OpenBSD 3.2 Is Back on Track

An eWeek Labs Analyst's Choice, the security-focused operating system offers strong base of features, but upgrade path is difficult.

IT staff can make almost any software system secure with enough pain and wizardry, but getting great security with hardly any effort at all is true magic.

Thats the attraction of the Internets most secure operating system, OpenBSD. The latest release of OpenBSD, Version 3.2, started shipping Nov. 1.

Relative to its security history, OpenBSD had a bad summer: The default installation of OpenSSH (Open Secure Shell) in OpenBSD 3.1 was found to have a remotely exploitable hole. However, this new release (which, of course, includes the fixed OpenSSH 3.5) again shows how the OpenBSD development team leads the market in terms of security.

We get a lot of public relations from software vendors (and were not just talking about Microsoft Corp.) on how various new security efforts will turn things around for them. Fine and good, but time, and nothing else, is the true judge of success. The only evidence of a security turnaround that counts is a drop in the number of remote holes discovered in the code.

OpenBSDs track record—one remote hole in the default install in nearly six years of market exposure—is so far ahead of everyone elses that it stands alone.

OpenBSD does have some significant problems, including a general lack of ISV and hardware vendor backing and the short period of time (one year) that the OpenBSD development team officially supports each release of OpenBSD. In addition, the operating systems update mechanisms can be quite disruptive. Nevertheless, the development teams approach to security is so effective (and, sadly, so rare) that eWeek Labs is honoring OpenBSD 3.2 with an Analysts Choice award.

It literally is our choice when the stakes are high: We are using seven different OpenBSD 3.2-based servers as part of the site infrastructure for eWeeks latest OpenHack security test. There is nothing better out there to get a security-sensitive system up and running. This is particularly true for those deploying firewalls and routers—OpenBSDs built-in packet filter, called pf, provides powerful traffic blocking, port forwarding and network address translation features.

OpenBSD 3.2 can be downloaded for free, or bootable CDs can be ordered at for $40. It runs on several different families of CPUs, but it doesnt support SMP (symmetric multiprocessing). This is a major factor that keeps it out of the higher-end server space—while it can run on SMP machines, it will use only the first CPU.

Although OpenBSD isnt an operating system that many ISVs make a point of supporting, the CD contains a fairly large set of prepackaged open-source server applications that are pre-compiled and ready to install.

OpenBSD installs incredibly quickly—we could go from a blank drive to a functional yet secure Web server or domain name server in 10 minutes flat. The system also has a highly centralized configuration, providing a single place to turn included server packages on or off.

In addition to making it simple to understand whats running and what isnt, OpenBSD has a security policy ingenious in its simplicity: Leave as many features as possible either disabled or uninstalled by default. Why this obvious and simple security best practice isnt more widely adopted is a mystery to us. (The Linux vendors hands are black with guilt in comparison.)

OpenBSD 3.2 also takes greater advantage of the memory protection features built into modern CPUs to block buffer overflow attacks. It now sets program stack memory to be nonexecutable, and on SPARC and Alpha CPUs it also sets program data to be nonexecutable.

The development team has continued to do its intensive code auditing and has been able to significantly reduce the number of executables that have the setuid bit set, effectively reducing the number of programs that need to be run with root privileges to work.

"The impact of many security holes has been significantly reduced. We had 40 exposed setuid programs in 3.1; we now have about nine," said OpenBSD Project Manager Theo de Raadt, in Calgary, Alberta. "Thirty-one of those 40 are not setuid any more, or the setuid is at a trivial level."

Its this kind of attention to detail, this systematic addressing of even minor security risks, that sets OpenBSD apart.

However, despite all this attention to detail, one thing that OpenBSD really lacks is an easy way to maintain the great security that you get from a fresh install. The operating system has no software update tools, other than downloading another cut of the code and re-compiling the kernel and user programs. This can take 12 hours or more and is extremely disruptive to the system.

Unfortunately, this wont change any time soon. "We dont have the manpower to take care of that. Were going to keep doing things the way we are now," said de Raadt, who emphasized the importance of refreshing the whole system every six months or so, something thats tricky to do even with patching tools.

"We may start making stable snapshots. We would put it out two months after the release and continue for six months. ... I think anyone that considers the stable branch to have all the fixes after six months is crazy," de Raadt said.

OpenBSD isnt a do-it-all Unix such as Linux or Solaris, but it is a great tool for those edge-of-the-network spots where things have to be done right the first time.

West Coast Technical Director Timothy Dyck is at