OpenBSD

Last edited: April 4, 2021

Despite popular belief, OpenBSD's security is actually lacking in a lot of ways.

Half-Baked Mitigations

Many of OpenBSD's exploit mitigations are half-baked or even useless. This is a non-exhaustive list of a few of them.

• One of OpenBSD's popular features is its "W^X" however, OpenBSD's W^X is not a complete implementation — it does prevent a process from creating a memory mapping with both writable and executable permissions, but it does not prevent a process from transitioning a writable memory mapping to executable. This means that it's not very hard to bypass.
  
  An attacker can simply write code to a writable memory mapping, create a ROP chain to transition the mapping to executable and then execute their shellcode from there. Many exploits in the wild have been shown to do this instead of purely relying on ROP since that takes more effort.
  
  Complete W^X implementations are already found in other operating systems like Windows' ACG, iOS' code signing and so on. Even Linux is working on it with the S.A.R.A. LSM, albeit a few decades late. The idea of W^X was not novel to OpenBSD either — the first complete implementation was present in PaX ~20 years ago which itself has roots in the OpenWall project.
• Another of OpenBSD's mitigations is TRAPSLED. This aims to neutralise NOP sleds, but this mitigation doesn't really do anything since the adoption of ASLR. TRAPSLED can be useful for some non-security use cases, but it is absolutely not an exploit mitigation.
• RETGUARD is a supposed mitigation against ROP, but it is trivially bypassed with an arbitrary read. It is not a solid mitigation for ROP unlike proper mitigations, such as Clang's ShadowCallStack, Intel CET shadow stacks, PaX RAP, etc. Meaningful defenses against ROP are again, already found in other operating systems like Windows' CET, iOS' PAC and Android's ShadowCallStack.

Missing Mitigations

As well as developing half-baked mitigations, OpenBSD also lacks plenty of modern mitigations completely. Again, this is a non-exhaustive list and there are still plenty more examples than the ones listed here.

• OpenBSD has no reliable protection against code reuse attacks. It only has a few mitigations that aren't very effective as discussed above. It lacks both forward and backward-edge protection. Meanwhile, Windows has a coarse-grained, forward-edge Control Flow Integrity (CFI) implementation known as Control Flow Guard as well as backward-edge protection via Intel CET's shadow stacks; iOS and M1 Macs use an improved implementation of ARM's Pointer Authentication Codes (PAC), ensuring backward and forward-edge protection; Android uses Clang's fine-grained, forward-edge CFI and ShadowCallStack.
• Verified boot is an important security feature that eliminates privileged malware persistence by verifying the integrity of the entire base operating system. This is most commonly used on mobile devices with Android and iOS both having solid implementations, but desktop operating systems have made substantial progress on this as well; mainly macOS, Windows and ChromeOS, whereas any form of verified boot is nonexistent on OpenBSD.
• Trusted Path Execution (TPE) prevents an attacker from executing arbitrary code from the filesystem and can be used as a supplement to proper W^X to prevent dynamic native code execution in both memory and the filesystem, but — like the lack of actual W^X — OpenBSD also has no TPE.
• OpenBSD has no Mandatory Access Control (MAC) system like AppArmor or SELinux which prevents you from fully locking down user space. In comparison to, for example, Android in which it uses a strict, full system SELinux policy to confine every single process in user space and is a core part of the security model. Pledge and Unveil, while being great sandboxing tools, are not a replacement for a proper MAC system. It still fully trusts the applications as it has to be implemented within its source code and it isn't nearly as fine-grained as a good SELinux setup.
• OpenBSD also lacks any form of GUI isolation which will make sandbox escapes incredibly easy. It uses Xenocara, a fork of X11 which is notorious for being insecure and not implementing GUI isolation and OpenBSD does not support Wayland.

Lack of Innovations

OpenBSD hasn't really innovated much and many of its (real) mitigations were developed long before OpenBSD implemented them, such as W^X and ASLR which were developed by PaX (PAX_MPROTECT and PAX_ASLR). OpenBSD tries to hide this fact with sly wording, such as: "ASLR: OpenBSD 3.4 was the first widely used operating system to provide it by default.".

The Good Things

Although despite the many issues with it, some of OpenBSD's mitigations are pretty solid like their malloc implementation and OpenBSD excels in their cryptography and standalone tools, just not really when it comes to general OS security.

Other Security Researcher Views on OpenBSD

Many security experts also share these views about OpenBSD.

This website especially goes very in-depth into the issues with most of OpenBSD's mitigations: https://isopenbsdsecu.re/

Alternative

A more promising alternative to OpenBSD is HardenedBSD. There are advantages and disadvantages of HardenedBSD over OpenBSD. HardenedBSD has many mitigations OpenBSD does not, such as CFI, SafeStack, SEGVGUARD, a proper W^X implementation and more, but it lacks things OpenBSD has, such as LibreSSL, a hardened memory allocator, etc.

Go back