title: OpenBSD's Philosophy date: 2024-04-17 18:00 tags: OpenBSD security correctness
I have talked about OpenBSD before in this blog, and I recently
watched a talk by OpenBSD's leader Theo de Raadt about pledge ()
and
arc4random()
. He described OpenBSD's design philosophy so well, that
I wanted to write it down. You should definitely take some time to
hear Theo speak. He's entertaining, and his talks are super awesome!
So a long time ago (early 90s ?), a cracker (1) broke into Theo's OpenBSD's syslog. This got Theo to examine OpenBSD's source code to fix any lingering bugs, and he found a lot. He realized that trying to constantly examine source code to prevent bugs is a never ending process. He wanted to ensure code quality got better over time. He envision an operating system that that enforced code correctness like the below ASCII art shows.
__________________________
| Poorly written programs |
| crash on OpenBSD. |
| ---------------------- |
| | Correctly written | |
| | programs run well | |
| | on OpenBSD. | |
| ---------------------- |
---------------------------
He wondered if he could create features to slightly narrow the things that applications could do. When poorly written programs run on OpenBSD, they crash in deterministic ways, but correct programs work just fine. Theo also made sure that "mitigations", or checks to ensure a program's correctness, cannot be turned off on OpenBSD. If a user or a project manager has a problem with an application not working on OpenBSD due to a toggleable security feature, then the user or project manager will just turn off the feature. So to ensure that programs abide by the mitigations, OpenBSD enforces their security policies.
OpenBSD also makes it easy to use their security features. If they introduce a policy that is manatory, they try to make the API easy to use. If you create a security policy that is hard for the programmer to use, then the security policy won't be used.
When OpenBSD creates a new mitigation, their application porters port
3rd party software packages to OpenBSD. Typically these changes find
their way into the upstream packages. What's awesome is that usually
other operating systems start to use OpenBSD mitigations on their
systems 5 years after OpenBSD introduced them. Windows, Mac, and
Linux applications all benefit from the strict standards that OpenBSD
creates. Theo's talks gave two examples for this: pledge ()
and
arc4random ()
.
Here's a question for you. How do you get random data? Well you read
/dev/random
of course. Simple. Easy. Done. That used to be how
things were handled. Apparently reading from /dev/random
has some
limitations that Theo mentioned. Can you read from /dev/random
inside the kernel? Inside a library? In your libc? Reading from
/dev/random
is not perfect. Theo wanted to make something better.
OpenBSD created arc4random ()
as a better source of entropy. It is
a C function that almost any application can call (even the kernel),
most of the time. This lets many applications, libraries, etc. easily
use random numbers. What's surprizing to me is that many operating
systems use arc4random ()
or a function like it, so that more
applictions can easily request random data. This function (or one
like it) exists on your Android phone, iPhone, iMac, and sort of on
Linux thanks to OpenBSD.
What's pledge ()
? Oh ho, let me tell you! Let's take a look at a
typical program.
int main () {
initialize_stuff();
for (;;) {
;; let's run the program
}
}
Most programs have an initialization phase followed by a loop, in
which the application runs. The OpenBSD team realized that the
initialize phase uses most of the system calls. After the initialize
phase, the program typically needs less system calls. OpenBSD's
pledge ()
was created in response to this pattern present in most
programs.
pledge ()
is a security call, by which an application tells the
kernel, "I pledge to only do these things and no other." For example,
"I pledge to only output text". Or "I pledge to only access the
internet and output text." If the application tries to do something
that it has pledged not to do, then OpenBSD kills the application.
A really interesting blog post that talks about this is at justine's blog.
After watching two of Theo's talks, I am fairly convinced that his design goals are slowly working to make all POSIX operating systems more correct and secure. I used to dual boot Guix System and OpenBSD, but unfortunately my spare SSD busted. So for now I am only using Guix System. I personally prefer to use Guix System for my linode server (that powers this blog), because Guix makes it easy to manage servers.
I wish that the Guix developers could one day create Guix OpenBSD
System, but I have been told that Guix System assumes your libc is
glibc
and that OpenBSD cannot currently make isolated build
environments as well as Linux can. Also fun fact OpenBSD is not
currently working on reproducible builds. :)
My two only minor complaints with OpenBSD currently are:
If you want to try OpenBSD, give it a shot! It works really well on most lenovo laptops and most desktop machines.