If you run recent OpenBSD on certain amd64 or aarch64 platforms, indirect branching to an "unexpected" location will crash your program, in order to prevent ROP attacks and similar ways to have your program execute code where it shouldn't. The OpenBSD compiler will insert an extra instruction in all the places where a branch is supposed to land, and if it lands anywhere else, a CPU fault is raised and your program gets an "Illegal Instruction". Previously, crashes of this kind have looked more or less like any other kind of fault where code is executing random data or from random locations, but since the kernel knows when this has happened, we can make it explicit that the fault is due to missing branch target instructions, which will help a lot when debugging. Link to the commit here.
Rafael Sadowski (rsadowski@) has added a new post to his Shut up and hack series, titled Effortless OpenBSD Audio and Desktop Screen Recording Guide, where he takes the reader through the steps needed to configure your OpenBSD system for audio and video recording. The post even includes a YouTube video where he demonstrates recording while he is putting final touches on the blog post. You can take in the blog post here: Effortless OpenBSD Audio and Desktop Screen Recording Guide.
While you were likely busy celebrating the new year, OpenBSD developer Solene Rapenne (solene@) found the time to write an article detailing various OpenBSD workstation hardening tips. It's a useful collection of things you could do to secure your environment and customize your setup to best fill your needs. Enjoy!
In a message to the tech@ mailing list, Theo de Raadt (deraadt@) gave a summary of progress so far, along with a patch for testing what will likely be the next steps in the process. The message leads in,
As announced by Damien Miller, OpenSSH 9.6/9.6p1 has been released. The complete release notes may be found here: https://www.openssh.com/releasenotes.html#9.6. Among notable changes, this release includes a fix for the Terrapin Attack.
Theo de Raadt (deraadt@) posted to tech@ regarding restrictions on the addresses from which system calls can be made. In addition to providing background, the post contains information (and a patch) for an imminent change - the introduction of a new syscall, pinsyscalls(2) [link not working at the time of writing because change not yet committed], which specifies the addresses from which individual system calls are permitted. pinsyscalls(2) will be called only from the shared library linker, ld.so(1).
As announced on the misc@ mailing list, Otto Moerbeek (otto@), the author of OpenBSD's malloc(3) implementation [a.k.a. "otto malloc"], has written a tutorial on the new malloc(3) leak detection available in OpenBSD 7.4. Read it at: OpenBSD's built-in memory leak detection. Since the publication of that write-up, Otto has committed further enhancements:
The OpenBSD project has announced the release of OpenBSD 7.4, the 55th release of the OpenBSD operating system. The new release contains a number of innovations and improvements across a number of areas, including
Rafael Sadowski (rsadowski@) blogged about his participation in p2k23. Perhaps most notable is his work in porting KDE Plasma. Read all about it at https://rsadowski.de/posts/2023-10-09-p2k23-dublin-openbsd-hackathon/. There is some further discussion of the work in a thread titled NEW: KDE Plasma (x11/kde-plasma) on the ports@ mailing list.
Version 8.6 of rpki-client, the FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP), has been released. This version includes new compliance checks, random shuffling of processing of Manifest entries, and [non-random!] code shuffling. See the announcement for more details. This is another hint that a new OpenBSD release is about to happen, and soon.
Many OpenBSD sysadmins find the sysclean(8) port useful for removing obsolete files following upgrades. Sebastien Marie (semarie@), the author of sysclean(8), has written a piece giving an under-the-hood look at the operation of this handy utility. It's well worth reading for those interested in understanding how it works!
Frederic Cambus (fcambus@) wrote a blog post about running OpenBSD on the arm64-based cloud servers provided by Hetzner. For now, only -current will work, because the new viogpu(4) driver [on which we reported earlier] is needed. Head on over to Frederic's blog for the full story!
EuroBSDCon 2023 has now ended, and slides for many of the OpenBSD developer presentations are now available in the usual place. Video of the presentations can be expected somewhat later. Slides from the tutorial "Network Management with the OpenBSD Packet Filter Toolset" are also available.