skip to content W3C SVG

Development practises

OpenBSD got no continuous integration system, and apparently build breakage are, according to the FAQ, happening from time to time:

Do not report source tree compilation problems, unless they persist. They are almost always your mistake, or they are being worked on as you encounter them. People working on the project are doing make build at least once per day, and usually several times per day with different architectures.

For example, recently, -current was panicking, for ~15h, between those two commits.

There is no bug tracker either, only the sendbug tool, to send emails to openbsd-bugs.

There is no mandatory public review either: apparently the best practice™ is to send a diff to openbsd-tech@, and hope that people will reply. There is no way, beside manually searching on the mailing list, to see what commit what reviewed by whom. From time to time, there is a “ok bob” in commits, to indicate that bob validated the changes, but those reviews are usually happening in private. This is completely backwards compared to the modern practises.

Apparently, in 2006, there were 114 people with the commit bit, with around 25 being slackers. There is no publicly available list of people able to directly push into the codebase.

There is a code style, but since it’s not automatically enforced, if only because there is no CI.

The VCS used is CVS, the Concurrent Versions System:

CVS is the popular version control system in the free software community, used by *BSD, many Linux projects, Netscape and others.

The last stable release was done in May 2008, and is under GPL, a license disliked by OpenBSD. Apparently, there is OpenCVS, to be released soon, but it hasn’t seen much activity since 2017. On the bright side, some OpenBSD folks have been working on their own git implementation: game of trees. Maybe one day OpenBSD will move away from CVS…

There is a long changelog available for each release, but on has to resort to cvs log to find in what commit a specific bug was fixed or a feature added.

Mitigations design

In 2023, in his CanSecWest talk, De Raadt said:

At least 2 attacks have manipulated mmap(2) or mprotect(2) to change a permission, perform a memory operation, and continued to control/escalation

Apparently, one of them was an iPhone exploit, likely the talk from Charlie Miller and Vincenzo Iozzo, at BlackHat 2009, about bypassing code signature, which isn’t a thing on OpenBSD. He also mentioned how iPhones are restricting syscalls to the text segment, which is also not a thing.

He said said, on slide 27, in the context of MAP_STACK and syscall protection:

Increasing exploitation difficulty is a valid strategy

This sounds like a classic case of mitigator instead of properly designed mitigations

During the talk, on the “code can only be read if it has been executed once” implementation for execute-only memory, “I don’t know if this is going to stop an attack in the future, but who knows.”

He also mentioned:

Chrome […] wants to protect the v8 flags page, so that the flags can’t be changed after startup, because that’s a very juicy target, for your JITs to go and modify, because they know where it is. So they mprotect it. Bug guess what, what if you can make your JIT go and make it writeable, you’d be able to change your flags, and carry on."

and

I want to make an observation here, that I don’t here from anybody in the attack surface out here. Quite often, when a program crashes, crashes in this way, and the BROP code starts, you’re executing inside one particular .so, okay? But if the tools that you need to use are not inside that same .so, you have to know what the other .so is. So for example, if you crash inside libcrypto, but libcrypto doesn’t allow you do to system calls, you now have to do BROP, you now have to do ROP code, to determine where your libc is, so you can do system calls from there. I don’t know why no one’s talking about this. I think people on the ROP side should think about this.

This rambling shows an worryingly haphazard comprehension of the exploitation/mitigation terminology and techniques.

When not straight up lying, when talking about the latest openssh pre-auth double-free:

I think the way they [Qualys] explained it is that they have a 33 in a million chances of succeeding at actually, getting control of the PC.

While it’s actually 1 chances in 43690 times, as Qualys said on oss-sec. He also conveniently forgot to say that OpenBSD malloc made exploitation easier, compared to the glibc one.

To the question “What was the inspiration for all this? For the immutable flag, execute-only, … Where do the ideas come from? Was there any inspiration here? “, De Raadt answered “Yeah, … I don’t know.” which is worrying at best.

