Network edge devices such as routers and firewalls and some web servers exposed directly to the Internet present a unique security challenge to an administration team. This is because they are on the fringes of the network and are responsible for protecting the inner network devices.
If a fringe-of-the-network device is compromised, attackers could run rampant through the network attacking the less secure devices inside the inner network, such as Windows servers. Protecting these devices is of paramount importance to the system administration and network administration teams. Therefore, necessary care should be placed into the selection of the operating system for such a device.
This article will explore OpenBSD OS and why you should select it for your next web server project.
What is OpenBSD?
OpenBSD is regarded as the most secure general-purpose operating system to date. OpenBSD was forked in 1995 from NetBSD (read more on the complete history below) and is widely regarded as the most secure Unix-like operating system available. OpenBSD aims to be secure by default, meaning that one does not need to be a security expert to have a highly secure system. It is regarded as being more secure than other *BSD versions such as FreeBSD or NetBSD, Linux distributions, Microsoft Windows, or even Mac OS. OpenBSD has only had two remote code execution vulnerabilities in the entire operating system’s history.
OpenBSD touts per-process resource limits, Pledge and Unveil to restrict access to the file system, and system calls, making it far more secure than Linux. Theoretically, the only thing more secure than OpenBSD is some of the research microkernel projects used in real-time systems.
OpenBSD Operating System Latest Version and Features
OpenBSD 7.0 is the 51st and most current release and was made available on October 14, 2021. There are a total of 11,325 packages available, including PHP 7.3.30, 7.4.23, and 8.0.10, and MariaDB 10.6.4.
Some major external programs included in OpenBSD 7.0 are:
- LLVM/Clang 11.1.0.
- Xenocara (based on X.Org 7.7 with xserver 1.20.13 + others).
- Perl 5.32.1.
Some built-in programs for OpenBSD 6.9 include:
- OpenSSH 8.8.
- Libressl 3.4.1.
- OpenSMTPD 7.0.0.
OpenBSD is also the hosting project of the packet filter (PF) firewall for use in firewall distros PFsense, OpenSense, and the Tmux terminal multiplexer. All of these programs are included in the base install.
OpenBSD follows a blistering six-month release cycle with releases in April or May and October or November, helping to keep your data safe. In addition, releases are supported for one year.
Keeping OpenBSD updated had been difficult following version 6x release cycles. With the release of sysupgrade and syspatch, upgrading to a new version and installing security patches for the current version are now easier.
Yes, a one-year support cycle is fewer than the ten years of an RHEL (Red Hat Enterprise Linux) release, which is the gold standard in long-term support, but OpenBSD can be used on servers successfully. Even the -CURRENT version, the version where main development happens, is kept bootable and working at all times. This makes releases stable. -STABLE branch, which is a -RELEASE with errata version, is also stable.
What Systems Does OpenBSD Run On?
- Most AMD64 (x86_64) systems, from Dell servers to Lenovo laptops.
- Old 32 bit hardware to include processors as old as the 486 from AMD and Intel.
- More exotic systems, including POWER 8 and 9 based servers from IBM, and SPARC64 servers from Sun Microsystems, Fujitsu, and Oracle.
|Architecture Name||Example Machines|
|alpha||Digital Alpha-based systems.|
|arm64||64-bit ARM systems.|
|armv7||ARM-based devices, such as BeagleBone, PandaBoard, CuBox-i, SABRE Lite, Nitrogen6x, and Wandboard.|
|hppa||Hewlett-Packard Precision Architecture (PA-RISC) systems.|
|i386||Standard PC and clones based on the Intel i386 architecture and compatible processors.|
|landisk||IO-DATA Landisk systems (such as USL-5P) are based on the SH4 CPU.|
|loongson||Loongson 2E and 2F-based systems, such as the Lemote Fuloong and Yeeloong, and Gdium Liberty.|
|luna88k||Omron LUNA-88K and LUNA-88K2 workstations.|
|macppc||Apple New World PowerPC-based machines, from the iMac onwards.|
|octeon||Cavium Octeon-based MIPS64 systems.|
|powerpc64||IBM POWER-based PowerNV systems.|
|riscv64||64-bit RISC-V systems.|
|sparc64||Sun UltraSPARC and Fujitsu SPARC64 systems.|
History of OpenBSD
OpenBSD traces its roots back to the original AT&T UNIX of the 1970s, specifically the branch created at the University of California at Berkeley.
Two modern open-source BSDs were created from work at UC Berkeley: NetBSD and FreeBSD. Both projects started about the same time from a version of BSD UNIX called BSD 4.4-Lite 2.
