Hacker News new | ask | show | jobs
by quisquous 3700 days ago
I'm lumping Linux in that group because my impression is that Linus is ambivalent about security--it seems to be just another feature to him (see http://www.washingtonpost.com/sf/business/2015/11/05/net-of-...). Additionally, with most of the popular distros, once I install the OS, I have to spend a bunch of time locking things down before I do anything else, whereas OpenBSD has pretty good defaults that I can build up from. Also, when Ubuntu, one of the most popular Linux distros, started capturing searches by default, that got me questioning their commitment to privacy.

That's not to say there aren't distros and contributors to Linux that care deeply about security--clearly there are. I just don't find the overall ecosystem nor the most popular distros nearly as focused on or as trustworthy on security and privacy. And as the stakes get higher with more of our lives going digital and more companies, states, and criminals trying to take advantage of that trend, I worry.

As for OpenBSD vs FreeBSD, I've had an easier time getting OpenBSD working on my hardware and OpenBSD seems to me more concerned with, focused on, and practically innovative on security--that is to say, they don't just introduce new security features that can be configured and used by someone smarter than me, the OpenBSD folks work hard to introduce new security tech that's on by default with no special knowledge required by the end user, i.e. pledge, W^X.
2 comments
nickpsecurity 3700 days ago
Then modify the claim to say "some Linux kernels/distros" instead of Linux as a whole. Meanwhile, thanks to CompSci, there's Linux's (eg Criswell's SVA-OS) and FreeBSD's (eg CheriBSD on CHERI) that run with way more security than OpenBSD. They push the state of the art. So, it's a mixed bag.

OpenBSD is actually no different. The developers care a lot about security and quality. Yet, the mere fact that I see OpenBSD desktops in Google images running shoddy applications shows many OpenBSD users make similar tradeoffs to what you described of Linux camp. It's just the kernel and select userland that gets their attention to quality due to limited staff (and their preferences).

link
neerdowell 3700 days ago
> Yet, the mere fact that I see OpenBSD desktops in Google images running shoddy applications shows many OpenBSD users make similar tradeoffs to what you described of Linux camp.

Are these "shoddy applications" not more secure on OpenBSD due to the various mitigations applied to userland software?

link
nickpsecurity 3700 days ago
We don't know. OpenBSD has so little market share that virtually nobody is testing those mitigations. However, many are similar to mitigations developed on other platforms and beaten. So, they'd probably be beaten with effort, too.

Don't you love reasoning by precedent? Makes these judgment calls so much easier. :)

link
neerdowell 3700 days ago
People are testing the mitigations. For example Qualsys' audit of OpenSMTPD[0] noted that a buffer overflow they found was not exploitable on OpenBSD as even a single byte overflow would smash the stack canary.

[0] https://www.qualys.com/2015/10/02/opensmtpd-audit-report.txt

link
nickpsecurity 3700 days ago
That's not trying to break the mitigations: it's simply testing if they stop an exploit which isn't designed to bypass the mitigations. Really easy to pull off. :) Below are examples of a clever scheme for stopping control flow attacks and a successful attempt to breaking it. When I say testing the mitigations, I mean work like what's in the second paper.

https://www.usenix.org/system/files/conference/usenixsecurit...

http://www.cs.berkeley.edu/~daw/papers/cfi-sec15.pdf

Note: Native Client, which protects Chrome, is a form of Control-flow Integrity. Hence, me using it as an example.

link
neerdowell 3700 days ago
I'm not seeing your point. A vulnerability was found in OpenSMTPD. That vulnerability could not be exploited on OpenBSD because there was no way to overflow the buffer without smashing the stack canary. If you had the same version of OpenSMTPD running on a generic Linux kernel or on Mac OS X, it was vulnerable. On OpenBSD it was not. Ergo, OpenSMTPD running on OpenBSD is more secure than OpenSMTPD running on other platforms that do not provide the same mitigations.

At least, that's the way I see it.

Now, are you saying that because it's possible to bypass the mitigations in some other cases, preventing that vulnerability (and others) doesn't matter?

Or, are you saying that it would be possible to craft an exploit that bypassed the stack protection for that particular vulnerability? In which case I would love to see your PoC.

Or something else?

link
hackuser 3700 days ago
> thanks to CompSci ...

Dumb question: Do you mean the field of computer science in general, or some specific tech or organization that uses that name? The former doesn't exactly make sense, but I've not heard of the latter and would be interested ...

link
nickpsecurity 3699 days ago
It's not a stupid question since I never define it. :) I had an extended discussion/debate with Kragen a while back on engineering software vs programming it. Many in academia and industry came up with methods to do software like a form of engineering with great results in practice. Sometimes even proving its properties. Whereas, programming was anything from throwing crap together to carefully constructing it in a way that uses a subset of engineering concept. I eventually realized we were tripping over definition of "software engineering" since people on his side of fence had that forever tied in their mind to groups pushing processes and Big Methodologies over good code. He kept referring to CompSci so I decided to use it to represent top work out of academia on engineering software to avoid red-flag phrase of "software engineering."

In any case, I can give you some links to illustrate engineering software vs merely programming it. The first gives the concept with good analogies showing why we need it and what the difference is. Others are examples of methods for doing it.

What is High-Assurance and Software Engineering? http://web.cecs.pdx.edu/~hook/cs491sp08/AssuranceSp08.ppt

Cleanroom Software Engineering http://www.engr.mun.ca/~dpeters/7893/Notes/presentations/Cle...

High-assurance CA with Altran/Praxis' method http://www.sis.pitt.edu/jjoshi/Devsec/CorrectnessByConstruct...

Hope these help illustrate what I mean by engineering software. Although, my use of the CompSci term includes anything else scientific or cutting-edge that's coming out of academia. I'll toss in one more showing secure browsing done right (maybe). :)

https://www.usenix.org/legacy/events/osdi10/tech/full_papers...

link
hackuser 3698 days ago
Thanks!
link
jevinskie 3700 days ago
An example of Linus' attitude:

> Nobody really objected to the patch series as a whole, but Linus hated the name of the configuration option; he asked that it be called CONFIG_LEGACY_VSYSCALLS instead. Or, even better, the change could just be done unconditionally. That led to a fairly predictable response from the PaX developer on how the kernel community likes to hide security problems, to which Linus said:

>> Calling the old vdso "UNSAFE" as a config option is just plain stupid. It's a politicized name, with no good reason except for your political agenda. And when I call it out as such, you just spout the same tired old security nonsense.

https://lwn.net/Articles/446528/

link