A proper way to design mitigations would be something like the ECCO framework:

  • Effectiveness: How easy is it to bypass mitigation/security boundary?
  • Cost: How expensive is it, both in terms of initial effort and maintenance?
  • Coverage: How many different types of vulnerabilities does it cover?
  • Overlap: Does it break the kinds of attacks performed by real attackers?

Halvar Flake wrote a nice little summary about this in July 2019 as well:

Before you ship a mitigation:

  1. Have a design doc for a mitigation with clear claims of what it intends to achieve. This should ideally be something like “make it impossible to achieve reliable exploitation of bugs like CVE1, CVE2, CVE3”, or similar; claims like “make it harder” are difficult to quantify. Use exploit equivalence classes. If you can’t avoid such statements, quantify them: “Make sure that development of an exploit for bugs like CVE4, CVE5 takes more than N months”.
  2. Pick a few historical bugs (ideally from the design doc) and involve someone with solid vuln-dev experience; give him a 4-8 full engineering weeks to try to bypass the mitigation when exploiting historical bugs. See if the mitigation holds, and to what extent.
  3. When writing the code for the mitigation, especially when it touches kernel components, have a very stringent code review with review history. The reviewer should question any unwarranted complexity and ask for clarification.

Follow good coding principles:

  • avoid functions with hidden side effects that are not visible from the name etc.
  • the stringency of the code review should at least match the stringency of a picky C++ readability reviewer, if not exceed it.

He also gave a great keynote at BSides Zurich 2017 on the topic: Repeated vs. single-round games in security.

While every player in the industry (Chrome, PaX’ RAP, …) moved their threat model to “arbitrary read/write at arbitrary time concurrently”, most (if not all) OpenBSD home-brewed mitigations are falling apart, by design, in this threat model.

Moreover, instead of endlessly chasing down imaginary exploits, in the words of Saar Amar:

In my opinion, for a mitigation to have high ROI, it should target 1st order primitives rather than specific exploitation techniques (i.e., we should aim to kill bug classes). Or at least, we should aim to get as close to the 1st order primitive as possible.

Code reviews

OpenBSD claims that they have “between six and twelve members who continue to search for and fix new security holes”, but it seems that this doesn’t prevent low-hanging bugs from entering the codebase, for example:

  • In August 2016, OpenBSD fixed a couple of integer overflows in its memory mapping code. This should have been detected by using something like UBSAN.
  • In 2017, OpenBSD realised that it forgot to initialize variables before using them in ptrace, fcntl, and ELF binaries. This should have been caught with ASAN, trivial static analysis, or systematically initializing variables, like Windows' InitAll or clang’s -ftrivial-auto-var-init.
  • In 2017, OpenBSD got the TCB mapping wrong, fixed it wrongly, and fixed it again one month later, when the original reporter highlighted the flaw.
  • In August 2019, OpenBSD fixed a denial of service in OpenSMTPD, caused by a textbook misuse of vsnprintf.
  • In October 2019, OpenBSD realised that their dhcp server was leaking memory over the wire, again due to unitialized memory.
  • The 5th December 2019, Qualys published multiple proof of concepts for an authentication bypass, based on an option injection issue, meaning that no OpenBSd developers thought about usernames with a leading dash.
  • In December 2019, Qualys published a local privilege escalation via OpenBSD’s dynamic linker: environment variables weren’t correctly sanitized in an artificially constrained environment.
  • In 2020, Qualys found an other remote code execution in OpenSMTPD present since one year: a shell injection, for which they “drew inspiration from the Morris worm (https://spaf.cerias.purdue.edu/tech-reps/823.pdf)”, the one from 1988. Interestingly, the author of OpenSTMPD wrote a blogpost about the issue, and the possible future mitigations.
  • In February 2020, Maxime Villard reported a couple of severe issues in OpenBSD’s hypervisor, granting arbitrary write from guest to the host’s kernel. They weren’t correctly fixed.
  • May 2021, Maxime Villard reported an other trivial guest-to-host vulnerability via a hilarious arbitrary r/w.

Moreover, code audit from the OpenBSD members only focuses on OpenBSD software, not on software in ports that people are installing.

