Can OpenBSD really eliminate buffer over-runs?
John McCormick
Published: 28 Apr 2003 07:54 BST
Tackling one of the most commonly reported causes of vulnerabilities, the OpenBSD project recently announced that a major effort has been put into place to eliminate buffer overrun vulnerabilities in its popular open source operating system. As reported by ZDNet, project leader project leader Theo de Raadt told a Canadian IT security conference that the OpenBSD project had specifically hardened OpenBSD to improve resistance to buffer overflow attacks. In his presentation, de Raadt said, "By combining five technologies, we can make buffer overflows basically unexploitable."
Steps toward buffer overrun security
In his presentation, de Raadt explained that the first step involved "stack-gap randomisation." In other words, the team randomised the location in memory where the software will place the stack by adding a randomly sized gap at the top of the stack. Next, they altered the way addresses are stored within the stack and added a way to detect attacks on the stack. They did this by putting buffers closer to the return addresses in the stack, resulting in lower flags and pointers, making them harder for a hacker to hit. The attack detection was accomplished by adding a "canary" that will indicate whether any addresses have been altered.
Finally, the OpenBSD project broke main memory into two pieces. The first one is devoted to executing code and the second one is isolated as a writable section. The assignment of all pages to one section or another means that no page will be both writable and executable at the same time.
Another part of the work involves eliminating a lot of setuid binaries, reducing them from nearly 40 in some early versions to just eight, each of which has up to 300 lines of code.
For more details on these changes, you can read de Raadt's presentation. As befits material relating to an open source project, the presentation has been created in MagicPoint, an open source presentation program. To view it, you will need to save a local copy of the file (in Windows, right-click on the link and select "Save File As") and then download a copy of MagicPoint. Alternatively, you can view the file in text format (or even with Microsoft PowerPoint) and simply ignore the extraneous characters.
When to expect the changes
The next version of OpenBSD is scheduled to ship May 1, and de Raadt said that most of the buffer overrun security changes will be included in this new version. A few others, such as the ability to split memory on 32-bit PowerPC and x86 chips, won't be completed in time for the scheduled release date. Support for split memory in 32-bit processors is scheduled to follow in six months.
How significant are buffer overruns?
One third of the past 14 OpenBSD 3.2 Security Advisories involved buffer problems. Another nine buffer overrun problems were reported for OpenBSD 3.1, and the SANS/FBI list of the top ten most exploited Unix (and Linux) vulnerabilities is filled with "buffer overflow" problems.
Of course, this heavy incidence of buffer overruns isn't unique to OpenBSD or even to Unix. The top ten Windows vulnerabilities list presents a similar picture. The bottom line is that buffer overruns are the cause of many security flaws and software vulnerabilities, and any work done to limit the problem is a step forward.
The OpenBSD project
Although the OpenBSD project is based in Canada, it was supported by the US Department of Defense in the form of a $2.3 million (USD) DARPA grant. For those who don't know, DARPA also funded the development of the Internet. However, only a few days after the OpenBSD project leader announced the major effort to secure the open source operating system, DARPA pulled the remainder of its grant.
Because it is Canadian-based, OpenBSD can ship with cryptographic tools that US companies may not be able to include by default due to export restrictions. You can find an explanation of the kinds of cryptographic tools that ship with OpenBSD on the organisation's Crypto Page.
The inclusion of strong cryptography tools goes hand in hand with the basic philosophy behind the installation, which is that not everyone is a security expert or should have to become one. This point of view has led OpenBSD.org to emphasise secure-by-default installation settings.
Final word
OpenBSD is already one of the most secure operating systems available, and if the team can really pull off this buffer overrun security initiative, it will go to the top of the list for administrators looking to deploy tightly secured systems. But only time will tell. I'm not alone in pointing out that people have been fighting with PC memory allocation problems for decades, and by now, buffer overrun problems are so pervasive it is virtually impossible to eliminate all of them or block them from being exploited.
I suspect that there will continue to be buffer overrun exploits after the next version of OpenBSD ships. And if that happens, it will be important to remember that even if OpenBSD eliminates only half the successful buffer overrun attacks, the effort will have been a success -- one that may cause other vendors to follow its lead.
Editor's Note: On a much less serious note, the OpenBSD operating system is also notable for its inclusion of songs with every release. These can be found here as part of our IT Anthems coverage.
For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter.
Tell us what you think in the Enterprise Mailroom.
Did you find this article useful?
73 out of 116 people found this useful
- Share this article:
