A book on code auditing?
Would you and/or other members of the OpenBSD coders consider writing a book on secure, bug-free coding and auditing? Most programming books feature sample code that is written for pedagogical purposes. Quite often this runs contrary to how secure code should be written, leaving a gap in many a programmers knowledge. A book on audinting and how to avoid security pitfalls when coding would also make your life easier - less code to audit for OpenBSD, and more time top concentrate on nifty new features!!!
There is perhaps a split between the two issues you bring up. On the one side is secure coding, as in code written to be secure by the original author(s). On the other side, auditing, which is where an outsider (or an insider) later on goes and tries to clean up the mess which remains. And there is always a mess. Perhaps part of the problem is that a huge gap lies between these two. In the end though, I think that a book on such a topic would probably have to repeat the same thing every second paragraph, throughout the book: Understand the interfaces which you are coding to! Understand the interfaces which you are coding to! Most of the security (or simply bug) issues we audited out of our source tree are just that. The programmer in question was a careless slob, not paying attention to the interface he was using. The repeated nature of the same classes of bugs throughout the source tree, also showed us that most programmers learn to code by (bad) examples. A solid systems's approach should not be based on "but it works". Yet, time and time again, we see that for most people this is the case. They don't care about good software, only about "good enough" software. So the programmers can continue to make such mistakes. Thus, I do not feel all that excited about writing a book which would simply teach people that the devil is in the details. If they haven't figured it out by now, perhaps they should consider another occupation (one where they will cause less damage).
Making the rest secure
OpenBSD has a well deserved reputation for security "out of the box" and for the fact the inbuilt tools are as secure as they're ever likely to be. However, the Ports system is, perhaps, an example of where the secure approach currently has limitations - an installation of OpenBSD running popular third-party systems like INN can only be so secure because the auditing of INN, and other such software, is outside the scope of the BSD audit.
My question is, has the OpenBSD team ever proposed looking into how to create a 'secured ports' tree, or some other similar system, that would ensure that many of the applications people specifically want secure platforms like OpenBSD to run could be as trusted as the platforms themselves?
We have our hands already pretty full, just researching new ideas in our main source tree, which is roughly 300MB in size. We also lightly involved ourselves in working with the XFree86 people a while back for some components there. Auditing the components outside of this becomes rather unwieldly. The difficulty lies not only in the volume of such code, but also in other issues. Sometimes communication with the maintainers of these other packages is difficult, for various reasons. Sometimes they are immediately turned off because we don't use the word Linux. Some of these portable software packages are by their nature never really going to approach the quality of regular system software, because they are so bulky.
But most importantly, please remember that we are also human beings, trying to live our lives in a pleasant way, and don't ussually get all that excited about suddenly burning 800 hours in some disgusting piece of badly programmer trash which we can just avoid running. I suppose that quite often some of our auditors look at a piece of code and go "oh, wow, this is really bad", and then just avoid using it. I know that doesn't make you guys feel better, but what can we say...
OpenBSD, security, et al.
With the release of SGI's B1 code, and the attempts by many U*ixen to secure their contents via capabilities, ACL's, etc, ad nausium, how is OpenBSD approaching the issue of resource control?
On a side note, is OpenBSD likely to ever head in the direction of being a distributed kernel? And, if so, how would security and resource management be maintained? (It's hard enough on a central kernel system.)
On the first question, I think there is great confusion in the land of Orange Book. Many people think that is about security. It is not. Largely, those standards are about accountability in the face of threat. Which really isn't about making systems secure. It's about knowing when your system's security breaks down. Not quite the same thing. Please count the commercially deployed C, B, or even A systems which are actually being used by real people for real work, before foaming at the mouth about it all being "so great". On the other hand, I think we wil see if some parts of that picture actually start to show up in real systems, over time. By the way, I am surprised to see you list ACLs, which don't really have anything to do with B1 systems.
As to the second issue, I have no idea what a distributed kernel is, nor do I see how anything like that would improve security or quality of a system.
Forks and cooperation
A lot of people know that OpenBSD forked from NetBSD, and there's still some animosity between the two groups. Personally, I think that the competition has helped both groups (NetBSD now ships with far fewer open services, for example).
Egos are delicate things, but do you see any chance for greater cooperation in the future, or do you see more forking and division as inevitable?
Considering that NetBSD has maintained a black-hole route to the OpenBSD project networks for roughly four years, I don't see how any cooperation at higher levels are possible. However, there are developers who work on multiple projects. Some of them used to complain about having troubles from various groups. Nowadays, I think they've got it easier. Politics do not dictate developer relationships these days.
In Linux land, it appears that projects fork for financial reasons. In BSD land, it appears that the forks that have happened were purely political reasons. I don't know what will happen. It's been 5 years since the last fork in the BSD camp. Why are you guys so fork paranoid? Do you want everyone to vote for the same political party, too?
I have only been using OpenBSD for a short while now, so forgive me if this question is based upon some incorrect assumtions.
