Linked by Eugenia Loli on Sat 12th Aug 2006 19:07 UTC
OpenBSD strives to be the most secure UNIX derivation. Design principles, such as code auditing, extensive use of encryption, and careful configuration choices, combine to ensure OpenBSD's secure-by-default philosophy holds true. This article gives you a close look at the operating system so secure that it was once banned for use in a DEF CON competition, where crackers go after each other's systems.
Thread beginning with comment 151779
NX without NX
by joecool on Sat 12th Aug 2006 20:40 UTC

One other thing that this article doesn't mention that is quite interesting is that OpenBSD's implementation prevents arbitrary execution of memory even on hardware that doesn't support the NX (no execute) bit. This is invaluable to help prevent buffer overflow exploits.

Reply Score: 5

RE: NX without NX
by Rahul on Sat 12th Aug 2006 21:08 in reply to "NX without NX"

Fedora has that too, among many other security features.

Reply Parent Score: 2

RE[2]: NX without NX
by psygbert on Sun 13th Aug 2006 06:21 in reply to "RE: NX without NX"

That's also included in OpenBSD (and they were the first to implement it in the base system, as far as free Unix-like OSes are concerned, e.g. ProPolice, NX bit). Yes, there may be PaX or other protection patches for Linux, but the question is "is it included in the base?", and the big answer is NO. If you want security, it must be in the base, from the ground up. (Anyway, I agree with you, Fedora did a very good job in securing their distro.) But other things OpenBSD has that "might" not be on other major Linux distros are the following:

W^X, .rodata segment, guard pages, randomized malloc() and mmap()
atexit() and stdio protection
privilege separation of common services "by default" (e.g. syslogd, dhcpd, tcpdump)
strlcpy() and strlcat()
chroot jailing of common services "by default" (e.g. httpd, bind)
and the constant code auditing (which I think Linux does not have)

Reply Parent Score: 3
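The strlcpy()/strlcat() functions in psygbert's list return the length of the string they tried to build, so a caller can detect truncation instead of silently overflowing a buffer the way strcpy()/strcat() can. The following is an added example, not code from the comment thread or from OpenBSD itself: it reimplements those documented semantics under the assumed names xstrlcpy/xstrlcat (prefixed to avoid clashing with a libc that already ships the real ones) and uses them to build a bounded "user@host" string.

```c
/* Added example: re-implementation of OpenBSD's strlcpy()/strlcat() semantics.
 * The names xstrlcpy/xstrlcat are an assumption of this example, chosen so the
 * program also compiles against a libc that provides the real functions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst, writing at most size-1 bytes and always NUL-terminating
 * when size > 0. Returns strlen(src); a value >= size means the copy was
 * truncated, which is the check callers are expected to make. */
size_t xstrlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Append src to the NUL-terminated string in dst, within a buffer of size
 * bytes. Returns strlen(initial dst) + strlen(src); >= size means truncation. */
size_t xstrlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0')
        dstlen++;
    size_t srclen = strlen(src);
    if (dstlen == size)            /* dst not NUL-terminated within size */
        return size + srclen;
    size_t room = size - dstlen - 1;
    size_t n = srclen < room ? srclen : room;
    memcpy(dst + dstlen, src, n);
    dst[dstlen + n] = '\0';
    return dstlen + srclen;
}

/* Build "user@host" into a fixed buffer. Every step checks the return value,
 * so a too-long input yields a truncated but still NUL-terminated string and a
 * return of 0 instead of a write past the end of out. Returns 1 when it fit. */
int build_login(char *out, size_t outsize, const char *user, const char *host)
{
    if (xstrlcpy(out, user, outsize) >= outsize) return 0;
    if (xstrlcat(out, "@", outsize) >= outsize) return 0;
    if (xstrlcat(out, host, outsize) >= outsize) return 0;
    return 1;
}

int main(void)
{
    char buf[24]; /* constructed: deliberately small to show truncation */
    printf("%d %s\n", build_login(buf, sizeof buf, "alice", "example.org"), buf);
    printf("%d %s\n", build_login(buf, sizeof buf, "alice",
                                  "very-long-hostname.example.org"), buf);
    return 0;
}
```

The point of the return-value convention is that truncation is a visible condition the program can act on (log it, reject the input), whereas strcpy() gives no signal at all and strncpy() may leave the buffer unterminated.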

RE[2]: NX without NX
by cg0def on Sun 13th Aug 2006 08:31 in reply to "NX without NX"

NX is a pretty old concept even in hardware (VAX) and, as was already mentioned, OpenBSD is hardly the only OS to support it. Also, while OpenBSD is very nice for firewalls and servers (in most cases), the security audits at the distro level are hardly what needs to be done. This results in a slow distribution cycle, and old versions of pretty much every piece of software get included. Now this might not be that big of a deal for web admins, but as a developer I would surely like to use gcc 4.x (and it is stable and secure enough).
But I must admit that while I don't use OpenBSD on my workstation it is on my firewall/router ...

Reply Parent Score: 1

RE[3]: NX without NX
by psygbert on Sun 13th Aug 2006 16:16 in reply to "RE[2]: NX without NX"

a new release every 6 months is fast enough for me and you can always use gcc4 from ports.

Hmm, older software? I think Debian stable is using older software than the OpenBSD stable branch ;)

Reply Parent Score: 5

RE[3]: NX without NX
by Gryzor on Sun 13th Aug 2006 19:39 in reply to "RE[2]: NX without NX"

Old versions? What are you talking about? What do you prefer, the latest Apache from the Apache FTP Server or the "audited, patched, fixed" older version that comes with OpenBSD that "serves its purpose well".

The goal is to provide SECURE software, not the latest; many of the patches OpenBSD produces are not accepted by the original developers of the piece of software, so until that happens, they refuse to include a newer "unsecure" piece of software.

Apache is a very nice example of that...

Reply Parent Score: 3