1. 1

          No - they need to be merged. This is from the discoverer’s website.

        1. 1

          Is this a form of ROP protection? Edit: wait, nope, misunderstood something.

          Is it common for attackers to make fake stacks?

          1. 9

            Yeah. Your ROP chain requires a whole bunch of return addresses somewhere in memory. This restricts you to putting them on the stack, as opposed to some other heap buffer.

            Bonus link: http://hypervsir.blogspot.com/2015/01/a-software-solution-to-defend-against.html

            1. 1

              https://s3.amazonaws.com/cybersec-prod/secdev/wp-content/uploads/2017/06/25193948/ASLR-How-Robust-is-the-Randomness.pdf

              found this too but don’t think it adds much to the actual paper especially without a video of the presentation

              1. 3

                Given all the aspects in which it would seem to be technically superior, how come OpenBSD isn’t eating away at some of Linux’s market share?

                1. 12

                  Network effects. Default choices. AWS launches with linux support, so people pick linux, then they pick docker, etc etc etc.

                  Linux does solve a great many problems that OpenBSD does not. (Well, it offers a great many features and buttons and such which look like solutions. :)) I’m not sure that one operating system that solves all problems is the best approach, though. there’s a lot of disagreement about how even a desktop OS should work and how components should fit together.

                  1. 5

                    I had also heard that performance on newfangled hipster tasks (http service, MP scheduling, databases) was nontrivially worse, so I started trying to run an OpenBSD instance on AWS to run some side by side tests in order to invalidate those rumors. Apparently one guy once heard of a file you can UUCP from sunsite.unc.edu that enables 80-character mode so that you can give it a shot, but that was from a Byte magazine reader article so I cannot vouch for its veracity. I had to give up when my eyelids started twitching uncontrollably.

                    The reputation for security doubtless partially stems from the fact that installing the thing requires delivering the One True Ring to a locked basement cabinet guarded by leopards in an abandoned mausoleum underneath a nuclear waste disposal site in Afghanistan. Minimization of attack surface and all that. Somewhere, a Haskell core developer is putting down his glasses and rubbing his eyes in admiration.

                  2. 9

                    Hardware support is what keeps me from switching.

                    1. 7

                      And historically, performance. I haven’t seen any good performance comparisons in the last few years (that I remember anyway), but several years ago there were several comparisons done that showed somewhat poor openbsd (and netbsd as I recall) scalability (multi-core performance, etc). Linux has often been one of the top performers in those types of benchmarks.

                      Go fast until the wheels fly off?

                    2. 5

                      The following HN comment from Brendan Gregg might be worth a read. It’s answering in detail basically the same question, just for Illumos rather than OpenBSD: https://news.ycombinator.com/item?id=12837972

                      1. 8

                        The reply is a touch acerbic, but makes some good points too I think. Like why not just give up when linux is 1000 developers ahead? Because half of them are wasting their time inventing ten different tracing frameworks. Ok, admittedly it would be nice for openbsd to have one perf tool, but I think we’re not so far behind as it may seem.

                        Also, for something like inteldrm, there’s a team of devs who keep churning the code, which causes kettenis some struggle when he tries to import it, but on the whole we get most of the benefits of that driver at a considerable manpower discount. The precise economics aren’t quite that simple, but not all of the effort spent on linux is locked in linux either.

                        1. 3

                          Sure, I agree on both of those points. Some effort will be wasted to duplication and churn, some will have little effect as it can be easily reused by other projects.

                          But if the larger developer base is at all positive, it will add up over the decades. E.g. 20 years ago the common wisdom would have been that the BSD TCP stack was both battle hardened and state of the art, while the one in Linux was flaky and scaled badly with load. It’s definitely the other way around these days (to a different extent for different BSDs), with a steadily increasing delta. And then repeat the same story over dozens of subsystems.

                          Clearly there are things that more manpower doesn’t help with. Like deleting code to reduce attack surface; I’m pretty sure that the larger the team, the harder that is to achieve :) It’s not that developers of non-Linux operating systems should just give up, or anything like that. But the assertion at the start of this thread on Linux’s technical inferiority doesn’t feel realistic to me.

                          1. 2

                            That interesting comment reminds me a lot of the Worse is Better effect that got UNIX to dominance in the first place. There were better systems including some focused on good docs, reliability, and high security. I write about them a lot. ;) They lost with them being in close to legacy mode or gone depending on the product/project. The Linux situation, esp as Brendan Gregg describes it, looks like a repeat of that with Linux doing it to the other UNIXes. I already knew this seeing the likes of SGI, IBM, and Oracle get on the Linux bandwagon despite having proprietary UNIXes to push. In contrast, OpenBSD is trying the UNIX version of The Right Thing. It will fail in a broad sense because that always happens.

                            It’s destined to a niche of those that care about The Right Thing. You’ve all done a great job keeping it up despite your filter on the kind of contributors you accept and not giving into market’s crap that much. I saw Theo backtrack a bit with VMM admitting OpenBSD might have to do a little more for marketability. Still, the project will probably need a like-minded sponsor with lots of money and/or talent to break past what we’ve seen so far since The Right Thing is always swimming upstream vs Worse is Better which sometimes creates tsunamis. Those of us focused on quality might always be also-rans in the larger scheme of things. (shrugs)

                        2. 5

                          Linux is easier to use.

                          How do you search for a package in OpenBSD? How do you get a description in your search results? You can search package names by downloading the index.txt file from the packages directory on a mirror. But anything more sophisticated you have to use the ports tree and the janky makefile system with non-intuitive syntax and cryptic errors to do any interesting searches.

                          It’s actually possible to download and install a Linux distro that comes with a desktop environment, installs quickly, and works fine right away. When I was first getting into non-Windows operating systems in middle school, I tried out OpenBSD because the whole secure OS thing sounded cool to me. I screwed with it for hours, felt like I was getting nowhere, then gave up and installed Linux Mint.

                          I run OpenBSD now, but I’m also a systems programmer / SRE at a database company, so I’m not exactly an “average user” that represents the trend of the market.

                          1. 6

                            pkg_info -Q is what you want. That said, it looks like it doesn’t respect the -d or -c flags (I have a diff to make it work with them, though).

                            1. 3

                              yep. i use pkg_info, i browse the ports mailing list, read the website, and also look at my mirror of choice from time to time.

                              i just use cwm that’s in base. i had previously used gnome and xfce from packages. i reckon my willingness to read documentation mostly gets me to where i need to be… other things figured out by trial and error, mailing list, and searching the internet.

                              1. 2

                                You make it seem like reading the documentation is a bad thing? This should be the preferred approach.

                                On linux the preferred approach is asking half assed questions on stack overflow.

                                1. 1

                                  i don’t think it’s a bad thing. i’m implying that everyone saying openbsd is difficult to install or use aren’t reading these things and i don’t really understand why.

                              2. 2

                                Ahhhh. I’m somewhat amazed that I didn’t know that. But I will still call it unintuitive. See, I expected something like pkg_search, or to find something searching for “search” in man pkg_info. Searching “OpenBSD search for package” on Google returns a bunch of ancient results about ports. It IS mentioned in the packages FAQ though, but the preview text on Google mentions ports specifically. So I must have searched for it, seen those results, rolled my eyes, looked in the man pages, seen nothing, and decided to just download the index file.

                                Compare to most Linux package managers, which when run with no arguments tell you the commands to install and search. The word “search” specifically is much more well known than “query” because of Google.

                                So even though I’m a bit lazy and it’s clearly my fault for not knowing this as a sophisticated user, I think helping rather than blaming the user isn’t the right strategy towards getting adoption. Linux is really good about that, OpenBSD not so much.

                                1. 2

                                  > or to find something searching for “search” in man pkg_info.

                                  Query is close. I guess it’s a difference in terminology.

                                  > Searching “OpenBSD search for package” on Google

                                  This seems to be a common trend among Linux users: Google is consulted with more authority than local documentation. I personally do the same thing. When finding issues with Linux machines I always go to Google first; the crap documentation (often lacking entirely) has trained me to do so!

                                  > I think helping rather than blaming the user isn’t the right strategy towards getting adoption. Linux is really good about that, OpenBSD not so much.

                                  Where was there lack of help and who is doing blaming?

                                  1. 3

                                    I realize query and search are close, but search is definitely the layman terminology.

                                    Googling isn’t just a Linux strategy, that’s what Windows and Mac users do too. Apple in particular is pretty good about making their support pages show up on Google.

                                    I didn’t originally mean people blaming the user directly, but rather a UX that “blames the user” in its design, and for OpenBSD I mostly see this in docs or commands. Not being able to find the -Q flag in the man page by searching (querying?) for search is poor UX. It implicitly becomes the user’s fault for not reading the whole manual. There are no examples either, where surely a common operation like search would be demonstrated. And OpenBSD commands don’t self document or provide assistance, whereas Linux commands will often list the most common usage if you don’t type a valid command. Using OpenBSD feels a bit RTFM, whereas on Linux stumbling around in an interactive session is much more viable, as most things try and point you in the right direction.

                                    This goes both ways, on OpenBSD it’s way more likely that if you can’t figure something out, it actually is documented somewhere. But that documentation could be more accessible and searchable.

                                    But also user blaming happens directly on misc@. I am part of no other community that ever makes me think “wow these people are such outrageous stuck up assholes, I’m not even sure I want to be a part of this anymore.” Mostly OpenBSD people are intelligent, articulate, and kind. For example, I’ve had nothing but good experiences talking with OpenBSD folks on lobsters. But wow some of the stuff on misc makes my blood boil.

                                    I’ve considered contributing to OpenBSD docs to make them more accessible, especially FAQs / new user guides, but my experiences on misc have always stopped me. I worry that I’ll be shot down for going against the OpenBSD philosophy, and I won’t even be rightly told why, just be told I’m a moron. It sucks, because I love OpenBSD and I want to share it and make it easier for people to learn about, but I feel discouraged from contributing.

                                    1. 1

                                      again i feel the direct opposite here.

                                      i was able to find everything i needed without asking for help and without googling for the most part.

                                      still don’t understand how you missed -Q in the pkg_info man page because it’s right at the top in synopsis.

                                      maybe i’m a stuck up asshole too.

                                      1. 1

                                        > maybe i’m a stuck up asshole too.

                                        I don’t think so.

                                        > still don’t understand how you missed -Q in the pkg_info man page because it’s right at the top in synopsis.

                                        I wanted to search, I scanned the first line for search, /searched for search, moved on. I’m just too impatient. But a lot of people are too impatient, and worse a lot of people just don’t care enough to persist.

                                        1. 1
                              3. 3

                                i’m an average to below average user and i use openbsd as my daily driver.

                                i don’t program and my knowledge of computers is intermediate at best.

                                i also work in a non-tech field.

                                i think it’s the easiest and most straight-forward OS to use.

                                so, obviously i disagree with this.

                                1. 3

                                  I wonder what you’re doing on lobste.rs :)

                                  1. 2

                                    Interesting! So, how do you look for packages you need to install? How’d you get going with a desktop environment?

                                2. 3

                                  The file system isn’t great…

                                  1. 11

                                    Please. Greatest filesystem of the 80s. Best decade, best filesystem.

                                    1. 2

                                      That was Files-11 on OpenVMS with versioning and stuff. Especially integrated with high-uptime stuff like clustering and distributed lock manager. Or NonStop’s Guardian with its crazy reliability. Or the first system (SCOMP) certified to high security that added ring and segmented protection to them with system-wide security policy.

                                      I do agree it was one of the best decades for applied IT with all kinds of awesome shit happening based on what CompSci had worked on in 1960’s-1970’s with better hardware available. A lot of things started coming together that couldn’t before.

                                  2. [Comment removed by author]

                                    1. 8

                                      Or they need to run certain applications that are only available on Linux, or they need drivers that are only available on Linux, or they want a filesystem that has more features than UFS/FFS, etc.

                                      OpenBSD picked a niche and perfected itself in that niche. I think it is a shining example that picking one problem and solving it well is often better than being a jack of all trades, master of none.

                                      (Which does not mean that it cannot be used as a general purpose OS with some care.)

                                      1. 6

                                        Even as someone who likes the FSF, I doubt many Linux users are there because of (rather than despite, or indifferent to) the GPL. It’s not hard for me to imagine an alternate universe without the BSD lawsuits where FreeBSD or something got popular as the mainstream free hobbyist Unix in the 1990s, and I seriously doubt FSF diehards would have been able to keep more than a handful of people from going with that bandwagon, had it developed (and had they actually wanted to).

                                      2. 1

                                        Same reason as many other similar situations throughout the industry. People know something else, a lot is built on other systems, marketing, and once you have a certain amount of people using tech X it’s really hard to use something else.

                                        Another side effect that kicks in with Linux distributions, operating systems and programming languages is that at many places, if you introduce a technology that isn’t the currently dominant one, you will be personally blamed for every single bug or other obstacle it has. It will often be blamed on it, despite also existing on the dominant OS.

                                        Something related is that sadly a lot of software that companies and people end up using at some point is written in unnecessarily non-portable ways. I once worked at a company that used software which ran a bash script (stored inside a string in a program), and it had a typical non-portable #!/bin/bash instead of #!/usr/bin/env bash. As usual, I’d report that and even create a pull request on a huge (in terms of stars, in the tens of thousands) and very hyped project, expecting it would be accepted. After being baffled that the authors didn’t even know about /usr/bin/env and what it does, and a link to Wikipedia not helping either, the conversation stalled. Since that project was being used by the front end developers I kept patch sets for such things around.

                                        And while those tiny things are really not hard in general, these tiny things add up. I know the problem even exists if you don’t use Ubuntu but, for example, Alpine in the Linux world.

                                        Having these kinds of portability issues quite often leads to the dominant technology in a field not being the best. The most famous example is how long Internet Explorer stuck around, despite Opera and the Mozilla browser, until Firefox came along.

                                        When there are a lot of users and developers, even pretty bad technology can stick, because there will be widely used workarounds for problems, there will be progress on some fronts even when the architecture is flawed, etc. Change is rarely that quick, especially when many parties are involved and put their money and effectively their lives on it.

                                        Of course that doesn’t mean that Linux is bad and OpenBSD is great, just that technical superiority or being a bit better than others usually is far from a good indicator for dominance in a field. Especially if marketing and politics have a big presence, but even without. People simply need to have heard of it and have a good reason to switch and get into something new to them and settle there. When there is no direct financial effect that is significant enough, people tend not to just switch utilities from one moment to the next. And even when you know OpenBSD really well and are convinced it’s better, introducing that in an existing company might not be an option. Of course you can always switch, but why give up a safe, well-paying job with great coworkers for an operating system?

                                        1. 1

                                          Docker / namespaces

                                          1. 2

                                            Are there classes of exploit that this is better at defeating than KASLR? It’s definitely neat but I don’t understand the attack vectors well enough to understand why this is useful.

                                            Does OpenBSD do Kernel ASLR too or is this an alternative to implementing it?

                                            1. 3

                                              (Speaking in general, not directly related to OpenBSD). KASLR doesn’t really defeat exploitation of the kernel due to kernels having info leaks as features and the extremely limited amount of kernel virtual address space. Take a look at this article for a deeper look.

                                              1. 1

                                                are forum posts really articles now?

                                                1. 4

                                                  I posted most of my designs and essays on Schneier’s blog since there used to be highly-skilled security engineers with diverse backgrounds. Got great peer review with lots of designs. One time, a reader mentioned one on Qubes mailing list with Joanna dismissing it like you did on the same grounds. I slammed her for that pointing out what matters is the actual content plus source. Not where it’s posted. On top of calling out related work that was better designed that she should’ve imitated. Although she dismissed my proposals, I noticed she ended up adding a trusted path and blasting Xen folks about security just like I said she would.

                                                  All starting in design discussions of microkernel-based systems in the comments of a blog. Yeah, good content can show up anywhere. One day we might even see a PhD-grade post on 4chan. I’m not holding my breath on that one but it’s possible. Judge the content not the location unless you have to blacklist a location out of necessity. 4chan comes to mind again. ;)

                                                  1. 3

                                                    yeah i reckon you’re both right and i’m just being an old man

                                                    1. 3

                                                      I chalked it up to differing opinions and perspectives. :)

                                                  2. 3

                                                    Call it what you will. The post is in the section of the forum called “Blog.” Blog entries can be called articles.

                                                    Whatever floats your goat.

                                                  1. 3

                                                    A lot of KVA info leaks leak a single pointer. From that you can calculate the kernel base address and everything else is relative. The order never changes.

                                                    There are of course bugs which allow arbitrary reads of kernel memory, but they’re usually rarer. The common case is some data structure is copied out, but a sensitive field isn’t zeroed. The attacker doesn’t have control over what value they read. You get one function pointer address and that’s it.

                                                  1. 3

                                                    While I certainly wouldn’t recommend paying the ransom... I’m curious. Does paying the ransom even work?

                                                    I thought the relevant email address to apply for the decryption key had been taken down.

                                                    Sigh. I guess like gambling, this whole thing is a “Stupidity Tax”.

                                                    1. 2

                                                      It works more than 50% of the time I believe - unsure of the exact number and those things are hard to measure. But security experts do recommend paying it even if the chances are slim.

                                                      1. 3

                                                        i’m very curious where this information comes from. i’ve never seen anyone recommend paying these and in this case paying would do no good as the email address associated with it has been disabled.

                                                        1. 3

                                                          I could go and search a bunch of links, I’ve read it in various sources. FBI and law enforcement will probably advise against paying the ransom, but a practical security expert is likely to think: if your data is worth $2k and the ransom is $200, it’s worth the risk.

                                                          There’s a well documented case (and on-going) in Korea where an entire web hosting company got taken over. Here’s a Google Translate link: https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.nayana.com%2Fbbs%2Fset_view.php%3Fb_name%3Dnotice%26w_no%3D960

                                                          They negotiated, paid the hackers and are in the process of recovering the data.

                                                          1. 2

                                                            i think i’d recommend regular backups instead but i’m not a security expert. go figure.

                                                            1. 2

                                                              Yup, well they f’d up bad on this one.

                                                              1. 1

                                                                Backups can be tricky for this, depending on how they’re set up. Many ransomware variants try to access any backups they can and overwrite them too. Are your backups set up in such a way that a malicious admin app can’t overwrite them? Are you sure? You’re gonna need either an element of manual-ness to performing a backup, plus the ability to notice that something is going wrong, or a backup system that preserves multiple versions of files in a way that the previous versions can’t be destroyed.

                                                                1. 3

                                                                  Two cloud options I’ve used, not because I have data that’s all that important, but mostly to learn how they work:

                                                                  1. The access permissions supported by cloud-based object storage (S3, etc.) now make it fairly easy to set up a backup system where the system doing the backups can’t also wipe them. One way to do it is to grant the system only the ability to write new objects but not to delete/modify existing ones. So the backup cron job can push backup-20170628.tar.gz but can’t delete it (or previous snapshots) once it’s done so. This isn’t 100% foolproof because there is presumably still some account that can delete snapshots, and that could be compromised. But you can at least keep those credentials less widely distributed, not put them on every server that needs to be backed up.

                                                                  2. Use a backup or cloud-storage service that keeps a fixed set of snapshots that the service itself rotates, using credentials you don’t have access to at all. For example, rsync.net takes and rotates daily and weekly ZFS snapshots on a fixed schedule.
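                                                                   The append-only arrangement option 1 describes, as an added example that is not the commenter’s own configuration: an IAM policy for the identity the backup cron job runs as, assuming an S3 bucket named BACKUP-BUCKET-PLACEHOLDER with versioning already enabled, so that re-uploading an existing key creates a new version instead of replacing the old bytes. The identity may create objects and list the bucket, and is explicitly denied every action that would remove, expire or un-version existing data; a separate administrative principal can still delete, which is the residual risk the comment points out, so these should be the only credentials placed on the servers being backed up.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppendOnlyBackupWrites",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BACKUP-BUCKET-PLACEHOLDER",
        "arn:aws:s3:::BACKUP-BUCKET-PLACEHOLDER/*"
      ]
    },
    {
      "Sid": "NeverDestroyExistingSnapshots",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BACKUP-BUCKET-PLACEHOLDER",
        "arn:aws:s3:::BACKUP-BUCKET-PLACEHOLDER/*"
      ]
    }
  ]
}
```

                                                                   Without versioning on the bucket, s3:PutObject alone still lets a compromised host overwrite backup-20170628.tar.gz in place, so enabling versioning is part of the control rather than an optional extra; the explicit Deny on s3:PutBucketVersioning and s3:PutLifecycleConfiguration is there so the same credentials cannot switch versioning off or add an expiry rule that quietly purges old versions.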

                                                        1. 2

                                                          Awesome!