What’s OpenBSD? Overview & Latest Features


Network edge devices such as routers and firewalls, along with any web servers exposed directly to the Internet, present a distinct security challenge to an administration team. They sit at the fringes of the network and are responsible for protecting the internal network devices.

If a perimeter device is compromised, attackers can run rampant through the network, attacking the less secure devices in the internal network, such as Windows servers. Protecting these devices is of paramount importance to the system and network administration teams. Consequently, considerable care must go into the choice of operating system for such a device.

This article will explore the OpenBSD operating system and why you should choose it for your next web server project.

What’s OpenBSD?

OpenBSD is regarded as the most secure general-purpose operating system to date. OpenBSD was forked in 1995 from NetBSD (read more on the full history below) and is widely regarded as the most secure Unix-like operating system available. OpenBSD aims to be secure by default, meaning that one does not need to be a security expert to have a highly secure system. It is regarded as safer than other *BSD variants such as FreeBSD or NetBSD, Linux distributions, Microsoft Windows, and even Mac OS. OpenBSD has only had two remote code execution vulnerabilities in the entire operating system's history.

OpenBSD offers per-process resource limits, plus Pledge and Unveil to limit access to system calls and the file system, making it considerably more secure than Linux. Theoretically, the only thing safer than OpenBSD is some of the research microkernel projects used in real-time systems.

OpenBSD Operating System Latest Version and Features

OpenBSD 7.0 is the 51st and most current release and was made available on October 14, 2021. There are a total of 11,325 packages available, including PHP 7.3.30, 7.4.23, and 8.0.10, and MariaDB 10.6.4.

Some major external programs included in OpenBSD 7.0 are: 

  • LLVM/Clang 11.1.0.
  • Xenocara (based on X.Org 7.7 with xserver 1.20.13 + others).
  • Perl 5.32.1.

Some built-in programs for OpenBSD 6.9 include: 

  • OpenSSH 8.8.
  • LibreSSL 3.4.1.
  • OpenSMTPD 7.0.0.

OpenBSD is also the home project of the packet filter (PF) firewall used in the firewall distributions pfSense and OPNsense, and of the tmux terminal multiplexer. All of these programs are included in the base install.

OpenBSD follows a brisk six-month release cycle, with releases in April or May and October or November, helping to keep your data secure. In addition, releases are supported for one year.

Keeping OpenBSD updated had been difficult during the 6.x release cycles. With the release of sysupgrade and syspatch, upgrading to a new version and installing security patches for the current version are now easier.

Yes, a one-year support cycle is shorter than the ten years of an RHEL (Red Hat Enterprise Linux) release, the gold standard in long-term support, but OpenBSD can be used on servers successfully. Even the -CURRENT version, the branch where the main development happens, is kept bootable and working at all times. This makes releases stable. The -STABLE branch, which is a -RELEASE with errata applied, is also stable.

What Systems Does OpenBSD Run On?

  • Most AMD64 (x86_64) systems, from Dell servers to Lenovo laptops.
  • Old 32-bit hardware, including processors as old as the 486 from AMD and Intel.
  • More exotic systems, including POWER8 and POWER9 based servers from IBM, and SPARC64 servers from Sun Microsystems, Fujitsu, and Oracle.

History of OpenBSD

OpenBSD traces its roots back to the original AT&T UNIX of the 1970s, specifically the branch created at the University of California at Berkeley.

Two modern open-source BSDs were created from work at UC Berkeley: NetBSD and FreeBSD. Both projects began around the same time from a version of BSD UNIX called 4.4BSD-Lite2.

All modern BSD operating systems can trace their roots back to 4.4BSD and the early FreeBSD and NetBSD projects. A few examples include:

  • iOS on Apple smartphones.
  • Apple OS X.
  • The operating system used on the Sony PlayStation 3 and 4.
  • The four main BSD projects: FreeBSD, OpenBSD, NetBSD, and DragonFly BSD.
  • Numerous offshoots such as HardenedBSD, pfSense, FreeNAS/TrueNAS, and GhostBSD.

OpenBSD is a fork of an early version of NetBSD. The creator of OpenBSD, Theo de Raadt, was a contributor to the NetBSD project.

He believed that security should be a top concern of the project and was very vocal about it. Unfortunately, de Raadt's increasingly vocal arguments eventually led to him losing access to the NetBSD project's repository.

His response was to fork NetBSD 1.0 and start the OpenBSD project in October 1995.

5 Reasons Why OpenBSD is the Right Choice

1. Portability

OpenBSD runs on a wide range of hardware, from AMD64 servers, laptops, and desktops to MIPS routers and ARM system-on-a-chip solutions. It also runs on POWER and SPARC servers as well as older relics like DEC VAX computers.

OpenBSD supports so many different hardware platforms for a few reasons:

  • Its NetBSD lineage already supported many platforms.
  • The OpenBSD developers want to continue supporting many platforms.

A very positive side effect of the wide range of hardware support is that it helps track down bugs that would otherwise go unnoticed.

The OpenBSD platforms include 32-bit and 64-bit processors, little- and big-endian machines, and many different designs. Supporting unusual platforms has helped produce a higher-quality code base.

2. Power

Since OpenBSD supports so many older hardware architectures, it must be conservative with resources such as CPU and RAM. Among x86 processors, chips as old as the Intel 486 are supported, and while these machines have very little RAM and processing power, OpenBSD still runs on them. There is even a dmesg of OpenBSD running on a 486 clone.

3. Documentation

OpenBSD is regarded as having the most extensive documentation of any operating system. Documentation errors are treated as serious bugs.

4. Freedom

OpenBSD is free in both senses of the word: free of cost and free to use as you wish.

OpenBSD is released under the terms of the BSD and ISC licenses, plus a few other permissive licenses for some content. The OpenBSD version of the ISC license partly reads:

"Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies."

This makes the ISC license more friendly than the GPL used by Linux, because changes are not required to be contributed upstream. For instance, the OpenBSD implementation of OpenSSH is used everywhere, from Linux to Windows 10.

5. Correctness

Correct code is secure code, so to speak. Some operating systems would not consider a use-after-free (accessing memory that has been allocated, freed, and then used again, in the C language) a serious bug, but it will be addressed on OpenBSD. This matters because C is not a memory-safe language. It is as close to the hardware as you can get without resorting to assembly language and is the lowest-level language for portable programming.

Some software crashes more frequently on OpenBSD than on other operating systems, because behavior that is permitted on other OSes is not allowed on OpenBSD. This made OpenBSD frustrating to use as a desktop OS in the past. Today, developers improve the code frequently, fixing the crashes so that all operating systems benefit. Google's Chromium project is an example of this.

Some bugs have only been found when porting to new or obscure architectures. That is why new architectures like 64-bit PowerPC were added in release 6.8, why 6.9 and 7.0 added support for the Apple M1 arm64 processor, and why 7.0 adds support for RISC-V (an architecture that, like ARM, is based on the Reduced Instruction Set Computer design).

OpenBSD Security

OpenBSD is the most secure OS on the planet. Several features of OpenBSD contribute to its being a highly secure operating system.

Listed below are a few unique security tools pioneered by OpenBSD and enabled by default only there. Some are such good security ideas that they have been ported to other operating systems, but not enabled by default.

OpenBSD Style Privilege Separation

Suppose you have a server running an OS other than OpenBSD that is compromised via SQL injection. If that SQL server was running as a regular user, the attacker could wreak havoc on the system. OpenBSD runs its built-in web server as the user www, a locked-down account. Moreover, it runs inside a chroot jail. Finally, it runs with a shell that does not permit logins. The attacker cannot even reach a shell prompt to run commands.

Other operating systems support chroots but rarely use them, and certainly not by default. Flatpak on Linux and jails in FreeBSD are examples of the rest of the open-source world copying OpenBSD.

Write XOR Execute

The next security feature that OpenBSD pioneered is known as write XOR execute (W^X). A page in the address space of a process or the kernel can be writable or executable, but not both. OpenBSD was the first operating system to introduce this feature, in version 3.3 in 2003.

Some Linux distributions are only starting to incorporate this feature, while OpenBSD has provided it for nearly twenty years.

Guard Pages

Similarly, guard pages were incorporated into OpenBSD in 2003. Guard pages insert an unreadable and unwritable page in memory at the end of every page of memory to detect overruns.

Address Space Randomization

OpenBSD began implementing address space randomization in 2003 and finished the work in 2013, now known as position-independent executables (PIE). With this feature, code is not required to be in the same place every time a program executes. An attacker cannot use a known offset to reach data.

For example, say you have programs A and B. If program B has a memory leak and attackers know that program A is loaded before B in memory, they could crash program A by writing to its memory space using the exploit in program B.

By default on OpenBSD, if program A starts before program B, it does not mean that B will follow A in memory. In fact, a large gap could be placed between the two programs, or alternatively, program C could be placed between A and B. Even when a third-party piece of software such as the Apache web server has a bug, crashing that program will not allow the attacker to exploit anything.

Another unique way PIE manifests itself in OpenBSD is the now well-known way the kernel relinks itself on each boot, starting in 6.2. The initial assembly language code must be placed at the start of the file and is always kept in the same place. The assembly code is followed by a randomly sized gap, and after the gap all of the .o C object files are arranged randomly. An attacker cannot predict the distances between functions and variables. If a pointer is leaking information inside the kernel, it will not disclose any other pointers or objects.

PIE executables are a hot trend in security. Researchers have been attempting to run PIE executables on Linux with some success, but this was pioneered in OpenBSD years ago. The feature of an OpenBSD kernel reorganizing itself each boot is only now gaining support in the Linux world and has not even been merged yet.

Pledge and Unveil

Pledge and Unveil are two sides of the same coin: Pledge restricts system calls and Unveil restricts filesystem access. The coupling of Pledge and Unveil makes it hard for a program to be usefully compromised. Even if a program does become compromised, the attacker can only write to one file or one directory, or only call certain system calls. Pledge was first available in OpenBSD release 5.9 and Unveil in release 6.4. Pledge and Unveil are unique to OpenBSD and are some of its strongest assets.

Pledge

Many programs need to start with more privileges than they need to actually run. Think through whether a process really needs access to the network for every step or only for one part of the program.

Bob Beck, one of the creators of Pledge, says that OpenBSD's NTP service has three processes:

  1. The NTP process pledges stdio and inet.
  2. The process handling DNS pledges stdio and dns.
  3. The master process pledges settime.

This is useful for processes that start as root and then drop their privileges to a regular user account or a limited account specific to daemons. Pledge can bring security measures to non-setuid processes too, which are processes that do not start as root.

The network program nc (netcat) is one such program, since it can perform several network functions, each with a specific Pledge. The Chrome web browser has been pledged on OpenBSD as well.

SELinux and Capsicum for FreeBSD have similar frameworks, but they are not used nearly as aggressively or enabled by default. OpenBSD, on the other hand, pledges everything in the base system and even some third-party software.

Unveil

Perhaps the simplest way to explain Unveil is with the Chromium browser. Starting in OpenBSD version 6.5, Unveil was set up to give Chromium access only to the user's Downloads directory. Consequently, saving a file must be done in the Downloads directory.

However, this means you cannot save a file in a different folder, such as the Pictures folder, or even read that directory itself. That is an inconvenience for the user, but it keeps rogue web processes or browser exploits from reading the SSH directory where private SSH keys are kept.
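The Pledge and Unveil sections above describe the same two-step confinement: expose one directory with unveil(2), then cut the process down to a handful of syscall groups with pledge(2). The following added example (not code from the article, from Chromium or from the OpenBSD tree) does exactly that for a program that only needs one directory, assumed to be the Downloads-style directory its caller names. On OpenBSD the real system calls run; on other systems the stubs are assumed no-ops so the file still compiles, and nothing is confined.

```c
/* Added example: unveil(2) a single directory, then pledge(2) down. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Portable no-op stubs (assumption for non-OpenBSD hosts only). */
static int unveil(const char *path, const char *perms) { (void)path; (void)perms; return 0; }
static int pledge(const char *promises, const char *exec) { (void)promises; (void)exec; return 0; }
#endif

/* Expose exactly one directory, lock the unveil list, then keep only the
 * syscall groups a file-saving loop needs. Returns 0 on success, -1 with
 * errno set otherwise. Order matters: unveil first, pledge last. */
int confine_to_dir(const char *dir)
{
    if (unveil(dir, "rwc") == -1)          /* read, write, create under dir */
        return -1;
    if (unveil(NULL, NULL) == -1)          /* no further unveil() calls allowed */
        return -1;
    /* stdio for printf/exit, rpath/wpath/cpath for open(). No "inet", "dns"
     * or "unveil" promise: a compromised process cannot widen its own view. */
    return pledge("stdio rpath wpath cpath", NULL);
}

/* Opens path read-only; returns 0 on success or the errno. Once confined on
 * OpenBSD, anything outside dir reports ENOENT as if it did not exist. */
int probe_path(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    if (confine_to_dir(".") == -1)
        return 1;
    int e = probe_path("/etc/passwd");   /* outside the unveiled directory */
    printf("/etc/passwd: %s\n", e ? strerror(e) : "opened (not confined)");
    return 0;
}
```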

OpenBSD Use Cases

Listed below are a few popular OpenBSD use cases:

  • As a desktop or workstation operating system, since OpenBSD includes a customized, highly secure version of X.org and drivers for AMD or Intel graphics.
  • As a mail server, with the mail serving software OpenSMTPD (OpenBSD Simple Mail Transfer Protocol Daemon) shipping with the operating system.
  • As a web server, with the included httpd or with the industry-standard Apache or Nginx.
  • As a firewall device, with the built-in PF firewall.
  • As a router, with the included PF and OpenBGPD (OpenBSD Border Gateway Protocol Daemon) software.

Why You Should Use OpenBSD Today

OpenBSD is one of the three leading BSD distributions (along with FreeBSD and NetBSD) and is the most security-conscious of the BSD operating systems. It runs on a wide range of hardware, such as commodity servers and laptops, older hardware from the turn of the millennium, and exotic hardware from Sun, Oracle, and IBM. OpenBSD has an extreme focus on security and code correctness and some key features such as Pledge and Unveil. It has only ever suffered two remote holes in the default install since the project's inception, proving how secure OpenBSD is.

When choosing an operating system where security is goal number one and the highest priority, OpenBSD is the king of the castle.
