

Exploit Mitigation Techniques (2013) - willvarfar
http://www.openbsd.org/papers/ru13-deraadt/mgp00001.html

======
nullc
I'll leave this link here as offering a contrasting view of openbsd's security
posture, and talks about an orthogonal set of security features:
[http://allthatiswrong.wordpress.com/2010/01/20/the-
insecurit...](http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-
of-openbsd/)

~~~
hhw
I remember when that article came out. The basic premise is that it defines a
secure OS as something that requires an add-on security framework (resulting
in additional complexity), and concludes that OpenBSD is not secure because it
doesn't meet this definition. It's a pretty disingenuous argument. The
author's knowledge and understanding of OpenBSD are also quite obviously
shallow, given the examples he uses to make his points.

Yes, the approach of security through simple correctness is indeed difficult,
but OpenBSD has been doing a pretty darn good job at it for a very long time.
At the very least, its highly successful track record demonstrates how their
approach has been more effective than any added security framework approach,
in the real world. And other operating systems have come around to adopting
OpenBSD's security features and techniques, rather than the other way around.

~~~
ams6110
Also these frameworks are frequently disabled. There are MANY widely used
software products, for which step 1 in the installation instructions is
"disable SELinux." The majority of the security features described in the OP,
by contrast, do not need to be disabled to get mainstream software products to
work.

~~~
lmz
I personally find if SELinux "just works" for the purposes then it is great.
However if I want to integrate a third party software product into the
existing policies I don't know where to start with it. e.g. if I have a daemon
xyzd that wants to write to a pid file and to its log file, and have read
write access to its own data, how do I write a policy to confine it?

------
BorisMelnik
Saving this URL:

[http://www.openbsd.org/papers/ru13-deraadt/mgp00004.html](http://www.openbsd.org/papers/ru13-deraadt/mgp00004.html)

for the next time someone asks me what a buffer overflow is.

I feel like this is a better explanation than any other I've seen.

------
brownbat
Wow, based on how pioneering a lot of this work has been over the last decade,
you'd almost expect OpenBSD was the most frequently targeted OS.

Maybe they compensate for infrequent targeting by having a lot of really smart
people on the project.

------
dfc
Good interview with Theo recorded as part of ruBSD:
[https://www.youtube.com/watch?v=OXS8ljif9b8](https://www.youtube.com/watch?v=OXS8ljif9b8)

------
cauterize
Despite the poor image quality, this is from 2013.

~~~
kchoudhu
I thoroughly enjoyed the material in the presentation. What else matters?

------
EGreg
Comic Sans? fail.

As soon as I saw Comic Sans, I realized this article was not worth reading,
the information was going to be completely pointless and the author is
completely unqualified to give a talk or worthy of any attention. Then I
decided to make the only critique of the paper that a reasonable person would
ever make, and I wrote it above.

~~~
brownbat
The quality of the material quickly wore down my skepticism. Actually, Comic
Sans is in danger of becoming the new shibboleth for OpenBSD security wizards:

[http://www.libressl.org/](http://www.libressl.org/)

~~~
dfc
By "new" you mean the standard font used in Theo's and other OpenBSD
developer's magicpoint presentations going back to at least 2003?

vether(4), 2010 --
[http://www.openbsd.org/papers/asiabsdcon2010_vether/mgp00001...](http://www.openbsd.org/papers/asiabsdcon2010_vether/mgp00001.html)

OpenBSD release Process, 2009 --
[http://www.openbsd.org/papers/asiabsdcon2009-release_enginee...](http://www.openbsd.org/papers/asiabsdcon2009-release_engineering/mgp00001.html)

Exploit Mitigation, 2005 --
[http://www.openbsd.org/papers/ven05-deraadt/mgp00001.html](http://www.openbsd.org/papers/ven05-deraadt/mgp00001.html)

Exploit Mitigation Techniques, 2004 --
[http://www.openbsd.org/papers/bsdcan04/mgp00001.html](http://www.openbsd.org/papers/bsdcan04/mgp00001.html)

Exploit Mitigation, 2003 --
[http://www.openbsd.org/papers/pacsec03/e/mgp00001.html](http://www.openbsd.org/papers/pacsec03/e/mgp00001.html)

OpenBSD und Openssh, 2003 --
[http://www.openbsd.org/papers/cebit2003/mgp00001.html](http://www.openbsd.org/papers/cebit2003/mgp00001.html)

~~~
brownbat
Touche, excellent selection of links.

I've apparently not followed OpenBSD for the last decade at my peril.

I somehow suspected this day would come. :)

~~~
dfc
no worries. Anyone that uses shibboleth correctly in a sentence is fine by me.

