see some vulnerability advisories based on this problem in the near future; however, they've already started -- Sendmail (a widely deployed mail server on Unix) has released an updated version to fix the problems outlined in the paper."

The paper itself is dated May 16-17, 2001. It appears however that the authors did not publicly announce the problem until they posted an announcement to the Bugtraq mail list on May 28. The SANS Alert refers to Bugtraq archive. Apparently Michal Zalewski contacted key UNIX vendors so that they could fix their products before making a public announcement.

Also note that the OpenBSD fix is available with the announcement the day after the problem is publicly announced. I couldn't find any release dates on the Sendmail site. I would guess that OpenBSD was already working behind the scenes with authors of Sendmail and coordinated the timing so that the fix would appear just after the public announcement.

Later in the SANS Alert under the Sendmail specific item, they say the denial of service attacks would be possible and that root compromise was a possibility. There was no suggestion that any actual exploits or denial of service attacks had been developed let alone successfully used against anyone yet. Like most bugs, there is some idea of what definitely can be done with it but it's harder to know what the limits to the problem are. Someone more imaginative than those currently examining the problem might see additional ways to exploit the problem than those who first to study it.

This is a good example of how the open source model can work. Someone identifies a problem and notifies key parties behind the scenes. Fixes are developed and released at about the same time as the problem is announced. No black hat ever has a chance to exploit the problem.

Actually that is not true. There are millions of UNIX computers most of which use Sendmail as their mail transfer agent. Sendmail is on by default on nearly all systems with which it's included. It will be interesting to see how long it takes the various Linux vendors to have patches for their distributions. Of course even though some patches are out now and others will be soon, most systems will never be updated. That's no different than with commercial software. Once the vendors or open source authors have announced the problem and released fixes, they've done their job.

What's important here is that a problem was found by white hats via code review and analysis and that it was circulated in a way that key parts of the UNIX community released fixes before the black hats knew of the problem. With any proprietary product only the employees can look at the code. Once a current product is tested and released, no one is likely to look at existing code until someone reports a problem. Of course as some critics say, the vast majority of open source users do not review the code they use. What matters is that for any significant code, a lot more than the one or two authors directly involved do read the code.

IP Filter Bug

The speed of the Sendmail fix is not unusual for an OpenBSD response to any security related issue. Another recent security issue that affected OpenBSD was the fragment caching vulnerability in IP Filter. The OpenBSD Security Advisory said: "Apr 23, 2001: IPF contains a serious bug with its handling of fragment caching."

My recollection when I first read about it a week or two after the advisory was that it did sound serious. Serious enough that I pursued installing the patch. I had some difficulty with the OpenBSD patch and had to update from the IP Filter site. I believe the patch was posted about five days after the problem was first publicly discussed. As a point of contrast, not relevant to the systems being compared, but still rather interesting, Hewlett-Packard announced their fix to this problem on Jan. 23, 2002, or nine months to the day after the OpenBSD announcement.

Unlike the signal handling issue, this was not handled quietly behind the scenes but announced publicly by the person who found the problem. Once again though, it was found by someone not associated with the source code, reading the code and seeing the implications.

After I'd read most of the relevant matter and upgraded my IP Filter, my conclusion was that a more accurate description would be "an interesting theoretical bug" rather than a "serious bug". I understand why it was called serious and this emphasizes how seriously security is taken by the OpenBSD authors lead by Theo De Raadt. See below for why I did not consider this a serious bug.

It also returns us to the definition of a "hole" versus a "bug". I believe a hole means a bug that was actually exploited to in some way harm an OpenBSD system before a fix was posted on the OpenBSD site. Granted, if some system were compromised by this problem on May 30, as a practical matter, there would have been no way that the administrator could have been expected to learn of the problem and apply the fix in time to do any good. The system authors though, can't be responsible whether administrators fix their sites within a week or a month or never.

So what does "Four years without a remote hole in the default install!" really mean? It means that no one who has installed OpenBSD with default options has actually experienced a network based intrusion in four years. Since the OpneBSD authors can only go on what they know, it means no one who has reported such an intrusion. As OpenBSD is only used those who are more than casually concerned about security in the first place, it's very likely if such an intrusion had occured, it would have been reported. Even though OpenBSD is not widely used, it is an impressive record. I know in my Internet explorations, I've seen statements to the effect that many would be intruders, as soon as they determine a target system is OpenBSD, move onto other targets.

In the past four years there are less than 75 OpenBSD Security Advisories. Most of them are with peripheral products that are distributed with OpenBSD, like IP Filter and most sound a lot less serious than the IP Filter problem which I prefer to characterize as theoretical.

A quick look at my web site will leave little doubt that I'm aware of and concerned with security issues. Enough so that if I screw up, I can't blame anyone but myself. I think the practical implications of many bugs reported as serious security issues is greatly overstated. Had I understood the IP Filter problem as well, before I set about trying to fix it as I did afterwards, it's unlikely that I would have bothered, even though I consider my firewall to be my second most important security measure (after backups).

OpenBSD Daily Security Audit

The *BSD family, including OpenBSD, comes with a feature lacking in other operating systems I've worked with. It has a daily security audit that is turned on by default. Every night, an e-mail to root is composed that analyzes all kinds of security related settings. If any system files have changed or any security related permissions on key files or directories changed, any suid programs added to or modified on the system, any world writable directories created or any of several other changes that might indicate a security issue, an automated e-mail to root describes the changes. It's similar to having a system preinstalled with a Tripwire like system.

This can be turned off by a system administrator but I can't think why one would. As the system runs entirely locally, a very knowledgeable intruder should be able to defeat it, but not without considerable risk of triggering one or more alerts. Turning the system off would stop these. There are enough checks, that when you customize an OpenBSD system and tighten security, it normally takes several days of tuning, to make all the auditing system settings match the new system and thus stop sending security related warning messages. Until the actual system and auditing system are synchronized a new set of warnings is sent each night.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

 


What's New
How-To
Opinion
Book
                                       
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.