Tackling one of the most commonly reported causes of vulnerabilities, the OpenBSD project recently announced that a major effort has been put into place to eliminate buffer overrun vulnerabilities in its popular open source operating system. As reported by News.com, OpenBSD project leader Theo de Raadt told CanSecWest attendees that the project had specifically hardened OpenBSD to improve resistance to buffer overflow attacks. In his presentation, de Raadt said, “By combining five technologies, we can make buffer overflows basically unexploitable.”
Steps toward buffer overrun security
In his presentation, de Raadt explained that the first step involved ”stack-gap randomization.” In other words, the team randomized the location in memory where the software will place the stack by adding a randomly sized gap at the top of the stack. Next, they altered the way addresses are stored within the stack and added a way to detect attacks on the stack. They did this by putting buffers closer to the return addresses in the stack, resulting in lower flags and pointers, making them harder for a hacker to hit. The attack detection was accomplished by adding a “canary” that will indicate whether any addresses have been altered.
Finally, the OpenBSD project broke main memory into two pieces. The first one is devoted to executing code and the second one is isolated as a writable section. The assignment of all pages to one section or another means that no page will be both writable and executable at the same time.
Another part of the work involves eliminating a lot of setuid binaries, reducing them from nearly 40 in some early versions to just eight, each of which has up to 300 lines of code.
Read de Raadt's presentation
For more details on the changes made to OpenBSD, you can read de Raadt’s presentation. But to view it, you will need to save a local copy of the file (to do this in Windows, just right-click on the link and select "Save File As") and then download a copy of MagicPoint (an open source presentation program). Alternatively, you can view the file in text format (or with Microsoft PowerPoint) and simply ignore the extraneous characters.
When to expect the changes
The next version of OpenBSD is scheduled to ship May 1, and de Raadt told CanSecWest attendees that most of the buffer overrun security changes will be included in this new version. A few others, such as the ability to split memory on 32-bit PowerPC and x86 chips, won't be completed in time for the scheduled release date. Support for split memory in 32-bit processors is scheduled to follow in six months.
How significant are buffer overruns?
One third of the past 14 OpenBSD 3.2 Security Advisories involved buffer problems. Another nine buffer overrun problems were reported for OpenBSD 3.1, and the SANS/FBI list of the top 10 most exploited UNIX (and Linux) vulnerabilities is filled with “buffer overflow” problems.
Of course, this heavy incidence of buffer overruns isn’t unique to OpenBSD or even to UNIX. The top 10 Windows vulnerabilities list presents a similar picture. The bottom line is that buffer overruns are the cause of many security flaws and software vulnerabilities, and any work done to limit the problem is a step forward.
The OpenBSD project
Although the OpenBSD project is based in Canada, it was supported by the U.S. Department of Defense in the form of a $2.3 million (USD) DARPA grant. For those who don't know, DARPA also funded the development of the Internet. However, only a few days after the OpenBSD project leader announced the major effort to secure the open source operating system, DARPA pulled the remainder of its grant.
Because it is Canadian-based, OpenBSD can ship with cryptographic tools that U.S. companies may not be able to include by default due to export restrictions. You can find an explanation of the kinds of cryptographic tools that ship with OpenBSD on the organization’s Crypto Page.
The inclusion of strong cryptography tools goes hand in hand with the basic philosophy behind the installation, which is that not everyone is a security expert or should have to become one. This point of view has led OpenBSD.org to emphasize secure-by-default installation settings.
OpenBSD is already one of the most secure operating systems available, and if the team can really pull off this buffer overrun security initiative, it will go to the top of the list for administrators looking to deploy tightly secured systems. But only time will tell. I’m not alone in pointing out that people have been fighting with PC memory allocation problems for decades, and by now, buffer overrun problems are so pervasive it is virtually impossible to eliminate all of them or block them from being exploited.
I suspect that there will continue to be buffer overrun exploits after the next version of OpenBSD ships. And if that happens, it will be important to remember that even if OpenBSD eliminates only half the successful buffer overrun attacks, the effort will have been a success—one that may cause other vendors to follow its lead.