Security advisories

OpenBSD is publishing security issues on its Errata pages, but doesn’t provide much context nor analysis. For example, this is OpenBSD’s CVE-2019-19519 advisory:

untrusted comment: verify with openbsd-66-base.pub
RWSvK/c+cFe24Icv2ypHJly8sKJfGTilSEiQVVkDejBzxQaH/xYrNbwM/DexJBiNT0QBg1IKTeswHou4vAmT75O/s+KMmlb4swI=

OpenBSD 6.6 errata 012, December 8, 2019:

A user can log in with a different user's login class.

Apply by doing:
    signify -Vep /etc/signify/openbsd-66-base.pub -x 012_suauth.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install su:
    cd /usr/src/usr.bin/su
    make obj
    make
    make install

Index: usr.bin/su/su.c
===================================================================
RCS file: /var/cvs/src/usr.bin/su/su.c,v
retrieving revision 1.77.2.1
diff -u -p -r1.77.2.1 su.c
--- usr.bin/su/su.c	4 Dec 2019 09:52:22 -0000	1.77.2.1
+++ usr.bin/su/su.c	6 Dec 2019 20:46:25 -0000
@@ -172,6 +172,8 @@ main(int argc, char **argv)
 		err(1, "unveil");
 
 	for (;;) {
+		char *pw_class = class;
+
 		/* get target user, default to root unless in -L mode */
 		if (*argv) {
 			user = *argv;
@@ -207,11 +209,11 @@ main(int argc, char **argv)
 		}
 
 		/* If the user specified a login class, use it */
-		if (!class && pwd && pwd->pw_class && pwd->pw_class[0] != '\0')
-			class = strdup(pwd->pw_class);
-		if ((lc = login_getclass(class)) == NULL)
+		if (pw_class == NULL && pwd != NULL)
+			pw_class = pwd->pw_class;
+		if ((lc = login_getclass(pw_class)) == NULL)
 			auth_errx(as, 1, "no such login class: %s",
-			    class ? class : LOGIN_DEFCLASS);
+			    pw_class ? pw_class : LOGIN_DEFCLASS);
 
 		if ((ruid == 0 && !emlogin) ||
 		    verify_user(username, pwd, style, lc, as) == 0)

It doesn’t mention the CVE, the CVSS, if it’s remote or local, if and how is it possible to mitigate without patching, … also, it doesn’t provide a link to the (amazing) original report.

And this is true for all the security “erratas”: no context whatsoever.

Commit messages

OpenBSD’s commits tends to be short:

