Message-ID: <20040510134244.GA3873@symantec.bugtraq.org>
From: thief at bugtraq.org (Richard Johnson)
Subject: iDEFENSE: Security Whitepaper on Trusted Computing Platforms
iDEFENSE: The Power of Intelligence : Current Intelligence Report
iSecurity Brief 05.10.04: Why OpenBSD is more secure than Linux
Author: Richard Johnson, the DataThief
Introduction
Well my mother just finished knitting me a new pair of asbestos
booties so I thought it was high time I try them out. Set phasers to
"flame". Please read the entire article before using them. Just
remember, I could have copped out by making the title something like
"Will Linux ever be as secure as OpenBSD?" or even "Which is more
secure, Linux or OpenBSD?". But I didn't. As well you should check out
the LASG/LSKB if you haven't already. I also know about ImmunixOS from
WireX and the NSA's SELinux (go read last week's column!).
The code
Let's face it, Linux is a great OS, I have more than a few machines
running it, but due to a number of factors it's never going to be as
secure as OpenBSD (which I also have running on several machines). But
Linux will never be as secure as OpenBSD, for technical, political and
marketing reasons. One of the most obvious differences between Linux
and OpenBSD (assuming you look under the hood a bit) is the fact that
OpenBSD has done an extensive code audit. The OpenBSD team has
literally spent dozens of man years of effort auditing code, not only
for security but for general correctness. Even the man pages for
OpenBSD are clean and consistent. This is a very proactive form of
security, OpenBSD fixes many problems before they become security
issues. No such form of extensive code audit exists in the Linux
world, and likely never will. Most vendors I have spoken with
typically have a small security team of less than a half dozen people
(usually much less). Even ignoring the fact that Linux vendors ship
many more packages as standard than OpenBSD (which tends to rely on
the ports collection for add on software) the basic components that
both Linux and OpenBSD have (kernel, command shells, system utilities,
etc.) are quite large, several hundred megabytes of source code in
total. There simply are not enough competent Linux programmers to do a
security audit on this code, let alone every vendor hiring enough
people to fix their own versions/etc. Even when vendors do do code
audits they typically face a problem, many programmers maintaining
software are indifferent, or even hostile to people sending them
security fixes, so it is very common for the original software to be
insecure, and the vendor must maintain their own patch set. This
problem affects OpenBSD far less as they maintain their own code base
now, and it has significantly diverged in many areas (ssh and OpenSSH
being a prime example). Even if Linux vendors want to audit all their
code there aren't enough Linux programmers capable of doing this. This
means that Linux vendors are essentially doomed to reacting to
security problems, applying patches and shipping out fixed versions of
software, leaving users open to vulnerabilities for hours, days or
even weeks in some cases.
This is far more important than it sounds, even with additional
security products such as PitBull there may be ways for an attacker to
exploit some bug in the kernel that allows them to bypass add-on
security, this happened with PitBull for Solaris, PitBull was fine,
the Solaris kernel was not. Generally speaking add on security
products cannot completely protect the system, for example unless a
firewall product replaces the TCP-IP stack of an OS any problems in
the TCP-IP stack will still be exploitable.
Cryptographic software
This is an area where OpenBSD trounces Linux. OpenBSD not only ships
OpenSSL, OpenSSH, IPSec, and several other cryptographic software
packages, but they have actually been largely responsible for OpenSSH,
which is an incredibly important piece of software now. While many
Linux vendors do ship OpenSSL and OpenSSH there are several that do
not (Caldera being a notable example). However no major Linux vendors
ship IPSec support built in, while there is a project for Linux IPSec,
it is difficult at best to install and configure, and at worst almost
impossible (I know, I've used it). OpenBSD on the other hand ships by
default with one of the best IPSec implementations available. OpenBSD
also provides a different (better in many ways) key daemon, with
support for various forms of authentication, an area where FreeS/WAN
is weak. Additionally because the majority of Linux work is done from
within the US (Linus Torvalds now lives there) there is almost no
cryptographic support built into the Linux kernel. If you want to add
crypto you must patch the kernel and rebuild it. Very few vendors, if
any at all (I'm not aware of a single one), ship any crypto built
into the kernel such as IPSec support, or any form of cryptographic
hooks (however many do ship OpenSSL/OpenSSH and other cryptographic
components). Because OpenBSD is done from Canada, the export of public
domain (usually interpreted as OpenSource) is not a problem, giving
you out of the box support.
Cryptographic hardware
Yet another area where OpenBSD shines and Linux is almost completely
lacking. OpenBSD supports several cryptographic acceleration products,
allowing you to build very powerful (and cheap) IPSec gateways for
example. While there is some SSL acceleration hardware available for
Linux this is essentially an easy problem to solve (most web load
balancers can handle the encryption, and keep sessions organized
properly). There is as far as I know no IPSec capable hardware
acceleration products for Linux. As well OpenBSD is currently working
towards allowing hardware to accelerate other cryptographic software
such as ssh, which will become an increasingly large problem (how much
CPU would you have to add to a server to support 1000 users using ssh
instead of telnet?). As well with OpenSSH's support for large file
transfers (via scp and sftp) load on servers using the SSH protocol
will only increase.
On the cryptographic front OpenBSD has Linux beat, hands down. The
chances of Linux gaining this support are slim for a number of
reasons, US crypto export policy, and a lack of programmers that are
capable of writing the software to name a few. This is not something
that will change for a long time (if ever).
Happy customers
Linux vendors care about having happy customers. OpenBSD developers
don't. The Linux market has become a very competitive space, with
around a dozen "major" distributions, and literally dozens (if not
hundreds) of smaller players. The major distributions generally pursue
similar markets, home desktop users, corporate/educational desktop
users and corporate/educational servers. Almost every commercial
vendor has invested significant effort in graphical installation
programs, desktop software like Gnome and KDE, and other
usability/entertainment/productivity software. There is absolutely
nothing wrong with this, as more people use Linux the installation
must become easier, and things like word processors are needed.
However it means that Linux vendors have to spend a lot more effort
pleasing users, several distributions now ship on multiple CDs
because of all the add on software they include. Although customers
complain about security, very few will actually take a secure product
instead of an insecure product with more features (even if they may
not need those features). Unless a sizable portion of customers start
putting their money where their mouth is vendors will not change
significantly.
Secure by default
In comparison OpenBSD 2.8's install files (all of them) are just over
90 megs, installed (with everything) it requires around 200 megs of
space. The only things enabled by default in OpenBSD are those that
the developers deem "safe". For example Telnet is disabled by default,
and OpenSSH is enabled. Sendmail is configured to run in local queue
mode, it can send mail but not receive (you must add the "-bd" option
in rc.conf to enable it). As OpenBSD's webpage puts it:
Four years without a remote hole in the default install!
Which is not something any Linux vendor can claim (or ever will in all
likelihood). A typical installation of Linux will result in a half
dozen or more network services being started, and while some vendors
are starting to improve it is unlikely many will since disabling
things results in frustrated users and increased support costs
(although one wonders about the cost of rebuilding machines after they
are broken into).
Summary
We need to teach people how to program well, and then maybe we can
teach them how to program securely. We then need these programmers to
either completely rewrite major portions of the software most Linux
vendors ship, or audit the existing stuff (in both cases a task that
is unlikely to be done). Since this is basically impossible we need to
look at other solutions. ImmunixOS and SELinux are two solutions to
this problem, and when installed, maintained and used correctly they
do help, a lot. However this will not benefit the vast majority of
Linux users. OpenBSD users on the other hand have an extremely clean
and secure code base to work from, that is proactively being audited
on a continuous basis. Linux has dug itself into a very deep hole, and
appears to be digging downwards at an ever faster rate. Even with add
on software like PitBull LX, or NSA's SELinux kernel modifications
there are still potential security holes that could allow an attacker
to bypass any Mandatory Access Controls, RBAC, Type Enforcement as was
the case with PitBull for Solaris (Solaris had a flaw that allowed
attackers to compromise the system despite PitBull). Without a high
level of assurance in the actual source code of the Linux kernel and
associated files there will always be a hint of doubt about the
security of the system as a whole. This is why Linux can never be as
secure as OpenBSD.
Reference links:
http://www.openbsd.org/ - OpenBSD
http://www.openbsd.org/security.html - OpenBSD security page
http://www.openbsd.org/crypto.html - OpenBSD crypto page
http://seifried.org/lasg/ - Linux Administrators Security Guide
_____________________________________
/ Why can't those cheap bastards from \
\ Bank of America pay bills on time? /
-------------------------------------
\ _
\ (_)
\ ^__^ / \
\ (oo)\_____/_\ \
(__)\ ) /
||----w ((
|| ||>>
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world from technical vulnerabilities
and hacker profiling to the spread of viruses and other malicious code.
iALERT, our security intelligence service, provides decision-makers,
frontline security professionals and network administrators with timely
access to actionable intelligence and decision support on cyber-related
threats. We are currently trying for complete market dominance and hope
to soon eliminate the Carlyle Group by any means necessary. We already
have stolen their webdesign - their customer base is next. For more
information, visit http://www.idefense.com, or our research team's
official website at http://idefense.bugtraq.org.
--
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief@...traq.org
Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html
and become part of our research team!
http://idefense.bugtraq.org/
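An added check for the "Secure by default" section of the article above, written by the editor and not part of the original message: a small POSIX shell audit that lists every listening socket bound to a non-loopback address whose port is not on an allowlist, so a fresh install's network footprint can be compared against the "only sshd" baseline the article describes. The socket lines are constructed sample data in the netstat/ss style, not output captured from any real host; the port-22 allowlist and the function names are the editor's assumptions.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post or any project).
# Audits listening sockets against an allowlist of expected ports.
#
# Input format (assumed): one socket per line, "proto local_address program",
# e.g. as normalised from `netstat -ltnp` or `ss -ltnp`.
# The sample below is CONSTRUCTED for illustration, not captured from a host.
SAMPLE_SOCKETS='tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:23 inetd
tcp 0.0.0.0:25 sendmail
tcp 127.0.0.1:25 sendmail
udp 0.0.0.0:111 portmap
tcp 0.0.0.0:515 lpd'

# Ports we accept on non-loopback addresses (assumption: only sshd).
ALLOWED_PORTS="22"

# Reads socket lines on stdin and prints "proto port program" for every
# socket that is reachable from the network (not bound to loopback) and
# whose port is not in ALLOWED_PORTS. A daemon bound only to 127.0.0.1,
# such as sendmail in local-queue mode, is deliberately not reported.
unexpected_listeners() {
    while read -r proto addr prog; do
        [ -z "$proto" ] && continue
        port=${addr##*:}      # text after the last colon
        host=${addr%:*}       # text before the last colon
        case "$host" in
            127.*|::1|'[::1]') continue ;;   # loopback only, skip
        esac
        allowed=0
        for p in $ALLOWED_PORTS; do
            [ "$p" = "$port" ] && allowed=1
        done
        [ "$allowed" -eq 1 ] || printf '%s %s %s\n' "$proto" "$port" "$prog"
    done
}

# Number of unexpected network-reachable listeners in the sample; a
# non-zero result is what a post-install check would alert on.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SOCKETS" | unexpected_listeners | wc -l | tr -d ' '
}

# Stand-alone run: report the sample's unexpected listeners.
printf '%s\n' "$SAMPLE_SOCKETS" | unexpected_listeners
```

On the constructed sample this reports telnet (inetd), the network-facing sendmail socket, portmap and lpd, and stays quiet about the loopback-only sendmail socket. On a live Linux host, a pipeline along the lines of `ss -Hltn | awk '{print "tcp", $4, "-"}' | unexpected_listeners` (assumed iproute2 column layout) feeds real data into the same function; the allowlist is the part to adapt per role.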