We recently reported that Theo de Raadt (deraadt@) was scheduled to present at CanSecWest. That's now happened, and slides of Theo's presentation, Synthetic Memory Protections, can be found in the usual place. Video is available on the bird site.
In a late-stage addition prior to the release of OpenBSD 7.3, Mark Kettenis (kettenis@) has committed [more] aggressive randomisation of the stack location for all 64-bit architectures except alpha: Read more…
One small but significant step for routing security on the Internet happened on Sunday, 19 March 2023 with the release of version 8.3 of rpki-client. The announcement reads,
With a message to openbsd-announce and other lists, Brent Cook (bcook@) announced the release of LibreSSL 3.7.1, with numerous improvements. It is worth noting that this is the final version to be released before the upcoming OpenBSD 7.3 release. The announcement reads,
Crystal Kolipe has written up more of her work on the console. This time, it regards bugs in the handling of UTF-8: ExoticSilicon.com - fixing cringeworthy bugs in the OpenBSD console code. As Crystal pointed out in her email to Undeadly, Miod Vallat (miod@) has committed fixes.
Wladimir Palant has written an article on the use of OpenSMTPD filters, and provided code under an MIT license for those who may wish to utilize the techniques described therein.
The OpenBSD installer now has basic support for configuring disk encryption during the regular installation process. Previously, disk encryption needed to be set up manually by dropping to the shell from the installer. Initial support, likely to be expanded upon, was committed by Klemens Nanni (kn@) on March 7, 2023. The commit reads,
Another piece from Florian Obser (florian@) just came out, titled Dynamic host configuration, please. In the article, Florian details the steps to modern OpenBSD dynamic host configuration, including interface configuration, name resolution, routing and more. We also get an explanation of the various userland programs (most of them portable, some OpenBSD-specific) that make a modern OpenBSD laptop shine. You can read the full piece here, Dynamic host configuration, please.
It's that time of the year again. With this commit, Theo de Raadt (deraadt@) changed the version string for the development branch of OpenBSD to 7.3-beta. The commit reads,
We all know that OpenBSD is led from Canada, but what is the status of the project in that country by and large? Bringing up the subject, Katie McMillan wrote in, saying
Theo de Raadt (deraadt@) posted to tech@ a message entitled pinsyscall, execve, and rop pivots, etc. It explains pinsyscall(2), OpenBSD's latest security innovation. We reproduce the posting below with added links: Read more…
Florian Obser wrote an extensive piece with great attention to detail titled: Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD.
Following a wide-ranging thread on misc@ with the subject Safely remove USB drive, Crystal Kolipe wrote an article about how OpenBSD handles removable media, centered around the eject(1) command, also known as mt(1). The article leads in,
At the recently-concluded FOSDEM 2023 conference, Stefan Sperling (stsp@) presented a talk on Game of Trees. Video and slides of Stefan's presentation are now available.
As part of her efforts in developing patches for the console (many of which have been committed recently), Crystal Kolipe created some patches for taking screenshots of the OpenBSD console. She wrote an in-depth article, Coding new ioctls to produce screendumps from the console, about her work. We will look forward to further development and refinement on this.
Support for execute-only (xonly) code (on which we reported earlier) has been committed to -current by Theo de Raadt (deraadt@). The commits were: Read more…
As with library order randomisation (libc.so/libcrypto/ld.so) at boot and kernel relinking at boot, boot-time relinking of sshd(8) is now implemented in -current. Theo de Raadt committed the changes: Read more…
On the tech@ mailing list, Theo de Raadt (deraadt@) has issued a request for testing of patch(es) for execute-only (xonly) binaries on amd64. The message is quite long, but well worth reading in its entirety for those interested. Selected highlights include:
A rewritten version of vmd(8)'s BIOS memory map handling could soon be appearing in -current. In a recent post to tech@, supplemented by an accompanying post to ports@ since the changes touch on SeaBIOS, Dave Voutila (dv@) describes the changes and the motivation for them, i.e.
Following the recent discovery of a security issue in FreeBSD's ping(8), OpenBSD developer Florian Obser (florian@) wanted to know if something similar lurked in the OpenBSD code as well. The result of his investigation can be found in the article called Fuzzing ping(8) … and finding a 24 year old bug., which leads in,
The OpenBSD Foundation, which is central to funding the OpenBSD project, needs your help to reach its 2022 Fundraising Goal of $300,000.At the time of writing, the amount raised in 2022 stands at a little over 50% of the stated goal.The Foundation needs your help to sustainably fund the project. Please head over to the Foundation's donations page, and make sure you drag your employer over there too!With about 30 days left in 2022, we know we can do it!
It started with a thread on misc@ with the subject "Locking network card configuration", where the problem description is: when two or more network interfaces are attached to the same USB bus, their numbering may not be entirely predictable. The question is, what workarounds are possible?

The thread, where several developers offered their insights, soon migrated to tech@ with the subject switched to "lladdr support for netstart/hostname.if (was: Re: Locking network card configuration)" and later "lladdr support for netstart/hostname.if". It turned up several suggestions, with several patches, and potential support for link-level address (MAC address) tied configuration via a new hostname.MAC(5) file to supplement the more familiar hostname.if(5) config file, complete with corresponding ifconfig(8) options.

Please read the messages and patches, and if you have useful input for the developers on this, please chime in via tech@ or in comments here if you prefer. Once again, an interesting feature that may materialize for testing in snapshots in the near future.
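The core of the workaround discussed in that thread is to address an interface by the identity of the hardware (its link-layer address) rather than by the name the kernel assigns in probe order. The script below is an added example, not code from the tech@ thread, from netstart(8) or from any hostname.MAC proposal: it resolves a MAC address to whichever ifname currently carries it and renders the ifconfig(8) command a netstart-like script would run for a hostname.if-style line. It runs offline against a constructed, embedded copy of `ifconfig -a` output (the interface names, MACs and addresses in it are made up), and the config-line format it accepts is an assumption, not the format any eventual hostname.MAC(5) would use.

```shell
#!/bin/sh
# Added example: address a network interface by its link-layer (MAC) address
# instead of by its enumeration-order name. Not part of OpenBSD's netstart(8).

# Constructed sample of `ifconfig -a` output (not captured from a real host).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	index 3 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
ure0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:e0:4c:68:01:02
	index 4 priority 0 llprio 3
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
axen0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:0e:c6:aa:bb:cc
	index 5 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier'

# find_if_by_lladdr IFCONFIG_OUTPUT MAC
# Prints the name of the interface whose lladdr matches MAC (case-insensitive),
# exit status 1 if no interface carries that address. On a live OpenBSD host
# the first argument would be "$(ifconfig -a)".
find_if_by_lladdr() {
	printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-F' 'a-f')" '
		# A line like "ure0: flags=..." starts a new interface block.
		/^[a-z]+[0-9]+:/ { cur = substr($1, 1, length($1) - 1) }
		# The indented "lladdr xx:xx:..." line belongs to the current block.
		$1 == "lladdr" && tolower($2) == want { print cur; found = 1; exit }
		END { exit found ? 0 : 1 }'
}

# render_if_config IFCONFIG_OUTPUT MAC CONFIG_LINE
# Resolves MAC to an ifname and prints the ifconfig(8) command for a
# hostname.if-style CONFIG_LINE (e.g. "inet 192.0.2.10 255.255.255.0").
# Fails, printing nothing on stdout, when the hardware is not present, so a
# caller never configures a different card that happened to get the name.
render_if_config() {
	ifn=$(find_if_by_lladdr "$1" "$2") || {
		echo "no interface currently has lladdr $2" >&2
		return 1
	}
	printf 'ifconfig %s %s\n' "$ifn" "$3"
}

# Demonstration on the constructed sample: the same config line follows the
# hardware whether the card comes up as ure0, ure1 or anything else.
find_if_by_lladdr "$SAMPLE_IFCONFIG" 00:e0:4c:68:01:02
render_if_config "$SAMPLE_IFCONFIG" 00:0E:C6:AA:BB:CC "inet 192.0.2.10 255.255.255.0"
```

The only OpenBSD-specific assumption is the shape of `ifconfig -a` output (the `name:` block header and the indented `lladdr` line), which is what a hostname.MAC-style mechanism would also have to key on; everything else is POSIX sh and awk. Note that a MAC address is an identifier, not a secret: this ties configuration to a particular card, it does not authenticate one.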
In a recent message to the tech@ mailing list, Theo de Raadt (deraadt@) summarized the state of the new memory protections work. The thread also includes a followup from Otto Moerbeek (otto@) on consequent changes to the memory allocation mechanisms. Theo writes,