Length of commit message in OpenBSD1310.2039777615761413.35000003118980811904357.284543743192517.758413902303638287432.5508597341654444.80956451208217610755492.5045024321451690.6384653815691511805542.314945242321164.7210935962144742752384.8529548729593172.8567111858954511481563.5346615941648254.3559604963453211450551.7797585420358344.3145701842265710682511.07616193142167421.87766161619719883451.63303066383355477.558828685104349306382.8673300038758510.018068567149652802409.4907302104188334.656288652880058585312.73379198247625520.63734424999317867247.9346356852414512.8888913854197185192.15745919576128491.508977683476256297147.67178318114622461.73803233493885583114.41341254274033428.2635565521262635517262.0471146153327377.0787087911695464591.17119273693129394.9246031415282428875.45470847110056363.08834791488516382565.15982909422621332.52585094807387345359.29160399529951304.19273200974095332256.7622756637582277.375084735418619533195.24500567139057301.9481298342182306156.99410908023469251.99669024755133298259.549938016948886228.10438420730893277764.07946447118687205.65666710220066255870.06658114067645185.30383334003562235677.06866934985104167.0594918499464813734193.12042457483426240.01119642772338218084.76141670246889150.74266620637587201792.89580691958662136.167243514208451796101.1027690901943123.414936271729861692109.26556097526529112.197953134284521596117.51109098358637102.047561878994099281210.1944988090784200.40478822353231476125.6782222417984792.959671245561881379133.6527275484036284.875363857873961354141.6181700042540477.478262209092721288149.6128772006446570.658210023885231160157.2668582818651364.639488377250616657229.77409045289335177.738050808193631034164.31851448591159.49839835750029965170.893986785918955.02793301380893910177.1861142249058251.024008994031476936183.4932913056265747.26440326647301855189.714083491014343.79277246695234700246.86005416393263164.90164662697026787195.5009744239590640.76460040058558692200.7786143135266538.165380996554546691205.7669993859523235.84621810849316632210.584971840219933.72940891589823634215.2355422943897531.7978013013497223436260.3662724136989157.6719519297343574219.707976945107630.04110849467409543223.87243100994928.492404036542297552227.9805825695527827.0452336430929472231.8443213814839825.755911723765053463235.3899198367571224.6329758280446642604270.9297097376581153.4488361895334429238.7874607128023323.610247272909078387241.9077799573883622.716363254409686388244.8816805621959221.904427527095095380247.8382391932219421.13553878391002359250.691701863400720.4293509906630961943279.119575387318150.93954288434242326253.343803046200219.804337886056885315255.8314985079035819.245305704404643284258.1611641934179618.745529611457755268260.312105033042318.304361848130128259262.3691205545440517.9005630847908321452285.3398346338721149.45003327108606244264.3355070566575517.531022395468767233266.2028895742572617.194922441146105213267.951140935435116.89330995004846216269.6347060365751516.614738002291887222271.3554843269440716.342013687722841128290.1149289025117148.54067187845087203273.026941942081616.08868846817083173274.507069360949615.873861968938144193275.9490240380162615.673134850944336158277.3329427484951615.488411703105982161278.591557117347115.327139249115532888293.8694440783369147.9649822813075168279.8904547484833615.167408847372826156281.17040098839615.016657532237872131282.304807531017214.888554926361167138283.368580080311414.773123150816161130284.4288729290833514.662584008049521723296.88161754735717147.59043929046078138285.4896209861051414.556502026711598123286.5230826140447714.457476683433242104287.4222401817525614.3747911279196593288.2028007083506514.30562783606862492288.936005691058514.242873402095142550299.26792165417976147.34837166573598102289.7050722464702514.17935124603133188290.458465675988414.11940698714369193291.1763351552791614.06439025737057668291.8150110215300414.01716524581843368292.3546050946044413.978529802962186419301.08733319020996147.1960693315375672292.9101543457224513.93996021249964270293.473725136298113.90208568780360668294.021500190443913.86648059983798569294.56538081583313.83230620206282472295.1252164999001513.798354265962303351302.5346197249032147.0947688996090559295.6454136329163613.76791965534243944296.05446683738913.74474064386052448296.4198659849633413.72459573316709242296.7773494333843613.70539888942255449297.1388321028528613.68650175491527242303.64999117120226147.0286705735796661297.57582461725313.6643477599221853298.0287473918978713.64218364149