Why OpenBSD will never be as secure as Linux

Kurt Seifried, [email protected]


Counterpoint: Why Linux will never be as secure OpenBSD


Set flame guns to kill. Please read the entire article before flaming me, as many of your concerns/etc will probably be answered next week. OpenBSD and Linux, two decidedly different operating systems. OpenBSD claims to be "secure by default", and has undergone an extensive code audit, so the question is: have I been hit in the head with a blunt object, or what? Security is an extremely complex subject with a variety of definitions. This article is an attempt to educate people, I personally consider OpenBSD to be a reasonably "secure" operating system, in some ways more secure then your average Linux distribution. However people have a wide variety of needs when it comes to security, and some of these needs are not met by Linux more so then OpenBSD. There are a variety of security products and software suites for Linux currently available and a number of security projects in the works that will have a significant effect. Depending upon your exact needs, budget, level of expertise and so on there is almost surely a security solution for Linux that will fit your needs.


SubDomain, StackGuard & FormatGuard

WireX ships a hardened version of Linux using a number of security enhancements. The most obvious would be SubDomain, which allows you to specify which files a program may access and in what manner (read, write, execute or list). This allows you to tightly contain software, you do not need to make any changes to the software or go through the problems associated with using chroot() (which for packages like Sendmail can be extremely complex). There is no equivalent to SubDomain in OpenBSD. Other benefits of WireX include StackGuard and FormatGuard, while it can be argued that because OpenBSD's code has been audited it doesn't need StackGuard or FormatGuard but the simple fact remains that buffer overflows and format strings attacks are still being discovered in OpenBSD. The beauty of these three technologies from WireX is that you do not need a huge amount of expertise or time to implement, and SubDomain can protect software available in binary only formats.


Openwall kernel patch

The Openwall kernel patch is a relatively simple set of kernel patches that once compiled in will prevent or stop a number of problems. A non-executable user stack area prevents various buffer overflows, and while it can be circumvented it definitely raises the bar for attackers. Restricting links and FIFO's in tmp is another feature, and again while OpenBSD has audited it's code and removed most of the /tmp vulnerabilities there are no guarantees about software in the ports package or binary only software. Once this software is installed you do not need to do anything more, there is no configuration required or additional setup when you install new software, removing any chance of accidentally forgetting to protect software/etc.


Argus PitBull LX

PitBull LX is a commercial product for Linux that comes as a binary kernel (and kernel headers if you want to create your own custom kernel) and various utilities to configure the security settings. The primary benefit PitBull LX offers is Mandatory Access Controls, one of the main differences between this and Discretionary Access Controls (what Linux has by default) is that not even root can tamper with files in a MAC capable system. Additionally controls can be placed on network devices and even ports themselves, you can specify that port 53 and all the files necessary for running BIND are one security domain, if Bind is compromised it will not be able to do anything outside it's domain (i.e. write to /etc/passwd). Controls can also be placed on IPC (inter process communication) objects, allowing for fine configurations of processes, files, network objects and so on. This capability, while complicated and non-trivial allows for a certain flexibility lacking in OpenBSD.



NSA SELinux is a set of kernel patches and modified utilities that allow for extremely granular control of security settings that are similar (but different) then PitBull LX. SELinux provides "Type Enforcement", "Role-based Access Control" and "Multi-level Security" (not to be confused with multi-level marketing). Basically anything you can imagine is possible. You want to restrict port 80 to a certain process? You can do that. Want to restrict a certain process from accessing files? You can do that. Completely lock down the system so that even with root level access very little damage can be done? You can do that. Unfortunately this software is extremely non-trivial, and has a steep



LIDS is a far less complicated project then PitBull LX or NSA SELinux. LIDS provides a variety of features ranging from increased filesystem protection to a number of capabilities that allow an administrator to "lock" a system into a certain configuration that then requires a significant amount of effort (i.e. console access or a reboot) to modify. For example the "CAP_SYS_ADMIN" capability lets you restrict the setting of the machines domainname, hostname, turning swap on or off, the configuration of serial ports and so on. While OpenBSD does have a somewhat similar system in the form of BSD securelevel LIDS is more flexible in many respects.


Medusa DS9

Yet another security system for Linux that allows an administrator to control access to files, various process actions, system calls and more. One interesting feature of Medusa DS9 is the ability to redirect access from one file to another instead, as well as useful in a security setting it can be used with chrooting or for debugging programs. Like LIDS, NSA SELinux, PitBull, SubDomain and so on Medusa allows for increased control of processes and files on a given system, again no comparable software is available for OpenBSD.



As you can see there is a large selection of security software Linux, ranging from simple items like the Openwall kernel patch to very configurable security suites like PitBull LX. These solutions are simply not available for OpenBSD, so if you have needs beyond the basic User/Group/Other filesystem restrictions for example you are basically out of luck. Restricting access to port 80 for example, while easily achieved in Linux with NSA SELinux or PitBull LX is basically impossible in OpenBSD. Protecting binary software can be done in Linux with a variety of tools, doing so in OpenBSD is very difficult (there is little you can do). Even with some of the most secure source code in the world OpenBSD will not be capable of providing the same levels of security and trust that a Linux system with the appropriate software (i.e. NSA SELinux or PitBull) can. For a system to be both secure and trusted you need both secure code and additional items that provide Mandatory Access Controls, RBAC, Type enforcement and so on. This is why OpenBSD will never be as secure as Linux.



Reference links:

20010912-immunixos-7.html - ImmunixOS 7 - Secure Linux

http://www.wirex.com/ - WireX communications

http://www.openwall.com/linux/ - Linux kernel patch from the Openwall Project

http://www.argus-systems.com/product/overview/lx/ - PitBull LX

http://www.nsa.gov/selinux/ - NSA Security Enhanced Linux

http://www.lids.org/ - Linux Intrusion Detection System

http://medusa.fornax.sk/ - Medusa DS9



Last updated 8/11/2001

Copyright Kurt Seifried 2001