New OpenBSD 3.3 hits the stack

Despite losing significant funding support from the US Department of Defense for its research and development, the OpenBSD Project has pushed ahead with the release of version 3.3 of its open source software, boasting of new features and improvements across almost all of the operating system.

Topping the list of new features is the integration of ProPolice stack protection technology into the system compiler, which will be enabled by default. According to the OpenBSD Web site, this change “makes it very hard for an attacker to modify the return address used when returning from a function”. The technology is based on a GNU Compiler Collection (GCC) extension, designed to protect applications from stack-smashing attacks.

Another new feature is W^X (pronounced "W xor X"), which OpenBSD calls a “fine-grained memory permissions layout”. W^X ensures memory written to by application programs cannot be executed at the same time by other applications. It works on architectures capable of pure execute-bit support in the memory management unit, such as Sparc, Sparc64, Alpha and hppa.

As well as those features, OpenBSD claims the introduction of privilege separation in the X Window server and xconsole, as well as a new privilege revocation function in the terminal emulator, will further tighten security levels across the operating system.

Version 3.3 also incorporates changes to the OpenBSD packet filter, including improvements to the address pools, the bandwidth management system (Queue), and spamd. Spamd is a fake sendmail-like daemon designed to ward off spam by rejecting false mail. “This daemon handles connections based on black lists and white lists, tar-pits the connections, and ensures that the spammer knows why their mail has not been accepted,” OpenBSD states.

Version 3.3 represents the first release of OpenBSD software since the US Defense Advanced Research Projects Agency’s (DARPA) decision to cut its funding to the OpenBSD project last month. The $US2.3 million in funding was for a Portable Open-Source Security Enhancements project at the University of Pennsylvania, run through DARPA.

DARPA said the decision to suspend its contract with the OpenBSD software project was due to “world events”. OpenBSD Project leader Theo de Raadt, however, believes differently, as the cuts came days after he was quoted in a Canadian newspaper opposing the US war in Iraq and expressing his discomfort with taking Defense Department funding.

OpenBSD version 3.3 is now available for download or to purchase as a 3-CD set from the OpenBSD Web site: www.openbsd.org

- Grant Gross contributed to this report

Nadia Cameron

LinuxWorld
