Markus Friedl announced the release of OpenSSH 3.6 today, five months after the release of version 3.5 [story]. Today's release includes a number of enhancements, including RSA blinding to avoid potential timing attacks against RSA keys, bandwidth limiting for 'scp', and a progress bar and improved error handling for 'sftp'.
OpenSSH 3.6 is available for download now, and will also be part of the upcoming OpenBSD 3.3 release available on May 1st. Read on for the release announcement, including full details as to what's new in this version.
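The RSA blinding mentioned above is easier to understand in arithmetic than in prose. The following is an added example written for this page, not OpenSSH's own code; the toy key (p = 61, q = 53, e = 17, d = 2753) and the blinding factors are constructed values, far too small for real use. The point it shows: the private exponent is applied to c * r^e mod n, a value the attacker never chose and cannot predict, and r^-1 is multiplied in afterwards to recover m. The sequence of modular multiplies that a timing attack measures therefore no longer depends on the attacker's ciphertext.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA key, constructed for illustration only (p = 61, q = 53): far too
 * small for real use, but large enough to show the blinding arithmetic. */
#define TOY_N 3233ULL   /* p * q */
#define TOY_E 17ULL     /* public exponent */
#define TOY_D 2753ULL   /* private exponent, e * d == 1 mod (p-1)(q-1) */

/* Square-and-multiply. Every product is reduced mod n, so with n < 2^32 the
 * intermediates fit in 64 bits. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Extended Euclid. Returns 1 and sets *inv = a^-1 mod m when gcd(a, m) == 1,
 * otherwise returns 0 (a shares a factor with m and cannot be used as a blind). */
static int modinv(uint64_t a, uint64_t m, uint64_t *inv)
{
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    if (t < 0)
        t += (int64_t)m;
    *inv = (uint64_t)t;
    return 1;
}

/* Unblinded private-key operation: the exponentiation runs directly on the
 * attacker-supplied ciphertext c, so its timing is a function of c. */
uint64_t rsa_private_plain(uint64_t c)
{
    return modpow(c, TOY_D, TOY_N);
}

/* Blinded private-key operation. r is the blinding factor (in real code a
 * fresh CSPRNG value per operation, or the previous one re-squared); the
 * private exponent is applied to c * r^e, which the attacker does not know,
 * and r is divided out afterwards. Returns the plaintext, or UINT64_MAX if r
 * is not invertible mod n. */
uint64_t rsa_private_blinded(uint64_t c, uint64_t r)
{
    uint64_t rinv;
    if (!modinv(r, TOY_N, &rinv))
        return UINT64_MAX;
    uint64_t blinded = (c * modpow(r, TOY_E, TOY_N)) % TOY_N; /* c' = c * r^e mod n */
    uint64_t m_blinded = modpow(blinded, TOY_D, TOY_N);       /* c'^d = m * r mod n */
    return (m_blinded * rinv) % TOY_N;                         /* m = (m * r) * r^-1 mod n */
}

int main(void)
{
    uint64_t m = 65, c = modpow(m, TOY_E, TOY_N);   /* constructed message */
    printf("c=%llu plain=%llu blinded(r=7)=%llu\n", (unsigned long long)c,
           (unsigned long long)rsa_private_plain(c),
           (unsigned long long)rsa_private_blinded(c, 7));
    return 0;
}
```

Both paths decrypt c = 2790 to m = 65; the difference is only in which value the private exponent touches. A factor r that shares a prime with n is rejected, since r^-1 does not exist and the unblinding step would be impossible.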
An update on the current status of OpenBSD Symmetric Multiprocessor support was recently posted to the OpenBSD smp mailing list. At this time, it still looks to be quite a ways off in the future, with currently only i386-specific code that will detect and spin up a second processor, but not yet actually use it. Due to personal reasons, the effort has been mostly on hold for the past year, but a new synchronization effort between the SMP branch and the main kernel tree is tentatively aimed for next month.
Also addressed was the frequent question, "Why not just port SMP support from FreeBSD?" Niklas Hallqvist, the primary OpenBSD SMP developer, explained that there were too many differences between the two operating systems for this to be a possibility, though there was plenty of excellent code there to learn from. Instead, the project is pulling from NetBSD's SMP code [story], though this still is a major effort, tracking down each area that is different between the two kernels. Niklas explains that the primary issue is, "SMP support radically changes the system and is not a localized subsystem." He also discusses areas where the project can use coding help.
Theo de Raadt [interview] recently summarized four buffer overflow "solutions" that have been merged into the current OpenBSD tree. These solutions are PROT_* purity, W^X, .rdata, and propolice [story]. When asked how this affects current software, Theo explained, "Zero. It's invisible. We're just tightening up adherence to what POSIX specifies."
'PROT_*' purity "makes a best effort based on the MMU in question to enforce PROT_EXEC as an independent flag." 'W^X', or 'PROT_WRITE XOR PROT_EXEC', ensures that a normal Unix process never has memory mapped both writable and executable; as part of this the GOT and PLT of ELF binaries are separated, so that the executable PLT no longer has to live in a writable segment. '.rdata' places read-only data (constants and string literals) in its own read-only ELF segment instead of the read/write data segment inherited from a.out binaries. And propolice is described by Theo as "Stackguard on steroids." Read on for a complete description and explanation of each...
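To show what W^X means at the system-call level, here is an added example (written for this page, not OpenBSD code) that probes whether an anonymous mapping requested as writable and executable at once is refused, and then does what a W^X-clean program such as a JIT has to do instead: map read/write, fill, and mprotect to read/execute, so that no page is ever W and X at the same time. The errno values treated as "refused" and the three payload bytes are assumptions constructed for the example; the bytes are never executed, and which result the probe returns depends on the host kernel.

```c
#define _DEFAULT_SOURCE   /* for MAP_ANONYMOUS on glibc; OpenBSD needs nothing */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t round_up_page(size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return ((len + page - 1) / page) * page;
}

/* Probe: ask for an anonymous page that is writable and executable at once.
 * Returns 1 if the kernel refuses it (W^X enforced), 0 if it is granted,
 * -1 on an unrelated mmap failure. The errno values treated as "refused" are
 * an assumption; which one a given kernel uses varies. */
int wx_enforced(void)
{
    size_t len = round_up_page(1);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return (errno == ENOTSUP || errno == EACCES || errno == EPERM) ? 1 : -1;
    munmap(p, len);
    return 0;
}

/* The W^X-clean way to put code in memory: map RW, fill it, then flip the
 * whole mapping to RX. At no point is a page both W and X. Returns 0 and sets
 * *out on success, -1 on failure. */
int wx_compliant_load(const unsigned char *code, size_t len, void **out)
{
    size_t maplen = round_up_page(len);
    void *p = mmap(NULL, maplen, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, code, len);
    if (mprotect(p, maplen, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, maplen);
        return -1;
    }
    *out = p;
    return 0;
}

/* Constructed payload (x86 nop; nop; ret). It is only ever treated as bytes
 * and is never called. */
const unsigned char sample_code[] = { 0x90, 0x90, 0xc3 };

/* Load the payload through the two-phase path and check the bytes survived
 * the RW -> RX flip (reading an RX page is fine; a write would now fault).
 * Returns 1 on success, 0 otherwise. */
int wx_load_and_verify(const unsigned char *code, size_t len)
{
    void *p;
    if (wx_compliant_load(code, len, &p) != 0)
        return 0;
    int ok = memcmp(p, code, len) == 0;
    munmap(p, round_up_page(len));
    return ok;
}

int main(void)
{
    printf("W|X mapping refused: %d\n", wx_enforced());
    printf("RW->RX load ok: %d\n", wx_load_and_verify(sample_code, sizeof sample_code));
    return 0;
}
```

The two-phase load succeeds on any POSIX system, W^X or not, which is the practical point: code that already separates its write phase from its execute phase does not notice when the kernel starts enforcing the rule, while code that relies on a RWX mapping breaks.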
This article is about recent exposures of many OpenBSD kernel level vulnerabilities and advances in their exploitation which leads to trusted and robust exploits. Case studies will be used to demonstrate these techniques, and reusable *BSD "kernel level shellcodes" -- with many cool features! -- will be presented.
OpenBSD creator Theo de Raadt [interview] announced that propolice, the "stack-smashing protector", has been merged into the OpenBSD kernel. Miod Vallat went on to explain, "We have chosen to enable propolice by default to ensure that it will get widely tested, in the hope that this will prove a worthy addition for our next releases. Expect some breakage in ports, though, that will get fixed as time permits."
You can read Hiroaki Etoh's original propolice announcement here. It is now simply referred to as the "stack-smashing protector", being a highly portable GCC extension that 1) reorders local variables so that an overflowing array cannot corrupt pointers, and 2) inserts protection code into an application at compilation time to detect buffer overflows before the function returns, preventing such bugs from being exploited. The buffer overflow protection portion of Hiroaki's GCC extension is based on StackGuard. Complete details on how this works can be found on the project's homepage.
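The following is an added model, written for this page and not taken from propolice or GCC, of what the prologue and epilogue inserted by the stack-smashing protector do. The struct lays a frame out the way Etoh's extension arranges it: pointer-typed locals below the character array, the guard (canary) between the array and the saved frame pointer and return address, so that an overflow runs into the guard before it can reach the return address and never reaches the pointers at all. The guard value, the fake return address and pointer, and the inputs are constructed; the overflow is done with a memcpy over the frame's own storage so the model stays within defined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of a frame laid out the way propolice arranges it (an illustration of
 * the mechanism, not the compiler's real code generation). Higher struct
 * offsets stand for higher stack addresses, so an overflow of buf runs into
 * guard first, then saved_fp and ret, and never reaches ptr_local. */
struct frame {
    uint64_t ptr_local;   /* a pointer-typed local, moved below the array */
    char     buf[16];     /* the overflowable character array */
    uint64_t guard;       /* the guard (canary) */
    uint64_t saved_fp;    /* saved frame pointer */
    uint64_t ret;         /* saved return address */
};

#define GUARD_VALUE 0xA5A5A5A5A5A5A5A5ULL  /* constructed; real guards are random */
#define FAKE_RET    0x1000ULL             /* constructed return address */
#define FAKE_PTR    0x2000ULL             /* constructed pointer value */

/* Prologue: set up the frame and install the guard. */
static void prologue(struct frame *f)
{
    f->ptr_local = FAKE_PTR;
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD_VALUE;
    f->saved_fp = 0;
    f->ret = FAKE_RET;
}

/* The bug: an unbounded copy into buf. It is written as a memcpy over the
 * frame's own storage so the overflow stays inside one C object (defined
 * behaviour for the model); n is clamped at the end of the frame for the
 * same reason. */
static void vulnerable_copy(struct frame *f, const char *src, size_t n)
{
    size_t room = sizeof *f - offsetof(struct frame, buf);
    if (n > room)
        n = room;
    memcpy((unsigned char *)f + offsetof(struct frame, buf), src, n);
}

/* Epilogue: compare the guard before returning. 0 = intact, 1 = clobbered
 * (propolice aborts the process here instead of returning through ret). */
static int epilogue_check(const struct frame *f)
{
    return f->guard == GUARD_VALUE ? 0 : 1;
}

/* Run the model with n copies of the byte `fill` as the input (constructed
 * input; n is capped at 256) and report the detection flag; the caller can
 * inspect the fields an attacker would care about in *out. */
static int run_model(char fill, size_t n, struct frame *out)
{
    char input[256];
    if (n > sizeof input)
        n = sizeof input;
    memset(input, fill, n);
    prologue(out);
    vulnerable_copy(out, input, n);
    return epilogue_check(out);
}

int detects_with_fill(char fill, size_t n) { struct frame f; return run_model(fill, n, &f); }
uint64_t ret_after_fill(char fill, size_t n) { struct frame f; run_model(fill, n, &f); return f.ret; }
uint64_t ptr_after_fill(char fill, size_t n) { struct frame f; run_model(fill, n, &f); return f.ptr_local; }
```

Two things the model makes visible: an overflow of even four bytes past buf (a 20-byte input) is caught at the epilogue because the guard sits immediately after the array, and ptr_local survives even the 40-byte overflow that rewrites the return address, because the reordering placed it below the buffer where no overflow of buf can reach it.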
Henning Brauer announced today that "altq's functionality has been merged into pf." The ALTQ project page explains that Alternate Queueing "provides queueing disciplines and other QoS related components required to realize resource-sharing and quality of service." Thus PF, the OpenBSD project's state
A new release of the "free, functional and secure" OpenBSD operating system has been made available to the public today. Version 3.2 offers numerous improvements over its predecessor; highlights include a non-executable stack and heap on various architectures, a significant reduction in setuid binaries, the systrace tool, which allows fine-grained control over an application's behaviour and rights at the system call level, a greatly enhanced and improved version of the pf packet filter, and OpenSSH 3.5, as well as numerous other updates, improvements and fixes. Read on for the full announcement.
For a complete list of changes, see the changelog; the CDs can be ordered as of now, and as an alternative, the new release can also be downloaded directly.
Markus Friedl announced the release of OpenSSH 3.5 today, the first release since version 3.4 which was made available in late June after the discovery of an input validation error [story]. This error resulted in the "One remote hole in the default install, in nearly 6 years!" referred to on the OpenBSD home page [story]. OpenSSH 3.4 has had no known security holes.
OpenSSH 3.5 is available for download now, and will also be part of the upcoming OpenBSD 3.2 release available on November 1st. Read on for the release announcement, detailing what's new in this version.
Can Erkin Acar recently announced the availability of "a small curses-based utility for real-time display of pf states and rules." The format of the generated output is quite similar to that of 'top', though in this case displaying information about PF, the packet filter introduced in OpenBSD 3.0. The utility is named 'pfTop'.
I tested the utility on my 64-bit Sparc Ultra 1 which runs OpenBSD 3.1, and was quite impressed, in spite of this being a very early release of the tool. While the program is running, pressing 'h' displays a help screen listing the available commands, and 'v' switches through seven different views of the available information. Details on compilation and a small view of the generated output follow.
A patch was recently submitted to the OpenBSD -misc mailing list introducing a Unified Buffer Cache (UBC). The patch is currently only for the i386 and is the beginning of a port from the NetBSD UBC code. Ted, the author, tagged on the following disclaimer, "I did this mainly for self-interest, and because I want UBC and I want it now. :). Since it's done, I figured I could share, but don't think that the OpenBSD developers have anything to do with this." That said, Ted has noticed a performance boost with his patch.
Learn more about NetBSD's UBC implementation (which the above patch is based upon) in this interesting USENIX paper titled, UBC: An Efficient Unified I/O and Memory Caching Subsystem for NetBSD. The paper explains, "Modern operating systems allow filesystem data to be accessed using two mechanisms: memory mapping, and I/O system calls such as read() and write(). In traditional UNIX-like operating systems, memory mapping requests are handled by the virtual memory subsystem while I/O calls are handled by the I/O subsystem. Traditionally these two subsystems were developed separately and were not tightly integrated." The aim of Ted's patch is to integrate these two subsystems.
After the recent hole found in OpenSSH [earlier story], the OpenBSD home page has been updated with a new slogan: "One remote hole in the default install, in nearly 6 years!" All in all, not a bad track record... (Previously the tagline had read "Five years without a remote hole in the default install!")
Check out the OpenBSD errata page to see the various security fixes applied over time, as well as a list of other known problems.
OpenBSD creator Theo de Raadt recently discussed the possibility of removing 'pppd' from the OpenBSD source tree "because after a year+ of notices about the licenses in it not being completely correct, not much has happened to get this fixed." The OpenBSD web site offers a review of licenses and a thorough explanation of applicable copyright policy.
Theo further explained the issue with pppd, "Most of the licenses in there are not acceptable. Some do not explicitly permit modification. Some do not explicitly permit any use (including sale)." He went on to request that OpenBSD users contact the pppd authors to help get the licensing issues cleaned up, saving pppd from being removed.
Much of the resulting thread follows.
On an OpenBSD mailing list, Kevin Lyda recently asked about a 1997 patent "on keeping state in a firewall". The patent #5,606,668, dated February 25, 1997 is titled "System for securing inbound and outbound data packet flow in a computer network", the abstract describing a packet filter.
Responses to how this patent might affect OpenBSD's packet filter, PF, and other firewall solutions were generally vague. However, OpenBSD creator Theo de Raadt offered, "We're not sure, but like everyone in the industry, we are not worried." He went on to explain that this is because the patent in question is quite specific, "See, a patent has many terms to it. And when they attack based on a patent, every single term must match our implementation. We must be doing it exactly like their patent says. Most early patents had many many terms. New ones have only a few."
OpenBSD 3.1 is out of the door! Many on the OpenBSD mailing lists have already reported receiving the new CDs. From Todd Miller's announcement email:
"It is our pleasure to officially announce the release of OpenBSD 3.1. This year OpenBSD turns 7 years old. In celebration of this milestone, we invite you to enjoy our 11th release on CD-ROM (and 12th via FTP)."
With this release, the OpenBSD home page has increased its security claim to, "Five years without a remote hole in the default install!"