533641298.402239356330613.62451708226643641298.728072460208613.60955547116267942299.0578984549154613.59483810869395238304.5532406533277146.9827653672991242299.391717473935513.58038053687164440299.717606516248613.56669136269437138300.027614626413413.55405886893504437300.32571370668213.54226985511451242300.6397261683625313.530231261666813199305.3758536093886146.946886289434639300.9617035437653413.51829182643825835301.2558687566268513.5077417034174832301.5222179310713413.49848403142797835301.788576685528113.48950621754380628302.039041901062313.481319696343888169306.0687576143675146.9210454061530424302.245781106506413.47474898583692533302.472405153466413.46774016333179719302.679155288500913.46152285141113221302.8381972643456413.45685503157196221303.005194455493913.452061193200109118306.6092440928614146.9036679493692633303.219909705981813.44605930988302629303.466440786720513.43939249102342623303.673213707876613.43398579325156622303.8521553208749413.42944301845747622304.0271235108798513.425123295208778129307.0744600900055146.8906602288105322304.20209463989213.42092430310580719304.365138491181313.41712027194557819304.516254459906813.41368819150457618304.663395632501213.41043295892907819304.810538669133213.40726310368609197307.5001645672972146.8803372106118329305.0014296294110613.40327808486554816305.1803925819230613.39967263158277411305.287771559030913.39756998060184411305.375266192397613.39589032571694821305.502532136008813.39350107762069888307.84866495423165146.8730100123101212305.6337763790017413.39110405618055218305.753090389299813.38898388493794314305.8803597511744713.38678424001494717306.003652983164413.3847142388410716306.134901706320213.38257655306344477308.15950641005617146.867327983144413306.2502423932575713.38075405275731117306.3695612046227613.37892390687466113306.4888808637984413.37714989623486912306.5883145416914313.37571443540693412306.683771394930113.37437306849906867308.43079746256075146.863026414090487306.7593417576555313.3733366326414978306.819002786435513.37253429913809610306.8905962676311713.37159002403501510306.97014488909513.37056453171180711307.0536712834428413.36951461701735946308.6436919674838146.860079884711410307.137198019023113.368492209612648307.208792628532613.3676377540498388307.2724324816964613.36689520406491714307.359937579926813.3659002707835848307.44744301620713.36493552733884448308.82079380344663146.85791623969818307.511083539883313.3642528580197968307.5747242328472513.3635861569825926307.630409974909613.36301589258920310307.694050974488713.3623791321927299307.769624866077313.36164371943186841308.9884780974294146.856108292266511307.8491765638820513.3608939276669797307.920773289850713.36024044798546110307.988392586785913.3596418299133869308.0639672809143713.3589941192020385308.119654019363613.35853126785269842309.14485996562763146.854633133408475308.159430322663713.358208145045759308.215117231372713.3577662525524663308.2628489436598313.357397218478072308.282737177456813.3572461053355773308.302625423041513.35709655163873322309.2654448092781146.853634650916328308.3463796042181613.3567730227587165308.398089162075213.356400401405413308.429910465809613.3561763357109568308.473664803832213.3558747638919339308.5412852449912313.35542354435898533309.3690731659684146.852873273654671308.581062030462413.3551665421690594308.600950438189513.35504038026133308.628794225496513.3548663734819973308.65266034398513.3547196575719345308.684481856576313.35452752955168916309.4613971340599146.85227024281142308.712325699678513.354362692404722308.728236475235713.354269872076944308.752102649410313.3541325129420445308.787901934641413.3539306847949324308.82370124800213.35373390931761217309.5235747494323146.85190409798254308.8555228829162613.3535632395328893308.8833668308419613.3534171783545055308.9151885050224613.3532539940194971308.9390547739562313.353134225677993308.9549656261270313.35305562769363516309.58575254596184146.851570130670444308.982809629176713.3529204828070933309.0106536468938413.3527883944860831309.0265645206171713.3527142877816521309.0345199592142613.3526776087030611309.0424753989578313.3526411791402510309.6347412296173146.851329668104482309.0544085607059513.3525870026382171309.066341724989413.3525333875469135309.090208061057513.3524278415969773309.1220298577294413.3522906068884314309.1498739437521413.3521738014181615309.6818458218512146.85111729088921309.1697625843929713.3520922403114353309.1856735014718513.3520281142496913309.2095398845541513.3519337965303751309.225450811493713.3518721656333811