OpenBSD
The OpenBSD project produces a complete, free, cross-platform Unix-like operating system based on BSD (Berkeley Software Distribution). According to its website, it seeks to emphasize: "portability, standardization, correctness, proactive security and integrated cryptography." An example of developments coming from OpenBSD is the widely used program OpenSSH.
The OpenBSD project maintains portable versions of many subsystems as packages for other operating systems. Due to the project's preferred BSD license, many components are reused in proprietary and company-sponsored software projects. Apple's macOS firewall code is based on the OpenBSD PF firewall code, Android's Bionic C standard library is based on OpenBSD code, LLVM uses the OpenBSD regular expression library, and Windows 10 uses OpenSSH (OpenBSD Secure Shell) with LibreSSL.
The word "Open" in the name OpenBSD refers to the availability of the operating system's source code on the Internet, although the word "Open" in the name OpenSSH means "OpenBSD". It also refers to the wide range of hardware platforms that the system supports.
History
In December 1994 Theo de Raadt, a founding member of the NetBSD project, was asked to resign from the NetBSD core team due to disagreements and conflicts with other team members. In October 1995, De Raadt founded OpenBSD, a new project forked from NetBSD 1.0. The initial release, OpenBSD 1.2, was released in July 1996, followed by OpenBSD 2.0 in October of the same year. Since then, the project has released a version every six months, each with one year of support.
On July 25, 2007, OpenBSD developer Bob Beck announced the creation of the OpenBSD Foundation, a Canadian non-profit organization formed to "act as a single point of contact for individuals and organizations in need of a legal entity to deal with when they want to support OpenBSD."
Security
Until June 2002, the OpenBSD website featured the tagline:
«No remote security failure in the default installation in the last 6 years».
This had to be changed to:
«A single security hole in the default installation, in more than 8 years»,
after a hole was found in OpenSSH, and subsequently to:
«Only two security holes in the default installation, in more than 10 years»,
after a bug was found in the IPv6 module.
Some people have criticized this slogan as almost nothing is enabled in the default OpenBSD installation, and stable releases have included software in which security holes were later found. The OpenBSD development team maintains that the tagline refers to a default installation of the operating system, and that it is correct by its definition.
One of the fundamental innovations of the OpenBSD project is the concept of the "secure by default" operating system. It is standard, and essential, computer security practice to enable as few services as possible on production machines. Even without taking this practice into account, OpenBSD is considered a secure and stable system.
As part of a string cleanup, all occurrences of strcpy, strcat, sprintf and vsprintf in the code have been replaced with safer variants such as strlcpy, strlcat, snprintf, vsnprintf and asprintf. In addition to its permanent code audits, OpenBSD contains strong cryptography.
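What the bounded variants named above change for the caller, shown as an added example that is not OpenBSD code. `ex_strlcpy` is a hypothetical local reimplementation of strlcpy's documented contract so the example builds on systems whose libc lacks strlcpy; `set_name`, `build_path` and all inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reimplementation of strlcpy's documented contract (not
 * OpenBSD's source): copy at most size-1 bytes, always NUL-terminate when
 * size > 0, and return strlen(src) so the caller can detect truncation. */
static size_t ex_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy a user-supplied name into a fixed field. Oversize input is reported
 * to the caller instead of overflowing the field (strcpy) or being
 * truncated without notice. */
static int set_name(char *field, size_t fieldsz, const char *input)
{
    return ex_strlcpy(field, input, fieldsz) >= fieldsz ? -1 : 0;
}

/* Build "<dir>/<name>" into out with snprintf, the bounded form of sprintf.
 * Returns 0 on success, -1 if the result would not fit; out always holds a
 * valid NUL-terminated string. */
static int build_path(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char name[8], path[16];
    /* Constructed sample inputs. */
    printf("short name: %d\n", set_name(name, sizeof name, "alice"));
    printf("long name:  %d (stored \"%s\")\n",
           set_name(name, sizeof name, "administrator"), name);
    printf("short path: %d\n", build_path(path, sizeof path, "/etc", "pf.conf"));
    printf("long path:  %d\n", build_path(path, sizeof path, "/var/log", "authlog.0.gz"));
    return 0;
}
```

The bounded call only prevents the out-of-bounds write; the return value still has to be checked, because a truncated name or path can itself be a security-relevant bug.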
More recently, many new technologies have been integrated into the system, further increasing its security. Since version 3.3, ProPolice has been enabled by default in the GCC compiler, providing additional protection against stack overflow attacks. In OpenBSD 3.4, this protection was also enabled in the kernel. OpenBSD also implements W^X (pronounced "W XOR X"), a fine-grained memory management scheme that ensures memory is either writable or executable, but never both, providing another layer of protection against buffer overflows. Privilege separation, privilege revocation and fully randomized library loading also contribute to system security.
In May 2004, OpenBSD/sparc went further in stack protection, adding StackGhost.
A static bounds checker was added to the compiler, which tries to find common programming bugs at compile time. Systrace can be used to protect system ports.
OpenBSD uses a password hashing algorithm derived from Bruce Schneier's Blowfish. It takes advantage of the inherent slowness of Blowfish encryption to make password checking very CPU-intensive, which makes parallel processing extremely difficult. This is intended to thwart brute-force attempts to recover passwords.
Because of all these features, OpenBSD is widely used in the computer security industry as an operating system for firewalls and intrusion detection systems. The OpenBSD packet filter, pf, is a powerful firewall developed because of problems with the ipf license. OpenBSD was the first free operating system to be distributed with a built-in packet filtering system.
Philosophy
The OpenBSD philosophy can be reduced to 3 words:
«Free, Functional and Secure».
Free refers to its license, functional refers to the state at which the versioning of its programs is considered finished, and secure refers to the extreme review and supervision of the code included in its releases.
Hardware compatibility
Supported platforms and devices are listed in the OpenBSD Supported Platforms Notes. Other configurations may also work, but they just haven't been tested or documented yet. Approximate automatically extracted lists of supported device ids are available in a third-party repository.
In 2020, a new project was introduced to automatically collect information about tested hardware configurations.