Significant new features in OpenBSD 3.2 release
By Jeremy C. Reed
Last week, the OpenBSD project announced its thirteenth release with OpenBSD 3.2. OpenBSD supplies the open source Unix operating system for i386, alpha, sparc, UltraSPARC, macppc, and hp300* users in a 3-CD set. (Other hardware platforms are available by download.)
OpenBSD is known for its security with only one remote hole in the default install in the past six years. The OpenBSD 3.2 release includes several new security features to continue this standard.
For OpenBSD user Marco Peereboom, several features new to 3.2 are particularly significant: privilege separation, systrace, the non-executable stack, and the pf packet filter improvements.
OpenBSD 3.2 raises the cost of buffer overflow exploitation with a non-executable stack on the i386, sun4m, sparc64, alpha, and macppc platforms, and non-executable data and bss segments on sun4m, sparc64, and alpha. The overflow itself is not prevented; what the change removes is the attacker's ability to run code injected into those regions, which is how the classic stack-smashing exploit works.
"This eliminates a large percentage of security holes," said Peereboom, a senior storage engineer and co-founder of the OpeniSCSI project. "Even ones that we have not thought of yet."
"Dynamic interface expansion is a great feature," said Peereboom about the pf improvement. "I really missed this in the previous versions."
In addition, pf state table entries can now be limited per rule rather than only globally. The packet filter also has a simplified filter rule language, and spoofing protection is easier to configure.
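The three pf changes above, in one ruleset. This is an added example, not configuration from the article or the OpenBSD project; the interface names, the internal network, and the SSH state cap are assumptions, and the syntax follows pf.conf(5), so check it against the pf version you run with `pfctl -nf /etc/pf.conf` before loading it.

```conf
# Added example pf.conf; interface names and limits are assumptions.
ext_if = "fxp0"
int_if = "xl0"

# Normalize fragments and TCP options before any rule sees them.
scrub in all

# Spoofing protection: drop packets that arrive on an interface claiming a
# source address that belongs to one of our own networks (lo0 covers 127/8).
antispoof quick for { lo0, $int_if } inet

# Default deny, logging inbound drops.
block in log all
block out all

# Dynamic interface expansion: ($ext_if) is resolved when the packet is
# filtered, so a DHCP or PPP address change needs no ruleset reload.
pass out on $ext_if inet from ($ext_if) to any keep state

# Per-rule state limit: this rule may hold at most 100 concurrent states,
# so a flood of SSH connections cannot exhaust the global state table.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state (max 100)

# Hosts on the internal network may originate traffic through the gateway.
pass in  on $int_if inet from $int_if:network to any keep state
pass out on $int_if inet from any to $int_if:network keep state
```

Without `(max 100)` the only protection against state exhaustion is the global limit; with it, the flood is confined to the one service that is exposed, and the `antispoof` line expands into block rules for each address configured on the listed interfaces.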
Another OpenBSD user, Frank Denis, believes systrace is "definitely the killer feature introduced in 3.2." Systrace constrains an application's access to the system: it intercepts system calls and lets the user interactively build a policy that permits or denies each one, such as munmap, stat, fchdir, recvfrom, chown, and setuid, optionally conditioned on the call's arguments.
"Strict systrace policies applied to every running daemon dramatically reduce impacts of possible security flaws," said Denis, the Pure-FTPd project maintainer. "A properly systrace'd server running as root becomes more secure than privilege separation, with less overhead. Systrace is also very useful for restricted environments, easier and more flexible than chroot."
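What such a per-daemon policy looks like, as an added example rather than a policy shipped by the article's authors or by OpenBSD. The daemon path `/usr/local/sbin/exampled`, its config and data paths, the port, and the unprivileged uid/gid 90 are all hypothetical; the statement forms (`permit`, `deny[eperm]`, `filename eq/match`, `sockaddr eq`, `uid eq`) are the ones systrace itself emits when you generate a policy with `systrace -A` and then tighten it.

```conf
# Added example systrace policy for a hypothetical daemon.
# systrace looks for this file as ~/.systrace/usr_local_sbin_exampled
# (the path with '/' replaced by '_') or in the directory given by -d.
Policy: /usr/local/sbin/exampled, Emulation: native
	native-__sysctl: permit
	native-issetugid: permit
	native-mmap: permit
	native-munmap: permit
	native-break: permit
	# Reads: only the daemon's own config, its data tree, and shared libraries.
	native-fsread: filename eq "/etc/malloc.conf" then permit
	native-fsread: filename eq "/etc/exampled.conf" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/var/exampled/*" then permit
	# Writes: the log directory only; everything else fails with EPERM
	# instead of killing the process, so the daemon keeps running.
	native-fswrite: filename match "/var/exampled/log/*" then permit
	native-fswrite: filename match "/*" then deny[eperm]
	# Network: one listening TCP socket on the service port, nothing outbound.
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
	native-bind: sockaddr eq "inet-[0.0.0.0]:8021" then permit
	native-listen: permit
	native-accept: permit
	native-recvfrom: permit
	native-fchdir: permit
	native-chown: filename match "/var/exampled/*" then permit
	# Privilege drop is allowed; regaining uid 0 later is not.
	native-setgid: gid eq "90" then permit
	native-setuid: uid eq "90" then permit
	native-setuid: uid eq "0" then deny[eperm]
	native-exit: permit
```

Run the daemon under `systrace -a /usr/local/sbin/exampled` to enforce the policy non-interactively: any system call not matched by a statement is denied, which is the property Denis is relying on when he compares it to privilege separation and chroot. Start with `systrace -A` to record what the daemon actually does under normal load, and prune from there rather than writing the list by hand.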
The OpenBSD 3.2 release also offers improved hardware support, such as improved Intel Gigabit Ethernet support, support for UDMA133 and IDE disks larger than 128GB, and Wavelan, Prism, and Symbol 802.11b support for the sparc64 platform.
In addition, the X Window System supports built-in AGP-based video on i386 machines using ALI, AMD, Intel, SiS, and VIA chipsets, and X and frame buffer performance is improved on the sparc, sparc64, and alpha platforms.
Updated third-party software in the release includes XFree86 4.2.1, Sendmail 8.12.6, Apache 1.3.26, mod_ssl 2.8.10, OpenSSL 0.9.7beta3, the latest KAME IPv6 code, and OpenSSH 3.5.
The official OpenBSD 3.2 release can be ordered directly via http://www.openbsd.org/orders.html for US$40.