309.2334062764054513.3518417244597749309.7270663054147146.850930782962254309.253294942827813.3517667131609415309.289094556973113.35163562271122309.3169387138900713.3515371567077922309.332849665498913.3514822627630850309.3408051425867613.3514551900661913309.7685184743558146.850774768652682309.3487606205200713.3514283668862674309.3726270593121513.3513493944487321309.392515763910113.351285299514160309.3964935054293613.3512726676650860309.3964935054293613.3512726676650867309.80620230899956146.850645347640073309.40842673116913.3512351463936912309.428315444615213.3511738585274030309.436270931328913.3511497800361380309.436270931328913.3511497800361380309.436270931328913.3511497800361385309.8288126286175146.850573368262272309.444226418794213.351125951062131309.456159651383313.3510906754460733309.472070630725213.3510445146021081309.487981612931513.3509993518277670309.491959358923213.3509882170825457309.8514229613806146.850505643809923309.503892597939613.3509551871231622309.52378133304413.3509013847782971309.535714576110113.350869851923960309.539692324126813.3508594657313320309.539692324126813.3508594657313326309.8759175024457146.850437077221221309.5436700723061613.3508491419180471309.5516255691476313.3508286814297042309.563558815603313.3507984585427552309.5794698130642413.3507590346718532309.595380812966813.3507206088716838309.9022962540117146.85036882087563309.615269566183613.3506739801586321309.6311805713511413.350637800018123309.6470915787568313.3506026179488232309.666980341066113.3505600438999750309.6749358469142513.3505434509366989309.93432761436867146.850293724106361309.678913600032813.3505352480242722309.6908468601525313.3505110135638460309.698802367526713.3504951691543280309.698802367526713.3504951691543280309.698802367526713.3504951691543283309.95693799788813146.850245856002152309.70675787539413.3504795742626923309.7266466471677413.350441678674770309.7385799116367513.3504196898759630309.7385799116367513.3504196898759630309.7385799116367513.3504196898759635309.9720115917326146.850216307786471309.7425576666882413.3504124850353781309.750513177127313.350398262492691309.7584686880084613.3503842894680530309.762446443612513.3503773965250050309.762446443612513.3503773965250053309.98708518916555146.850188650654451309.7664241993240413.350370565961471309.774379711066113.350357091972911309.782335223226813.350343867502461309.7902907357984613.350330892550090309.7942684922358613.3503244986432044310.0002745896764146.850166001943762309.802224005409113.350311897967972309.8181350329216513.3502874451718871309.830068304545513.3502697605599680309.834046061936713.3502639904484110309.834046061936713.3502639904484115310.01723239384745146.850139009642871309.8380238194181413.3502582827163681309.8459793346466413.3502470543909622309.8579126081413.3502306797494161309.8698458823904513.3502148665238280309.873823640637613.3502097202077445310.0360744027374146.850111825276491309.8778013989652313.35020463627120309.8817791573718513.3501996147142280309.8817791573718513.3501996147142280309.8817791573718513.3501996147142280309.8817791573718513.3501996147142281310.04737961003616146.850096932970561309.8857569158567513.3501946555368251309.8937124330574313.3501849243206441309.9016679505593313.3501754426227141309.9096234683547713.3501662104430350309.9136012273600613.3501616879225654310.05680061715475146.850085335291421309.9175789864358413.3501572277816361309.925534504794713.350148494638490309.929512264075913.350144221636270309.929512264075913.350144221636270309.929512264075913.350144221636272310.06810582685415146.85007239316752309.9374677828368513.3501358627705710309.9454233018560713.3501277534231240309.9454233018560713.3501277534231240309.9454233018560713.3501277534231240309.9454233018560713.3501277534231242310.07564263397535146.850064356049221309.9494010614600413.3501237923187831309.95735658085213.3501160572488120309.961334340637913.350112283283210309.961334340637913.350112283283210309.961334340637913.350112283283212310.08317944158586146.850056791702431309.9653121004825513.3501085716971490309.9692898603849513.3501049224906860309.9692898603849513.3501049224906860309.9692898603849513.3501049224906860309.9692898603849513.3501049224906861310.088832047597146.850051428698631309.97326762034413.3501013356638231309.9812231404285413.3500943491488040309.98520090055213.3500909494606790309.98520090055213.3500909494606790309.98520090055213.3500909494606792310.09448465385424146.850046331628871309.9891786607282713.3500876121521230309.993156420956413.3500843372231370