Counterpoint: Why OpenBSD will never be as secure as Linux
Well, my mother just finished knitting me a new pair of
asbestos booties, so I thought it was high time I tried them
out. Set phasers to "flame". Please read the entire article
before using them. Just remember, I could have copped out by
making the title something like "Will Linux ever be as
secure as OpenBSD?" or even "Which is more secure, Linux or
OpenBSD?". But I didn't. You should also check out the
LASG/LSKB if you haven't already. I also know about
ImmunixOS from WireX and the NSA's SELinux (go read last
week's column!).
The code
Let's face it, Linux is a great OS; I have more than a few
machines running it. But due to a number of technical,
political and marketing factors it is never going to be as
secure as OpenBSD (which I also have running on several
machines). One of the most obvious differences between Linux
and OpenBSD (assuming you look under the hood a bit) is the
fact that OpenBSD has done an extensive code audit. The
OpenBSD team has literally spent dozens of man-years of
effort auditing code, not only for security but for general
correctness. Even the man pages for OpenBSD are clean and
consistent.
This is a very proactive form of security: OpenBSD fixes
many problems before they become security issues. No such
extensive code audit exists in the Linux world, and likely
never will. Most vendors I have spoken with typically have a
small security team of fewer than half a dozen people
(usually much fewer). Even ignoring the fact that Linux
vendors ship many more packages as standard than OpenBSD
(which tends to rely on the ports collection for add-on
software), the basic components that both Linux and OpenBSD
have (kernel, command shells, system utilities, etc.) are
quite large, several hundred megabytes of source code in
total. There simply are not enough competent Linux
programmers to do a security audit on this code, let alone
for every vendor to hire enough people to fix their own
versions. Even when vendors do code audits they typically
face a problem: many programmers maintaining software are
indifferent, or even hostile, to people sending them
security fixes, so it is very common for the original
software to remain insecure while the vendor must maintain
its own patch set. This problem affects OpenBSD far less, as
they now maintain their own code base, and it has
significantly diverged in many areas (ssh and OpenSSH being
a prime example). Even if Linux vendors wanted to audit all
their code there aren't enough Linux programmers capable of
doing it. This means that Linux vendors are essentially
doomed to reacting to security problems, applying patches
and shipping out fixed versions of software, leaving users
open to vulnerabilities for hours, days or even weeks in
some cases.
This is far more important than it sounds. Even with
additional security products such as PitBull there may be
ways for an attacker to exploit some bug in the kernel that
allows them to bypass the add-on security; this happened
with PitBull for Solaris: PitBull was fine, the Solaris
kernel was not. Generally speaking, add-on security products
cannot completely protect the system; for example, unless a
firewall product replaces the TCP/IP stack of an OS, any
problems in the TCP/IP stack will still be exploitable.
Cryptographic software
This is an area where OpenBSD trounces Linux. OpenBSD not
only ships OpenSSL, OpenSSH, IPSec, and several other
cryptographic software packages, but they have actually been
largely responsible for OpenSSH, which is an incredibly
important piece of software now. While many Linux vendors do
ship OpenSSL and OpenSSH there are several that do not
(Caldera being a notable example). However, no major Linux
vendor ships IPSec support built in; while there is a
project for Linux IPSec (FreeS/WAN), it is difficult at best
to install and configure, and at worst almost impossible (I
know, I've used it). OpenBSD on the other hand ships by
default with one of the best IPSec implementations
available. OpenBSD also provides a different (better in many
ways) key daemon, with support for various forms of
authentication, an area where FreeS/WAN is weak.
Additionally, because the majority of Linux work is done
from within the US (Linus Torvalds now lives there) there is
almost no cryptographic support built into the Linux kernel.
If you want to add crypto you must patch the kernel and
rebuild it. Very few vendors, if any at all (I'm not aware
of a single one), ship any crypto built into the kernel such
as IPSec support, or any form of cryptographic hooks
(however many do ship OpenSSL/OpenSSH and other
cryptographic components). Because OpenBSD is developed in
Canada, the export of public-domain software (usually
interpreted to include open source) is not a problem, giving
you out-of-the-box support.
Cryptographic hardware
This is yet another area where OpenBSD shines and Linux is
almost completely lacking. OpenBSD supports several
cryptographic acceleration products, allowing you to build
very powerful (and cheap) IPSec gateways, for example. While
there is some SSL acceleration hardware available for Linux,
this is essentially an easy problem to solve (most web load
balancers can handle the encryption and keep sessions
organized properly). There is, as far as I know, no
IPSec-capable hardware acceleration product for Linux.
OpenBSD is also currently working towards allowing hardware
to accelerate other cryptographic software such as ssh; the
CPU cost of crypto will become an increasingly large problem
(how much CPU would you have to add to a server to support
1000 users using ssh instead of telnet?). And with OpenSSH's
support for large file transfers (via scp and sftp), load on
servers using the SSH protocol will only increase.
On the cryptographic front OpenBSD has Linux beat, hands
down. The chances of Linux gaining this support are slim,
for a number of reasons: US crypto export policy and a lack
of programmers capable of writing the software, to name a
few. This is not something that will change for a long time
(if ever).
Happy customers
Linux vendors care about having happy customers. OpenBSD
developers don't. The Linux market has become a very
competitive space, with around a dozen "major"
distributions, and literally dozens (if not hundreds) of
smaller players. The major distributions generally pursue
similar markets: home desktop users, corporate/educational
desktop users and corporate/educational servers. Almost
every commercial vendor has invested significant effort in
graphical installation programs, desktop software like Gnome
and KDE, and other usability/entertainment/productivity
software. There is absolutely nothing wrong with this; as
more people use Linux the installation must become easier,
and things like word processors are needed. However, it
means that Linux vendors have to spend a lot more effort
pleasing users; several distributions now ship on multiple
CDs because of all the add-on software they include.
Although customers complain about security, very few will
actually take a secure product instead of an insecure
product with more features (even if they may not need those
features). Unless a sizable portion of customers start
putting their money where their mouth is, vendors will not
change significantly.
Secure by default
In comparison, OpenBSD 2.8's install files (all of them) are
just over 90 megs; installed (with everything) it requires
around 200 megs of space. The only things enabled by default
in OpenBSD are those that the developers deem "safe". For
example, Telnet is disabled by default, and OpenSSH is
enabled. Sendmail is configured to run in local queue mode:
it can send mail but not receive (you must add the "-bd"
option in rc.conf to enable it). As OpenBSD's webpage puts
it:
Four years without a remote hole in the default install!
This is not something any Linux vendor can claim (or ever
will, in all likelihood). A typical installation of Linux
will result in a half dozen or more network services being
started, and while some vendors are starting to improve, it
is unlikely many will, since disabling things results in
frustrated users and increased support costs (although one
wonders about the cost of rebuilding machines after they are
broken into).
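The "secure by default" posture described above (telnet off, sshd on, sendmail in local queue mode unless "-bd" is added) is something an administrator can verify rather than take on faith. The following POSIX shell script is an added example, not part of this column and not OpenBSD's own code: it parses constructed rc.conf-style and inetd.conf-style samples (the daemon names, flags and paths in the samples are made up, modelled on the conventions the column describes) and reports which daemons would actually accept network connections. The rules it applies are assumptions stated in the comments: a *_flags value of NO disables a daemon, sendmail listens only when -bd is present, and an inetd service is enabled unless its line is commented out.

```shell
#!/bin/sh
# Added example (not from the column, not OpenBSD code): audit an
# rc.conf-style file and an inetd.conf-style file to see which network
# daemons are actually enabled.  Samples are constructed; the parsing rules
# below are assumptions modelled on the conventions the column describes.

# Constructed sample rc.conf, written to stdout.
sample_rcconf() {
    cat <<'EOF'
# constructed sample, modelled on /etc/rc.conf
sshd_flags=""            # empty string: daemon enabled with default options
sendmail_flags="-q30m"   # local queue mode: no -bd, so nothing listens
httpd_flags=NO
named_flags=NO
EOF
}

# Constructed sample inetd.conf, written to stdout.
sample_inetdconf() {
    cat <<'EOF'
# constructed sample, modelled on /etc/inetd.conf
#telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
ident    stream  tcp  nowait  _identd /usr/libexec/identd  identd -el
#finger  stream  tcp  nowait  _fingerd /usr/libexec/fingerd fingerd -lsm
EOF
}

# Read rc.conf text on stdin; print one "<daemon> <state>" line per
# *_flags entry.  Assumed rule: a value of NO means disabled; anything else
# (including an empty string) means enabled.  sendmail is special-cased: it
# only accepts network connections when its flags contain -bd.
rc_daemon_states() {
    sed -n 's/^\([A-Za-z0-9_]*\)_flags=\(.*\)$/\1 \2/p' |
    while read -r name value; do
        # drop any trailing comment, then the surrounding double quotes
        value=$(printf '%s' "$value" |
                sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//')
        case "$name" in
            sendmail)
                case " $value " in
                    *" -bd "*) echo "sendmail listening" ;;
                    *)         echo "sendmail local-queue-only" ;;
                esac ;;
            *)
                if [ "$value" = "NO" ]; then
                    echo "$name disabled"
                else
                    echo "$name enabled"
                fi ;;
        esac
    done
}

# Read inetd.conf text on stdin; print the name of every service whose line
# is not commented out, i.e. every service inetd would start on demand.
inetd_enabled_services() {
    sed -n 's/^\([A-Za-z0-9_]*\)[[:space:]].*/\1/p'
}

# Demonstration on the constructed samples.
echo "== rc.conf daemons =="
sample_rcconf | rc_daemon_states
echo "== inetd services =="
sample_inetdconf | inetd_enabled_services
```

On a real host you would feed the functions the actual files (`rc_daemon_states < /etc/rc.conf`) and compare the result with what `netstat -an` shows listening; a daemon that is enabled in the configuration but not expected to be is exactly the kind of default the column is arguing against.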
Summary
We need to teach people how to program well, and then maybe
we can teach them how to program securely. We then need
these programmers to either completely rewrite major
portions of the software most Linux vendors ship, or audit
the existing stuff (in both cases a task that is unlikely to
be done). Since this is basically impossible we need to look
at other solutions. ImmunixOS and SELinux are two solutions
to this problem, and when installed, maintained and used
correctly they do help, a lot. However, this will not
benefit the vast majority of Linux users. OpenBSD users, on
the other hand, have an extremely clean and secure code base
to work from, one that is proactively being audited on a
continuous basis. Linux has dug itself into a very deep
hole, and appears to be digging downwards at an ever faster
rate. Even with add-on software like PitBull LX, or the
NSA's SELinux kernel modifications, there are still
potential security holes that could allow an attacker to
bypass any Mandatory Access Controls, RBAC or Type
Enforcement, as was the case with PitBull for Solaris
(Solaris had a flaw that allowed attackers to compromise the
system despite PitBull). Without a high level of assurance
in the actual source code of the Linux kernel and associated
files there will always be a hint of doubt about the
security of the system as a whole. This is why Linux can
never be as secure as OpenBSD.
Reference links:
http://www.openbsd.org/ - OpenBSD
http://www.openbsd.org/security.html - OpenBSD security page
http://www.openbsd.org/crypto.html - OpenBSD crypto page
http://www.seifried.org/lasg/ - Linux Administrators Security Guide
Credits
Last updated 8/11/2001
Copyright Kurt Seifried 2001