All modern BSD operating systems can trace their roots back to 4.4 BSD and the early FreeBSD and NetBSD projects. A few examples include:
- IOS on Apple smartphones.
- Apple OS X.
- Operating system used on Sony Playstations 3 and 4.
- Four main BSD projects FreeBSD, OpenBSD, NetBSD, and Dragonfly BSD.
- Numerous offshoots like hardened BSD, pfsense, FreeNAS/TrueNAS, and GhostBSD.
OpenBSD is a fork of an early version of NetBSD. The creator of OpenBSD, Theo de Raadt, was a contributor to the NetBSD project.
He thought that security should be a top concern of the project and was very vocal about it. Unfortunately, Raadt’s increasingly vocal arguments eventually led to him losing access to the repository of the NetBSD project.
His response was to fork NetBSD 1.0 and start the OpenBSD project in October 1995.
5 Reasons Why OpenBSD is the Right Choice
OpenBSD runs on a wide variety of hardware, from AMD64 servers, laptops, and desktops to MIPS routers and ARM system-on-a-chip solutions. It also runs on POWER and SPARC servers as well as older relics from the past like DEC VAX computers.
OpenBSD supports so many different hardware platforms for a few different reasons:
- Its lineage from NetBSD supported many platforms.
- The developers of OpenBSD desire to continue to support many platforms.
A very positive side effect of the wide range of hardware support is it helps track down bugs that could otherwise be overlooked.
The OpenBSD platforms include 32-bit and 64-bit processors, small and large endian machines, and many different designs. Supporting unusual platforms has helped produce a higher-quality code base.
Since OpenBSD supports so many older hardware architectures, it needs to be conservative with resource utilization such as CPU and RAM. Processors as old as an Intel 486 are supported amongst x86 processors, and while these machines support very little RAM and processing power, OpenBSD still runs on them. Dmesg of OpenBSD can even run on a 486 clone.
OpenBSD is regarded as having the most extensive documentation of any operating system. Documentation errors are treated as serious bugs.
OpenBSD is free in both senses of the word: free in cost and freedom to use as you wish.
OpenBSD is released under the terms of the BSD and ISC licenses and a few other permissive licenses for some content. The license for the OpenBSD version of the ISC license in part reads:
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.”
This makes the ISC more friendly than the GPL used by Linux because changes are not required to be upstreamed. For example, the OpenBSD implementation of OpenSSH is used everywhere, from Linux to Windows 10.
Correct code is secure code, so to say. Some operating systems would not consider a use after free (referring to memory that has been allocated, unallocated, then used again in the C language) a serious bug, but it will be addressed on OpenBSD. This is relevant, as C is not a memory-safe language. It is as close to the hardware you can get without resorting to assembly language and is the lowest level language for portable programming.
Some software crashes more frequently on OpenBSD than other operating systems. Behavior that is permitted on other OS is not allowed on OpenBSD. This made OpenBSD frustrating to use as a desktop OS in the past. Today, developers improve the code regularly, fixing the crashes so that all operating systems benefit. The Chromium project by Google is an example of this.
Some bugs have only been found when porting to new or obscure architectures. That is why new architectures like PowerPC 64 bit were added in release v6.8, why v6.9 and v7.0 had support for the Apple M1 arm64 processor, and v7.0 sees support for RISC-V (an architecture that based on the Reduced Instruction Set Computer architecture like ARM processors are).
OpenBSD is the most secure OS on the planet. There are several features of OpenBSD that aid in it being a highly-secure operating system.
Here are a few unique security tools pioneered and only in use by OpenBSD by default. Though some are such good security ideas, they have been ported to other operating systems but not enabled by default.
OpenBSD Style Privilege Separation
Suppose you have a server running another OS besides OpenBSD that is compromised via SQL injection. If that SQL server was running as a regular user, the attacker could wreak havoc on the system. OpenBSD runs its built-in web server as the user www, a locked-down account. Furthermore, it is run inside a chroot jail. Finally, it is run with a shell that does not permit logins. The attacker can not even access a shell prompt to run commands.
Other operating systems support chroots but rarely use them and certainly not by default. Flatpack in Linux and jails in FreeBSD are examples of the rest of the open-source world copying OpenBSD.
Write XOR Execute
The next security feature that OpenBSD pioneered is known as write XOR execute (W ^ X). The address space of a process or the kernel can be writable or executable, but not both. OpenBSD was the first operating system to pioneer this feature in version 3.3 in 2003.