309.993156420956413.3500843372231370309.993156420956413.3500843372231370309.993156420956413.3500843372231371310.100137260345146.85004150049312310.0011119415642613.350077974503960310.009067462367813.350071861303150310.009067462367813.350071861303150310.009067462367813.350071861303150310.009067462367813.350071861303152310.1057898670567146.850036935291373310.0210007439227413.350063159348821310.0369117866078513.350052430057360310.040889547381813.350049903683470310.040889547381813.350049903683470310.040889547381813.350049903683474310.11709508109334146.850028602689971310.044867308194913.3500474396891780310.048845069046213.3500450380744550310.048845069046213.3500450380744550310.048845069046213.3500450380744550310.048845069046213.3500450380744551310.12651609335546146.85002247143171310.052822829934613.350042698839361310.0607783518190713.3500382075079360310.0647561128131413.3500360554116360310.0647561128131413.3500360554116360310.0647561128131413.3500360554116362310.13216870093333146.850019147255521310.0687338738405313.3500339656949050310.0727116349001413.3500319383578020310.0727116349001413.3500319383578020310.0727116349001413.3500319383578020310.0727116349001413.3500319383578021310.1378213086613146.850016089013371310.076689395991113.3500299734002680310.080667157112313.3500280708223330310.080667157112313.3500280708223330310.080667157112313.3500280708223330310.080667157112313.3500280708223331310.1415897138905146.850014197926441310.0846449182629413.3500262306240240310.0886226794418713.3500244528052860310.0886226794418713.3500244528052860310.0886226794418713.3500244528052860310.0886226794418713.3500244528052861310.14535811917716146.850012425032451310.0926004406482513.3500227373662030310.09657820188113.3500210843066610310.09657820188113.3500210843066610310.09657820188113.3500210843066610310.09657820188113.3500210843066611310.1491265245176146.850010770331351310.1005559631392413.3500194936267462310.1124892470566613.3500150958645631310.1244225311678513.3500112595188510310.128400292576713.3500101054961530310.128400292576713.3500101054961534310.15854753807946146.85000715067271310.1323780540031413.3500090138530541310.14033357690513.3500070177056780310.1443113383784313.3500061132014030310.1443113383784313.3500061132014030310.1443113383784313.3500061132014032310.16985275468505146.850003782173991310.1482890998655613.3500052710767250310.152266861365413.3500044913316460310.152266861365413.3500044913316460310.152266861365413.3500044913316460310.152266861365413.3500044913316461310.1755053630942146.850002496825821310.1562446228769513.3500037739661930310.160222384399313.3500031189803110310.160222384399313.3500031189803110310.160222384399313.3500031189803110310.160222384399313.3500031189803111310.1792737687312146.85000178766821310.164200145931413.3500025263740550310.1681779074723413.3500019961473980310.1681779074723413.3500019961473980310.1681779074723413.3500019961473980310.1681779074723413.3500019961473981310.18304217438856146.85000119670351310.172155669021113.350001528300342310.184088953704513.3500004990368380310.1920444768479713.350000124759220310.1920444768479713.350000124759220310.1920444768479713.350000124759223310.19057898574965146.850000369352931310.196022238423113.3500000311898080310.1999999999992513.3499999999999940310.1999999999992513.3499999999999940310.1999999999992513.3499999999999940310.1999999999992513.3499999999999941310.1981157971478146.8500000147741Length of commit message in OpenBSD<= 5 words<= 10 words<= 15 words<= 20 words<= 25 words<= 30 words<= 35 words<= 40 words<= 45 words<= 50 words<= 55 words<= 60 words<= 65 words<= 70 words<= 75 words<= 80 words<= 85 words<= 90 words<= 95 words<= 100 words<= 105 words<= 110 words<= 115 words<= 120 words<= 125 words<= 130 words<= 135 words<= 140 words<= 145 words<= 150 words<= 155 words<= 160 words<= 165 words<= 170 words<= 175 words<= 180 words<= 185 words<= 190 words<= 195 words<= 200 words<= 205 words<= 210 words<= 215 words<= 220 words<= 225 words<= 230 words<= 235 words<= 240 words<= 245 words<= 250 words<= 255 words<= 260 words<= 265 words<= 270 words<= 275 words<= 280 words<= 285 words<= 290 words<= 295 words<= 300 words<= 305 words<= 310 words<= 315 words<= 320 words<= 335 words<= 365 words<= 370 words<= 385 words<= 395 words<= 400 words<= 410 words<= 425 words<= 430 words<= 455 words<= 495 words<= 10705 words
  • A bit less than 50% of the commit messages (title + body) is less than 10 characters words long
  • Around 75% of them are less than 20 characters words.