OpenBSD's kernel design seems to be of the monolithic species. OpenVMS (no relation) and NT are two prominent operating systems that use a microkernel archetecture. The microkernel design seems to me to be fundamentally more secure, since there is less priveledged code. Further, if one of the servers is compromised, the damage is minimezed.
My question is this: Is the OpenBSD design fundamentally secure, or is it only a very well done implementation of a basically flawed design?
I don't think it makes any difference, whatsoever. I think your computer science teachers are still teaching you from books written in the 80's, when the word "micro-kernel" was associated with a future utopia. We do not think that NT is a microkernel, and are you really so sure that OpenVMS is? A microkernel is not a kernel that does things through loadable modules. As well, I don't think it makes any difference, as long as a system does what it is supposed to do.
Where Did You Learn Your Code Audit Discipline?
Did the drive to audit code come from the need or the design of BSD? Or was it initially a whim? More imporantly, where did you learn it from? Is their some "mentor" you looked too for ridge design? I have to admire your team's daunting code reviewing...I wonder if I'll ever have that kind of meticulous coding nature.
The auditing process developed out of a desire to improve the quality of our operating system. Once we started on it, it becames fascinating, fun, and very nearly fanatical. About ten people worked together on it, basically teaching ourselves as things went along. We searched for basic source-code programmer mistakes and sloppiness, rather than "holes" or "bugs". We just kept recursing through the source tree everytime we found a sloppiness. Everytime we found a mistake a programmer made (such as using mktemp(3) in such a way that a filesystem race occured), we would go throughout the source tree and fix ALL of them. Then when we fix that one, we would find some other basic mistake, and then fix ALL of them. Yes, it's a lot of work. But it has a serious payback. Can you imagine if a Boeing engineer didn't fix ALL of the occurances of a wiring flaw? Why not at least try to engineer software in the same way?
Linux has FreeSco, a product that fits on a 3.5 inch floppy disk and acts as a router and NAT (Network Address Translation). I always thought something like this would be ideal for OpenBSD. After all, I would rather trust OpenBSD than Linux for this.
Are there any plans to produce something like this? Something with a very simple user interface that is quick and easy to get set up? I'd love to play with OpenBSD and do it by hand but I simply do not have the time.
I must say that I am not a fan of these floppy-based routers. Essentially, you are taking one of the most unreliable pieces of storage known to man, and trying to build security infrastructure on it. That's madness. Just buy a small disk. Perhaps somethings based on a CD plus some other (non-floppy) persistant storage might be sane. But please. Not floppies. Are you mad?
Any advise for code auditers? Can you share any tips or techniques you have found useful in uncovering bugs? What do you first look for in a fresh piece of code? What about a mature piece of code?
I suppose the biggest tip would be to become a better programmer. In particular, study what functions that programs are calling, and ensure that the calling code is following the rules of those functions 100%. How many of you understand the complete & correct semantics of every function in libc, or even just the libc functions being called by the program you are looking? (I mean, we went through our entire source tree, and about half the strncat() and strncpy() calls were subtly wrong, even if it only meant they copied a character extra and then zero'd it out -- it is still sloppy).
When you know exactly what the APIs are, you'll spot the bugs very easily. In my mind, it is the same as any other job that requires diligence. Be careful. Humans learn from examples, and yet, in this software programming environment, the tremendous complexity breeds non-obvious mistakes, which we carry along with us, and copy into new chunks of code. We've even found in manual pages where functions were mis-described, and when we found those, lots of programmers had followed the instructions incorrectly...
Dual Processor Support
Although there has been some indication that people are interested in running OpenBSD on machines with dual or quad processors, it appears that there are not enough resources and volunteers available to make this a reality. Although I use OpenBSD for my web server, I am by no means an expert, at this, but I'm curious nonetheless.
From what I've heard, multiprocessing support is going to be a very tricky thing to implement, because it gives rise to so many possible exploits, particularly with regards to race conditions. I also understand that it would take a remarkable amount of effort and time to rewrite much of the code base for SMP without compromising the OS's integrity.
With that in mind, what kind of resources would you need before you could seriously consider attempting dual or quad processor support? And, if you were given unlimited access to those resources, how long would it take before a -stable release would be ready? I would really like to see this feature get implemented, although I know that at this point your developer team is busy enough as it is.
At this time, we are not working on SMP. It's a lot of work, and not considered the most interesting thing to our developers. Sorry.
Thanks for your work, Theo. I use OBSD every day as a workstation and as a firewall, and the Cop-chasing-script-kiddie t-shirt is the best.
If you could time warp back to the beginning of OpenBSD's development (ignoring the scism that brought you to that point), what would you do differently? Would you have chosen a more commercial focus? Pushed SMP development earlier? Run around in circles waving your hands in the air?
On another note, what's your feeling about commercial use of OpenBSD? i.e., do you support it, tolerate it, or what? (better example, I make a set-top box running OpenBSD, and I need the OS to do "X". If I called you and said, "Theo, I need OpenBSD to support 'X'", would I be told to piss up a rope, write it myself, or would the OpenBSD team do it for a price?)
