OpenBSD Security Features - Memory Protection

Memory Protection

OpenBSD integrates several technologies to help protect the operating system from attacks such as buffer overflows or integer overflows.

Developed by Hiroaki Etoh, ProPolice is a GCC extension for protecting applications from stack-smashing attacks. To make this possible, it performs a number of operations: local stack variables are reordered to place buffers after pointers, protecting the pointers from corruption in case of a buffer overflow; pointers from function arguments are also placed before local buffers; and a canary value is placed after local buffers which, when the function exits, can sometimes be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics that judge how vulnerable it is, reducing the performance overhead of the protection. It was integrated into the OpenBSD GCC in December 2002 and first made available in version 3.3; it was applied to the kernel in release 3.4. The extension works on all the CPU architectures supported by OpenBSD and is activated by default, so any C code compiled will be protected without user intervention.

In May 2004, OpenBSD on the SPARC platform received further stack protection in the form of StackGhost. This makes use of features of the SPARC architecture to help prevent exploitation of buffer overflows. Support for SPARC64 was added to -current in March 2005.

OpenBSD 3.4 introduced W^X (W xor X), a memory management scheme that ensures memory is either writable or executable, but never both, providing another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like AMD64, which has hardware support for the NX bit, OpenBSD is one of the few OSes to support it on the generic i386 platform, which lacks built-in per-page execute controls.

During the development cycle of the 3.8 release, changes were made to the malloc memory management functions. In traditional Unix operating systems, malloc allocates more memory by extending the Unix data segment, a practice that has made it difficult to implement strong protection against security problems. The malloc implementation now in OpenBSD makes use of the mmap system call, which was modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other. In addition, allocation of small blocks in shared areas is now randomized, and the free function was changed to return memory to the kernel immediately rather than leaving it mapped into the process. A number of additional, optional checks were also added to aid in development. These features make program bugs easier to detect and harder to exploit: instead of memory being corrupted or an invalid access being ignored, they often result in a segmentation fault and termination of the process. This brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer, a type of bug that would previously go undetected but can now cause an error. These abilities took more than three years to implement without considerable performance loss and are similar in goals to those of the Electric Fence malloc debugging library by Bruce Perens.
