“Linux people do what they do because they hate Microsoft. We do what we do because we love Unix."
– Theo de Raadt
Introduction to OpenBSD #
OpenBSD is an Open Source and standards compliant Unix-like operating system. The OpenBSD operating system provides all the features that are expected from a modern operating system, such as preemptive multitasking, memory protection, virtual memory, multi-user facilities, SMP support and all the Open Source development tools for different languages and frameworks. Additionally, OpenBSD has a very powerful and elegant base system which allows the user to perform multiple popular tasks and functions without the need to install additional software. OpenBSD is particularly known for the following strengths:
Security features and record #
OpenBSD takes a proactive approach to security. If a bug is found in one part of the codebase, the whole codebase is scanned for other occurrences of that same bug. There have been only 2 official remotely exploitable security holes for standard installations. The first one was in OpenBSD 3.1 and was an integer overflow in OpenSSH. The second was a buffer overflow caused by malformed ICMPv6 packets.
Documentation for the OpenBSD project is considered of the same importance as the code it documents. An error in the documentation is seen as just a big of an issue as a bug in the code. This has led to high quality man pages for both programs as well as configuration files. Whereas “man httpd” will show the default OpenBSD webserver, “man httpd.conf” will show documentation regarding the configuration of the httpd webserver.
Adherence to the Unix philosophy #
The history of all BSDs is linked with the history of Unix. The Unix operating system first emerged in the early 70’s and it introduced a certain philosophy towards building operating systems. The Unix philosophy has withstood the test of time and can be observed in a whole range of operating systems from the biggest mainframes to the smallest computing devices. Not only are Unix based operating systems powering pretty much all of the internet in the form of web, name, mail, and caching servers, they also have an almost full monopoly on smartphones with Apple’s iOS and Google’s Android operating systems. A more in depth description of the Unix philosophy can be found below.
The Unix Philosophy #
The Unix philosophy has been described in multiple ways. What follows are a short version by Peter H. Salus, and a more extensive version by Eric S. Raymond.
The short version:
- Write programs that do one thing and do it well.
- Write programs to work together.
- Write programs to handle text streams, because that is a universal interface.
The longer version is:
- Rule of Modularity: Write simple parts connected by clean interfaces.
- Rule of Clarity: Clarity is better than cleverness.
- Rule of Composition: Design programs to be connected to other programs.
- Rule of Separation: Separate policy from mechanism; separate interfaces from engines.
- Rule of Simplicity: Design for simplicity; add complexity only where you must.
- Rule of Parsimony: Write a big program only when it is clear by demonstration that nothing else will do.
- Rule of Transparency: Design for visibility to make inspection and debuggingeasier.
- Rule of Robustness: Robustness is the child of transparency and simplicity.
- Rule of Representation: Fold knowledge into data so program logic can be stupid and robust.
- Rule of Least Surprise: In interface design, always do the least surprising thing.
- Rule of Silence: When a program has nothing surprising to say, it should say nothing.
- Rule of Repair: When you must fail, fail noisily and as soon as possible.
- Rule of Economy: Programmer time is expensive; conserve it in preference to machine time.
- Rule of Generation: Avoid hand-hacking; write programs to write programs when you can.
- Rule of Optimization: Prototype before polishing. Get it working before you optimize it.
- Rule of Diversity: Distrust all claims for “one true way”.
- Rule of Extensibility: Design for the future, because it will be here sooner than you think.
History of Unix/BSD #
Click to show an overview of the Unix-based family of Operating Systems
One of the explicitly stated goals of the OpenBSD project is to support as many different systems and hardware as feasible. Support means that the release media has been tested, most of the basic tools are present for the architecture, and that the code can self-compile itself. One of the added benefits of supporting a large amount of different architectures is that a bug in for example the compiler manifest may itself on one lesser used architecture but not in a more popular one. The result is an improvement in code quality by exposing bugs to developers that might otherwise not have been found.
The goal is to implement hardware support in such a way that for the vast majority of users the system just works. OpenBSD currently provides support for 13 distinct architectures.