The licence on our code is pretty clear. We want vendors to use our code. We want commercial operating systems to ship with OpenSSH. Not shipping with an SSH varient causes great grief, and it is time that ends.
Same goes for OpenBSD. We would prefer if companies building commercial network appliances used OpenBSD, rather than writing their own operating systems. Typically, these companies are very comfortable with solving the problems within their application space. Yet, there is a history of these companies writing their own cruddy operating systems, and at the same time writing worse applications.
It would be better if routers, firewalls, telephone switches, fileservers, and whatever else used reliable components, designed by people who care.
So go ahead, use any parts of OpenBSD as parts of commercial systems.
Full Disclosure And Version Numbering
First of all, I want to thank you for the hard work you've done building OpenBSD. It truly is a wonderful package.
Much of the security in OpenBSD lies under the hood in the work you've done cleansing the source of unsafe library calls. While this work is appreciated, I've become more and more concerned lately about the fact that these changes are not necessarily documented and certainly not reflected in the version number of an application or utility.
Version numbers reflect a snapshot in the life of a codebase. They're used to reference unsafe editions or particularly stable builds. Major number reflect code branches, but minor numbers reflect specific states of the code -- such is the expectation of a user or an administrator when a version number is detected. Without granularity of versioning, I have no reason to trust or distrust a given application by its number; I must personally audit its source -- and end up giving it a number of my own.
You and your team are code auditing masters. Rather than pollute the namespace by making indistinguishable your securely built modified code and the original(and, by extension, your secure code and numerous unnamed distributions' "just get it to compile" modifications), wouldn't it be appropriate for OpenBSD to apply a name extension to any package which it has modified, and in the interests of full disclosure, to provide a reasonable CHANGELOG of the fixes contained therein?
Two numbers exist for every component of OpenBSD. One number is the release that the piece came in, ie. 2.8.
The other number exists in each source file that was built. And that number is also in each binary that was built from those files. You can use the what(1) command to determine the revisions of source files which make up each binary.
As to the "original" you talk about, there is no original. OpenBSD uses it's own components. I don't know what packages you are talking about. cat is cat. ftpd is ftpd. tar is tar. It's the one that came with a certain release. In the systems approach, the version numbering that other groups do is sometimes invalid, because pieces (such as libraries) are all part of the picture.
Was the last plane you were on using front wheel version 2.7 or 2.9? You don't care. You do however care greatly that a "systems approach" was used to ensure that it was whole. And in the OpenBSD case, that means pick a version, and install the patches.
Asking for more means that you want us to do less work on the system, and more version numbering.
Where does the money go?
I've seen reports of estimated CD sales per release at being as high as 10000. Add in t-shirt/poster sales and donations and a relatively considerable sum of money is flowing around OpenBSD. Combine this with the fact that checks are to be written to Mr. de Raadt and I get curious as to how the finances are handled. Not that I'm suggesting any misappropriation is occurring, I would just like to know who is in charge of the money and whether or not the OpenBSD project is registered as a non-profit organization (and if it is then checks should be made out to - and the CD image should be copyrighted to - that organization). Also, I would like to see a small financial report put out (as would be required if it were a non-profit organization in Alberta) so that users can see where their money is going. Plus, I would also like know exactly how many CDs are sold per release.
I greatly appreciate the work that the OpenBSD project developers have put in, and I plan on continuing to use, purchase, and donate to OpenBSD (and maybe even contribute when I get the technical skills) regardless of the answer to this question: Where exactly does the money go?
We've not yet sold 10,000 CDs in a release. Hopefully we will soon. The project ends up with a bit less than 50% of the revenues from CD sales. The tshirt business is doing OK, but you make a lot less selling textiles. With posters we operate just above break-even. Even though some are sold on the web, most turn out to be free handouts at most conferences. That is how I planned the posters to operate.
We have thought about becoming a non-profit organization, but it is not really a good idea. It would not provide any real benefit -- to you -- as the masses. Especially in Canada, there are costs and serious responsibilities associated with doing such a thing. We would be giving up a lot of freedom, and would need to hire someone to do a lot of accounting. Also, since many of our donations come from outside Canada, we still could not really generate taxable benefits to you. (And I must ask, why are people so cheap, that they only give donations when it provides a partial reduction in their taxes, rather than a real donation? I actually find that pretty fake.)
Money from the project goes to various things. First off, it ensures that I can work full time on OpenBSD, and not need another job. I am also hoping to do the same for other developers in the project, who have indicated that they are interested in doing so. Secondly, certain grimey, unenjoyable, and very important development tasks sometimes put a bit of money in developer pockets. Some OpenSSH work was funded by matching OpenBSD money against donations from a Van Dyke. Thirdly, the project buys a fair amount of hardware: In powerpc land alone, 4 machines this year. Fourth, shipping costs to conferences sometimes severely cut into profits from sales. And finally, when developers get together to do hacking, project money sometimes pays for various things, like airplane tickets, accomodation, and sometimes even some beer. And beer results in ideas, which results in new code.
Before you ask: yes, we'll be doing Slashdot interviews with people from other *BSD projects in the near future - Robin