Some Linux distros are just starting to include this feature, while OpenBSD has provided it for almost two decades.
Similarly, guard pages were incorporated into OpenBSD in 2003. Guard pages insert an unreadable and unwritable page in memory at the end of each page of memory to detect overruns.
Address Space Randomization
OpenBSD started implementing address space randomization in 2003 and finished the work in 2013, now known as position independent executable (PIE). With this feature, code is not required to be in the same place each time a program executes. An attacker cannot attack with a known offset to access data.
For example, let’s say you have programs A and B. If program B has a memory leak and attackers know that program A is loaded before B in memory, they may crash program A by writing to its memory space using the exploit in program B.
By default with OpenBSD, if program A starts before program B, it does not mean that B will follow A in memory. In fact, a large gap could be placed between the two programs, or alternately, program C could be placed between A and B. Even if a third-party piece of software has a bug such as an Apache web server, crashing that program will not allow the attacker to exploit anything.
Another unique way PIE manifests itself inside OpenBSD is the recently famous way the kernel relinks itself upon each boot starting in v6.2. The unique assembly language code has to be placed at the beginning of the file and is always kept in the same place. The assembly language code is followed by a randomly-sized gap, and then following the gap, all the .o C language object files are randomly arranged. An attacker cannot predict the distances between functions and variables. If a pointer is leaking information inside the kernel, it will not disclose any other pointers or objects.
PIE executables are a hot trend in security. Researchers have been trying to run PIE executables on Linux with some success, but this was pioneered in OpenBSD years ago. The feature of an OpenBSD kernel reorganizing itself each boot is just now gaining support in the Linux world and has not even been merged yet.
Pledge and Unveil
Pledge and Unveil are two sides of the same coin: Pledge is used for system calls and Unveil is used for limiting filesystem access. The unique coupling of Pledge and Unveil makes it hard for a program to be usefully compromised. Even if a program does become compromised, the hacker can only write to one file or one directory or only call certain systems. Pledge was first available in OpenBSD release 5.9 and Unveil was first available in release 6.4. Pledge and Unveil are unique to OpenBSD and are some of its strongest assets.
Many programs need to start with more privileges than they need to actually run. Think through if a process really needs access to the network to do every step or just one part of the program.
Bob Beck, one of the creators of Pledge, says that OpenBSD’s NTP service has three processes:
- The NTP process pledges STDIO and inet.
- The process for handling DNS pledges STDIO and dns.
- The master process to pledge settime.
This is useful to processes that start as root and then drop their privileges to a regular user account or limited account specific to daemons. Pledge can bring security features to non-setuid processes too, which are processes that do not start as root.
The network program (NC) is one such program because it can do several network functions, each with a specific Pledge. The web browser Chrome has been pledged on OpenBSD as well.
SELinux and Capsicum for FreeBSD have similar frameworks, but they aren’t used nearly as aggressively or enabled by default. OpenBSD, on the other hand, pledges everything in the base and even some third-party software.
Perhaps the easiest way to explain Unveil is with the Chromium Browser. Starting in OpenBSD version 6.5, Unveil was set up only to have access to the users’ Downloads directory. Therefore, saving a file must be done in the Downloads directory.
However, this means you cannot save a file in a different folder, such as the Pictures folder, or even read the directory itself. This is an inconvenience for the user, but it keeps rogue web processes or browser exploits from reading the SSH directory where private SSH keys are kept.
OpenBSD Use Cases
Here are a few popular OpenBSD use cases:
- As a desktop or workstation operating system, since OpenBSD includes a customized highly-secure version of X.org and drivers for AMD or Intel graphics.
- As a mail server with the included mail serving software OpenSMTPD (OpenBSD Simple Mail Transfer Protocol Daemon) shipping with the operating system.
- As a web server with the included httpd or with industry-standard Apache or Nginx.
- As a firewall device with the included built-in PF firewall.
- As a router with the included PF and OpenBGP (OpenBSD Border Gateway Protocol Daemon) software.
Why You Should Use OpenBSD Today
OpenBSD is one of the three leading BSD distributions (along with FreeBSD and NetBSD) and is the most security-conscious of the BSD operating systems. It runs on a wide variety of hardware such as commodity servers and laptops, older hardware from the turn of the millennium, and exotic hardware from Sun, Oracle, and IBM. OpenBSD has an extreme focus on security and code correctness and some key features such as Pledge and Unveil. It has only ever suffered two remote holes in the default install since the project’s inception, proving how secure OpenBSD is.
When selecting an operating system where security is goal number one and the highest priority, OpenBSD is the king of the castle.