Click to show an overview currently supported architectures
- Digital Alpha (alpha)
- AMD64 (amd64)
- 64-bit ARM (arm64)
- ARM v7 (armv7)
- HP Precision Architecture (hppa)
- Intel i386 (i386)
- IO-DATA Landisk (landisk)
- Loongson 2E/2F (loongson)
- Omron LUNA88K(2) (luna88k)
- Apple PowerPC (macppc)
- Cavium Octeon MIPS64 (octeon)
- IBM POWER PowerNV (powerpc64)
- Sun UltraSPARC and Fujitsu SPARC64 (sparc64)
Permissive Open Source license #
The licenses in used by the OpenBSD project and its various subprojects are very permissive and short enough to include in their entirety on this page.
OpenBSD license #
Click to show the OpenBSD license
Copyright (c) YYYY YOUR NAME HERE <firstname.lastname@example.org> Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
3-clause BSD license #
Click to show the 3-clause BSD license
Copyright (c) <YEAR> <OWNER> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the University of California, Berkeley nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
ICS license #
Click to show the ICS license
Copyright <YEAR> <OWNER> Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Other Major BSD distributions #
As shown in the history graph above, Unix comes in many distinct flavours and one of those flavours is the Berkeley Software Distribution, or BSD for short. Separating one Unix operating system from other Unix based operating systems can be done based on the license in use, the kernel (design), user space tools, and ancestry. Inversely and as such, the various BSD distributions share a common ancester, use a BSD kernel in one form or another, use the BSD user space tools (as opposed to GNU tools), and generally use the ICS or BSD license for the code they write. The specifics of some of the other BSD distributions can be found below.
FreeBSD is an operating system for a variety of platforms which focuses on features, speed, and stability. It is derived from BSD, the version of UNIX® developed at the University of California, Berkeley. It is developed and maintained by a large community.
- FreeBSD offers advanced networking, performance, security and compatibility features today which are still missing in other operating systems, even some of the best commercial ones.
- FreeBSD makes an ideal Internet or Intranet server. It provides robust network services under the heaviest loads and uses memory efficiently to maintain good response times for thousands of simultaneous user processes.
- FreeBSD brings advanced network operating system features to appliance and embedded platforms, from higher-end Intel-based appliances to ARM, PowerPC, and MIPS hardware platforms. From mail and web appliances to routers, time servers, and wireless access points, vendors around the world rely on FreeBSD’s integrated build and cross-build environments and advanced features as the foundation for their embedded products. And the Berkeley open source license lets them decide how many of their local changes they want to contribute back.
- With over 24,000 ported libraries and applications, FreeBSD supports applications for desktop, server, appliance, and embedded environments.
- FreeBSD can be installed from a variety of media including CD-ROM, DVD, or directly over the network using FTP or NFS. All you need are these directions.
- FreeBSD is free
The NetBSD Project is an international collaborative effort of a large group of people, to produce a freely available and redistributable UNIX-like operating system, NetBSD. In addition to their own work, NetBSD contains a variety of other free software, including 4.4BSD Lite2 from the University of California, Berkeley.
One of the primary focuses of the NetBSD project has been to make the base OS highly portable. This has resulted in NetBSD being ported to a large number of hardware platforms. NetBSD is also interoperable, implementing many standard APIs and network protocols, and emulating many other systems' ABIs.
- NetBSD provides a well designed, stable, and fast BSD system.
- NetBSD avoids encumbering licenses.
- NetBSD provides a portable system, which runs on many hardware platforms.
- NetBSD interoperates well with other systems.
- NetBSD conforms to open systems standards as much as is practical.
HardenedBSD is a fork of FreeBSD, founded in 2014, that implements exploit mitigations and security hardening technologies. The primary goal of HardenedBSD is to perform a clean-room re-implementation of the grsecurity patchset for Linux to HardenedBSD.
HardenedBSD has successfully implemented the following features:
- PaX-inspired ASLR
- PaX-inspired NOEXEC
- PaX-inspired SEGVGUARD
- Base compiled as Position Independent Executables (PIEs)
- Base compiled with full RELRO (RELRO + BIND_NOW)
- Hardening of certain sensitive sysctl nodes
- Network stack hardening
- Executable file integrity enforcement
- Boot process hardening
- procs/linprocfs hardening
- LibreSSL as an optional crypto library in base
- Trusted Path Execution (TPE)
- Randomized PIDs
- SafeStack in base
- SafeStack available in ports
- Non-Cross-DSO CFI in base
- Non-Cross-DSO CFI available in ports