I'm lumping Linux in that group because my impression is that Linus is ambivalent about security--it seems to be just another feature to him (see http://www.washingtonpost.com/sf/business/2015/11/05/net-of-...). Additionally, with most of the popular distros, once I install the OS, I have to spend a bunch of time locking things down before I do anything else, whereas OpenBSD has pretty good defaults that I can build up from. Also, when Ubuntu, one of the most popular Linux distros, started capturing searches by default, that got me questioning their commitment to privacy.
That's not to say there aren't distros and contributors to Linux that care deeply about security--clearly there are. I just don't find the overall ecosystem nor the most popular distros nearly as focused on or as trustworthy on security and privacy. And as the stakes get higher with more of our lives going digital and more companies, states, and criminals trying to take advantage of that trend, I worry.
As for OpenBSD vs FreeBSD, I've had an easier time getting OpenBSD working on my hardware and OpenBSD seems to me more concerned with, focused on, and practically innovative on security--that is to say, they don't just introduce new security features that can be configured and used by someone smarter than me, the OpenBSD folks work hard to introduce new security tech that's on by default with no special knowledge required by the end user, i.e. pledge, W^X.
Then modify the claim to say "some Linux kernels/distros" instead of Linux as a whole. Meanwhile, thanks to CompSci, there's Linux's (eg Criswell's SVA-OS) and FreeBSD's (eg CheriBSD on CHERI) that run with way more security than OpenBSD. They push the state of the art. So, it's a mixed bag.
OpenBSD is actually no different. The developers care a lot about security and quality. Yet, the mere fact that I see OpenBSD desktops in Google images running shoddy applications shows many OpenBSD users make similar tradeoffs to what you described of Linux camp. It's just the kernel and select userland that gets their attention to quality due to limited staff (and their preferences).
> Yet, the mere fact that I see OpenBSD desktops in Google images running shoddy applications shows many OpenBSD users make similar tradeoffs to what you described of Linux camp.
Are these "shoddy applications" not more secure on OpenBSD due to the various mitigations applied to userland software?
We don't know. OpenBSD has so little market share that virtually nobody is testing those mitigations. However, many are similar to mitigations developed on other platforms and beaten. So, they'd probably be beaten with effort, too.
Don't you love reasoning by precedent? Makes these judgment calls so much easier. :)
People are testing the mitigations. For example Qualsys' audit of OpenSMTPD[0] noted that a buffer overflow they found was not exploitable on OpenBSD as even a single byte overflow would smash the stack canary.
That's not trying to break the mitigations: it's simply testing if they stop an exploit which isn't designed to bypass the mitigations. Really easy to pull off. :) Below are examples of a clever scheme for stopping control flow attacks and a successful attempt to breaking it. When I say testing the mitigations, I mean work like what's in the second paper.
Dumb question: Do you mean the field of computer science in general, or some specific tech or organization that uses that name? The former doesn't exactly make sense, but I've not heard of the latter and would be interested ...
It's not a stupid question since I never define it. :) I had an extended discussion/debate with Kragen a while back on engineering software vs programming it. Many in academia and industry came up with methods to do software like a form of engineering with great results in practice. Sometimes even proving its properties. Whereas, programming was anything from throwing crap together to carefully constructing it in a way that uses a subset of engineering concept. I eventually realized we were tripping over definition of "software engineering" since people on his side of fence had that forever tied in their mind to groups pushing processes and Big Methodologies over good code. He kept referring to CompSci so I decided to use it to represent top work out of academia on engineering software to avoid red-flag phrase of "software engineering."
In any case, I can give you some links to illustrate engineering software vs merely programming it. The first gives the concept with good analogies showing why we need it and what the difference is. Others are examples of methods for doing it.
Hope these help illustrate what I mean by engineering software. Although, my use of the CompSci term includes anything else scientific or cutting-edge that's coming out of academia. I'll toss in one more showing secure browsing done right (maybe). :)
> Nobody really objected to the patch series as a whole, but Linus hated the name of the configuration option; he asked that it be called CONFIG_LEGACY_VSYSCALLS instead. Or, even better, the change could just be done unconditionally. That led to a fairly predictable response from the PaX developer on how the kernel community likes to hide security problems, to which Linus said:
>> Calling the old vdso "UNSAFE" as a config option is just plain stupid. It's a politicized name, with no good reason except for your political agenda. And when I call it out as such, you just spout the same tired old security nonsense.
I think this line was meant mainly to refer to his closed source iPhone, OS X, and Windows use. Perhaps he means his Linux usage is one of the more mainstream distributions that readily facilitates installation of binary kernel blobs (e.g. wifi, video), or 3rd party closed source software.
