Kurt Seifried, [email protected]
Counterpoint: Why OpenBSD will never be as secure as Linux
Well, my mother just finished knitting me a new pair of asbestos booties, so I thought it was high time I tried them out. Set phasers to "flame". Please read the entire article before using them. Just remember, I could have copped out by making the title something like "Will Linux ever be as secure as OpenBSD?" or even "Which is more secure, Linux or OpenBSD?". But I didn't. You should also check out the LASG/LSKB if you haven't already. I also know about ImmunixOS from WireX and the NSA's SELinux (go read last week's column!).
Let's face it, Linux is a great OS; I have more than a few machines running it. But due to a number of factors it is never going to be as secure as OpenBSD (which I also have running on several machines), for technical, political and marketing reasons. One of the most obvious differences between Linux and OpenBSD (assuming you look under the hood a bit) is the fact that OpenBSD has done an extensive code audit. The OpenBSD team has literally spent dozens of man-years of effort auditing code, not only for security but for general correctness. Even the man pages for OpenBSD are clean and consistent. This is a very proactive form of security: OpenBSD fixes many problems before they become security issues. No such extensive code audit exists in the Linux world, and likely never will. Most vendors I have spoken with typically have a small security team of less than half a dozen people (usually much less). Even ignoring the fact that Linux vendors ship many more packages as standard than OpenBSD (which tends to rely on the ports collection for add-on software), the basic components that both Linux and OpenBSD have (kernel, command shells, system utilities, etc.) are quite large, several hundred megabytes of source code in total. There simply are not enough competent Linux programmers to do a security audit on this code, let alone for every vendor to hire enough people to fix their own versions and so on. Even when vendors do perform code audits they typically face a problem: many programmers maintaining software are indifferent, or even hostile, to people sending them security fixes, so it is very common for the original software to remain insecure, and the vendor must maintain their own patch set. This problem affects OpenBSD far less as they now maintain their own code base, and it has significantly diverged in many areas (ssh and OpenSSH being a prime example).
Even if Linux vendors want to audit all their code, there aren't enough Linux programmers capable of doing this. This means that Linux vendors are essentially doomed to reacting to security problems, applying patches and shipping out fixed versions of software, leaving users open to vulnerabilities for hours, days or even weeks in some cases.
This is far more important than it sounds. Even with additional security products such as PitBull there may be ways for an attacker to exploit some bug in the kernel that allows them to bypass add-on security; this happened with PitBull for Solaris: PitBull was fine, the Solaris kernel was not. Generally speaking, add-on security products cannot completely protect the system. For example, unless a firewall product replaces the TCP/IP stack of an OS, any problems in the TCP/IP stack will still be exploitable.
Cryptography is an area where OpenBSD trounces Linux. OpenBSD not only ships OpenSSL, OpenSSH, IPSec, and several other cryptographic software packages, but the project has actually been largely responsible for OpenSSH, which is an incredibly important piece of software now. While many Linux vendors do ship OpenSSL and OpenSSH, there are several that do not (Caldera being a notable example). However, no major Linux vendor ships IPSec support built in; while there is a project for Linux IPSec, it is difficult at best to install and configure, and at worst almost impossible (I know, I've used it). OpenBSD, on the other hand, ships by default with one of the best IPSec implementations available. OpenBSD also provides a different (better in many ways) key daemon, with support for various forms of authentication, an area where FreeS/WAN is weak. Additionally, because the majority of Linux work is done from within the US (Linus Torvalds now lives there), there is almost no cryptographic support built into the Linux kernel. If you want to add crypto you must patch the kernel and rebuild it. Very few vendors, if any at all (I'm not aware of a single one), ship any crypto built into the kernel, such as IPSec support or any form of cryptographic hooks (however, many do ship OpenSSL/OpenSSH and other cryptographic components). Because OpenBSD is done from Canada, the export of public domain software (usually interpreted as Open Source) is not a problem, giving you out-of-the-box support.
Hardware cryptographic acceleration is yet another area where OpenBSD shines and Linux is almost completely lacking. OpenBSD supports several cryptographic acceleration products, allowing you to build very powerful (and cheap) IPSec gateways, for example. While there is some SSL acceleration hardware available for Linux, this is essentially an easy problem to solve (most web load balancers can handle the encryption and keep sessions organized properly). There are, as far as I know, no IPSec-capable hardware acceleration products for Linux. OpenBSD is also currently working towards allowing hardware to accelerate other cryptographic software such as ssh, which will become an increasingly large problem (how much CPU would you have to add to a server to support 1000 users using ssh instead of telnet?). And with OpenSSH's support for large file transfers (via scp and sftp), load on servers using the SSH protocol will only increase.
On the cryptographic front OpenBSD has Linux beat, hands down. The chances of Linux gaining this support are slim for a number of reasons: US crypto export policy, and a lack of programmers capable of writing the software, to name a few. This is not something that will change for a long time (if ever).
Linux vendors care about having happy customers. OpenBSD developers don't. The Linux market has become a very competitive space, with around a dozen "major" distributions and literally dozens (if not hundreds) of smaller players. The major distributions generally pursue similar markets: home desktop users, corporate/educational desktop users and corporate/educational servers. Almost every commercial vendor has invested significant effort in graphical installation programs, desktop software like Gnome and KDE, and other usability/entertainment/productivity software. There is absolutely nothing wrong with this; as more people use Linux the installation must become easier, and things like word processors are needed. However, it means that Linux vendors have to spend a lot more effort pleasing users; several distributions now ship on multiple CDs because of all the add-on software they include. Although customers complain about security, very few will actually take a secure product instead of an insecure product with more features (even if they may not need those features). Unless a sizable portion of customers start putting their money where their mouth is, vendors will not change significantly.
In comparison, OpenBSD 2.8's install files (all of them) are just over 90 megs; installed (with everything) it requires around 200 megs of space. The only things enabled by default in OpenBSD are those that the developers deem "safe". For example, Telnet is disabled by default and OpenSSH is enabled. Sendmail is configured to run in local queue mode: it can send mail but not receive it (you must add the "-bd" option in rc.conf to enable that). As OpenBSD's webpage puts it:
Four years without a remote hole in the default install!
That is not something any Linux vendor can claim (or ever will, in all likelihood). A typical installation of Linux will result in a half dozen or more network services being started, and while some vendors are starting to improve, it is unlikely many will, since disabling things results in frustrated users and increased support costs (although one wonders about the cost of rebuilding machines after they are broken into).
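The "half dozen or more network services" point is something a defender can measure on any fresh install rather than take on faith. The following is an added example, not code from the original column: a POSIX shell function that takes `netstat -tln`-style output and reports every port reachable from the network that is not on a short allow-list (here just ssh on port 22, mirroring OpenBSD's default). The listener lines are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample in the column layout of `netstat -tln` (Local Address is
# field 4, State is the last field), roughly what a stock Linux install of the
# period might show. Made up for this example, not captured from a real system.
SAMPLE_LISTENERS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN'

# audit_listeners LISTENER_LINES ALLOWED_PORTS
# Prints one line per listening port that is bound to a non-loopback address
# and is not in the space-separated allow-list.
# Returns 0 when nothing unexpected is exposed, 1 otherwise.
audit_listeners() {
    _lines=$1
    _allowed=$2
    _found=$(printf '%s\n' "$_lines" | awk -v allowed="$_allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # everything before it
            # Loopback-only listeners are not reachable from the network.
            if (host ~ /^127\./ || host == "::1") next
            if (!(port in ok)) print port
        }')
    [ -z "$_found" ] && return 0
    printf '%s\n' "$_found"
    return 1
}

# Usage on a live host: replace the sample with real output, e.g.
#   audit_listeners "$(netstat -tln)" "22"
# With the sample above and only port 22 allowed, this reports 23, 25, 111
# and 515 (the X server on 6000 is loopback-only and is skipped).
```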
We need to teach people how to program well, and then maybe we can teach them how to program securely. We then need these programmers to either completely rewrite major portions of the software most Linux vendors ship, or audit the existing stuff (in both cases a task that is unlikely to be done). Since this is basically impossible we need to look at other solutions. ImmunixOS and SELinux are two solutions to this problem, and when installed, maintained and used correctly they do help, a lot. However, this will not benefit the vast majority of Linux users. OpenBSD users, on the other hand, have an extremely clean and secure code base to work from, one that is proactively audited on a continuous basis. Linux has dug itself into a very deep hole, and appears to be digging downwards at an ever faster rate. Even with add-on software like PitBull LX or the NSA's SELinux kernel modifications, there are still potential security holes that could allow an attacker to bypass any Mandatory Access Controls, RBAC or Type Enforcement, as was the case with PitBull for Solaris (Solaris had a flaw that allowed attackers to compromise the system despite PitBull). Without a high level of assurance in the actual source code of the Linux kernel and associated files there will always be a hint of doubt about the security of the system as a whole. This is why Linux can never be as secure as OpenBSD.
Reference links:
http://www.openbsd.org/ - OpenBSD
http://www.openbsd.org/security.html - OpenBSD security page
http://www.openbsd.org/crypto.html - OpenBSD crypto page
http://seifried.org/lasg/ - Linux Administrators Security Guide
Last updated 8/11/2001
Copyright Kurt Seifried 2001