The previous graph can be obtained via this:

$ git clone https://github.com/openbsd/src
$ git rev-list master |
    while read sha1; do
			git show -s --format='%B' $sha1 | tr -d '\n'; echo
		done | awk '{ print NF}' | sort | uniq -c > ~/out.cvs

and the following python script:

$ cat commits_to_svg.py
import pygal
import csv
import collections

d = collections.defaultdict(list)

with open('out.cvs') as csvfile:
    for line in csv.reader(csvfile, delimiter=';'):
        k, v = int(line[1]), int(line[0])
        d[(k + 5) - k%5].append(v)

pie_chart = pygal.Pie()
pie_chart.title = 'Length of commit message in OpenBSD'
for a,b in sorted(d.items()):
    pie_chart.add(str(a), b)
pie_chart.render()
pie_chart.render_to_file('bar_chart.svg')
$

Interestingly, there are a lot of commits with a single word as message, and this is an accepted practise:

$ git log --log-size --format="%B" | \
awk '/^log size/{
  if (matches == 1) {messages[line]++; line = ""}
  matches = 0;
  if ($3 <= 10) { matches = 1}
}
{
  if (matches == 1 && $0 !~ /^log size/) {line = line tolower($0)}
}
END {
  for (line in messages){ print messages[line]": "line}
}' | \
sort -n | tail
107: tweaks;
115: spelling
117: regen.
135: indent
183: oops
249: spacing
416: knf
441: typo
1902: regen
4915: sync

Commits adding new mitigations sometimes don’t contain much information nor context, like for MAP_STACK:

commit 80e6ddab5b6b834f2d6fa7f2078e697ea58cdbf9
Author: deraadt <deraadt@openbsd.org>
Date:   Sun Feb 11 04:09:19 2018 +0000

    Add MAP_STACK flag.  Currently masked by mmap()

or the Stackclash mitigation:

commit 4ed6bfeac112229466414b94cdbd983fb8017796
Author: kettenis <kettenis@openbsd.org>
Date:   Thu May 18 18:50:32 2017 +0000

    Add a gap of 1MB between the stack and mmap spaces.
    
    ok deraadt@, millert@, stefan@

The non-syscalls from non-marked maps one is also interesting:

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions.  It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page.  For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program.  Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs.  We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen

While it explains what’s going on, it doesn’t provide much rationale: what other strict checks were considered? What were the cost/benefit ratios? What are the attack methods? Upon what are their understanding based? “Less effective once on-host” as in “a complete bypass”, since the attacker can simply use ROP, so it seems that this doesn’t add much on top of ASLR and random relink. But at least the commit provides some bits of rationale and a couple of arguments.

Anyway, this tendency to have super-small commits messages makes it tricky to understand what are those mitigations doing, against what they are defending, …

Equally worrying, OpenBSD doesn’t usually mention papers about their mitigations, either because they’re not reading it, or to claim that their ideas are brand new. For example, their ROP gadget removal process doesn’t mention Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating; MAP_STACK doesn’t mention ROPGuard; …

Some performance-critical changes don’t provide data/benchmarks, like choosing the right™ number of pools for the memory allocator:

commit e02928f11c682f13cb9c80ef478a1405cff78ee2
Author: otto <otto@openbsd.org>
Date:   Thu Jan 10 18:47:05 2019 +0000

    Move default numer of pools in the multi-threaded case to 8. Various tests
    by me and others indicate that it is the optimum.

diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c
index 2a1bcfc8b69..e41178d5c56 100644
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: malloc.c,v 1.258 2019/01/10 18:45:33 otto Exp $       */
+/*     $OpenBSD: malloc.c,v 1.259 2019/01/10 18:47:05 otto Exp $       */
 /*
  * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
  * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -409,7 +409,7 @@ omalloc_init(void)
        /*
         * Default options
         */
-       mopts.malloc_mutexes = 4;
+       mopts.malloc_mutexes = 8;
        mopts.malloc_junk = 1;
        mopts.malloc_cache = MALLOC_DEFAULT_CACHE;