He may also be calling Linux insecure due to it being less uncompromisingly about security. Same could be said about FreeBSD--they aren't necessarily insecure, but they are not as explicitly focussed on that.
OpenBSD invests a great deal here. They have their own fork of Xorg (or was that XFree86?) that runs not as root. As far as I know that's unique amongst libre *nixen.
EDIT: this is what I get for starting a response, getting coffee and resuming my reply. We don't have to speculate what the author of is post intended, and his response is better than mine ;-)
> OpenBSD invests a great deal here. They have their own fork of Xorg (or was that XFree86?) that runs not as root. As far as I know that's unique amongst libre *nixen.
It's a standard feature of Xorg nowadays, but it's only a feature of vanilla Xorg for a few years.
AMD only added KMS to their proprietary driver last year, and Nvidia this year (and IIRC only in a beta driver so far); and systemd makes the permission handling a lot easier. So Ubuntu will transition to it eventually, but didn't have all puzzle pieces until too recently for even 16.04 LTS.
IMHO, I found it unconvincing. It soured me on the rest of the episode and its not really my watch as soon as its out podcast anymore. I guess since every segment is basically a FreeBSD segment no matter what OS they are talking about, it had to go that way.
why not freebsd? the freebsd project seem to focus exclusively on post-attack with jails and trustedbsd mac. fbsd has not implemented any of the modern exploit mitigation techniques. i mean, even os x has had full aslr since 2012 lol.
some years ago fbsd was forked to hardenedbsd which has aslr, mprotect restrictions, non-exec pages on cpus w/o NX, randomized lib loading order, etc. i guess the freebsd project is too busy fighting meritocracy cus none of it has been merged as far as i can tell.
as for linux, plenty has been written on linus' stance on what he considers to be a "security circus"; and the mantra on lkml is still that "a bug is a bug". just watch oss-sec and see distro people wading through kernel commit logs (hyperbole) cus sec-related bugs usually aren't reported downstream
> FreeBSD lacks basic low-level exploit mitigation, such as Address Space Layout Randomization (ASLR)
the whitepaper you linked was published in 2014 by Shawn Webb, one of the people behind the hardenedbsd fork. that same year a submission for review was opened on phabricator[1] re. merging their aslr work in mainline fbsd.
it was closed on 2015-10-19:
> Closing this revision. FreeBSD is free to pull from HardenedBSD.
another aslr review request was then created on 2016-03-10 by Konstantin Belousov[2]:
> This revision needs review, but there are no reviewers specified.
that same day he sent a call for testing to freebsd-arch[3].
there is also a bugzilla ticket[4] for the people waiting for freebsd to catch up with 2001.
FreeBSD lacks (or disables) most mitigations OpenBSD (and usually Windows, or some Linux distros) have, like ASLR, stack protector, W^X, PIE applications by default, libc.so symbol randomization, pledge()'d ports, etc.
I love FreeBSD, and use it a lot, and I wish these were all implemented, but until then, it pains me that FreeBSD has less mitigations enabled than Windows and good Linux distros.
Since OpenBSD can be backdoored[1] with the same ease that the Linux kernel could be backdoored, I have no idea why all the fuss. Debian is pretty thorough in NOT including proprietary software if that's what we're talking about.
As far as I'm concerned, it's good to have options and the OpenBSD developers have created software that I use daily (OpenSMTPd, SSH, PF, etc.) and for that, I'm thankful!
ps. I know that developing IPSEC backdoors is not easy by any means. But the subsequent Theo De Raadt answer, was that he can't tell if there are backdoors or not. That was my point.
No, no with the same ease.
Every OpenBSD commit is throughly reviewed, and there is only a bunch of commiters. Compared with linux, with thousands of commiters and tons of code added every day, OBSD is way more difficult to backdoor.
Not having a formal kernel module system does not actually mean the kernel is secure. Exploits to create module loading systems out of kernel vulnerabilities are approximately as old as stack overflow exploits.
NX enforced kernel W^X, SMEP/SMAP, always-on stack protector and a limited attack surface (..say, from pledge(2)), only serve to make such theoretical attacks impractical against OpenBSD.
That's not to say there aren't distros and contributors to Linux that care deeply about security--clearly there are. I just don't find the overall ecosystem nor the most popular distros nearly as focused on or as trustworthy on security and privacy. And as the stakes get higher with more of our lives going digital and more companies, states, and criminals trying to take advantage of that trend, I worry.
As for OpenBSD vs FreeBSD, I've had an easier time getting OpenBSD working on my hardware and OpenBSD seems to me more concerned with, focused on, and practically innovative on security--that is to say, they don't just introduce new security features that can be configured and used by someone smarter than me, the OpenBSD folks work hard to introduce new security tech that's on by default with no special knowledge required by the end user, i.e. pledge, W^X.