248:; in the email he states that "As a result, every new kernel is unique. The relative offsets between functions and data are unique ... change is scaffolding to ensure you boot a newly-linked kernel upon every reboot ... so that a new random kernel can be linked together ... On a fast machine it takes less than a second ... A reboot runs the new kernel, and yet another kernel is built for the next boot. The internal deltas between functions inside the kernel are not where an attacker expects them to be, so he'll need better info leaks".
71:
449:-based operating system, rely on the existing disk encryption features to encrypt the swap, which often (a) need to be enabled by the user manually, (b) require setup (if disk encryption wasn't chosen during the operating system's installation) which is not as trivial to do as toggling swap encryption on OpenBSD, and (c) use the user-provided password, which users need to remember and could be weak/guessable or even extracted out of the users.)
607:, and OpenBSD provides an "aperture" driver to limit X's access to memory. However, after work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class." He went on to castigate X developers for "taking their time at solving this > 10-year-old problem." On November 29, 2006, a
588:
lowlevel memory/hardware access is handled solely by the kernel. Other drivers such as WSFB follow a similar pattern. For this reason, X11 on OpenBSD does not open up lowlevel memory or hardware access to user/root programs as is done on some other systems, and as was done in the past, which then needed the user to escalate the machdep.allowaperture setting from its default zero setting, to an unsecure setting.
27:
284:
integrated in OpenBSD's version GCC in
December 2002, and first made available in OpenBSD 3.3; it was applied to the kernel in release 3.4. The extension works on all the CPU architectures supported by OpenBSD and is enabled by default, so any C code compiled will be protected without user intervention.
419:
configuration option, and doesn't require any prior setup, disk partitioning, or partition-related settings to be done/changed; furthermore, there is no choice of encryption parameters (such as the algorithm or key length to use), as strong parameters are always used. There is no harm and no loss of
342:
function was changed to return memory to the kernel immediately rather than leaving it mapped into the process. A number of additional, optional checks were also added to aid in development. These features make program bugs easier to detect and harder to exploit: instead of memory being corrupted or
347:
and abortion of the process. This has brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer, a type of bug that would previously not be detected directly but can now cause an error. These abilities took more than
424:
continues to work as usual with this feature. This feature is enabled by default in OpenBSD 3.8 (released in
November 2005) and later; OpenBSD, as of 2022, remains the only prominent operating system to have swap encrypted by default independently of disk encryption and its user-provided password.
410:
from leaking on to disk, where they can persist for many years, OpenBSD supports encryption of swap space. The swap space is split up into many small regions that are each assigned their own encryption key, which is generated randomly and automatically with no input from the user, held entirely in
666:
OpenBSD is intended to be secure by default, which includes (but is not limited to) having all non-essential services be disabled by default. This is done not only to not require users to learn how and waste time to secure their computers after installing OpenBSD, but also in hope of making users
587:
In X11 on OpenBSD, neither the X server nor X clients normally have any escalated direct memory or hardware privileges: When driving X with the Intel(4) or Radeon(4) drivers, these normally interact with the underlying hardware via the Direct
Rendering Management(4) kernel interface only, so that
283:
value is placed after local buffers which, when the function exits, can sometimes be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection. It was
402:
was introduced, but enabling it during the installation of OpenBSD had required manual intervention from the user by exiting the installer and entering some commands. Starting from OpenBSD 7.3, the installer supports enabling full disk encryption using a guided procedure, not requiring manual
239:
In a June 2017 email, Theo de Raadt stated that a problem with stable systems was that they could be running for months at a time. Although there is considerable randomization within the kernel, some key addresses remain the same. The project in progress modifies the
420:
functionality with this feature, because the encryption keys used to access swapped processes are only lost when the computer crashes (e.g. power loss), after which all operating systems discard the previous contents of the memory and swap anyway, and because
279:. It does this through a number of operations: local stack variables are reordered to place buffers after pointers, protecting them from corruption in case of a buffer overflow; pointers from function arguments are also placed before local buffers; and a
685:) for restricting process capabilities to a minimal subset required for correct operation. If the process is compromised and attempts to perform an unintended behavior, it will be terminated by the kernel. OpenBSD 6.4 introduced the
306:, a memory management scheme to ensure that memory is either writable or executable, but never both, which provides another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like
337:
system call, which was modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other. In addition, allocation of small blocks in shared areas are now randomized and the
183:
functions. These functions are intended to make it harder for programmers to accidentally leave buffers unterminated or allow them to be overflowed. They have been adopted by the NetBSD and FreeBSD projects but not by the
415:; as soon as the data in a region is no longer required, OpenBSD discards its encryption key, effectively transforming the data in that region into useless garbage. Toggling this feature can be done using a single
124:
and the development of security features. According to author
Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms."
460:
initial sequence numbers and timestamps, and ephemeral source ports. A number of features to increase network resilience and availability, including countermeasures for problems with
640:
and randomized loading of libraries also play a role in increasing the security of the system. Many of these have been applied to the OpenBSD versions of common programs such as
617:
After the discovery of a security vulnerability in X, OpenBSD doesn't support the running of X as a root user and only supports running X via a display manager as a dedicated
704:
are used together to confine applications, further limiting what they're otherwise permitted to do under the user account they're running as. Since the introduction of
327:
allocates more memory by extending the Unix data segment, a practice that has made it difficult to implement strong protection against security problems. The
523:
is integrated into the base operating system and used for verification of all releases, patches, and packages starting with OpenBSD 5.5. In contrast, other
712:
in OpenBSD), applications (handled by their developers), and ports (of applications, handled by the OpenBSD team) have been updated to be confined with
456:
also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including
1933:
1464:
164:
2143:
953:
667:
more aware of security considerations, by requiring them to make conscious decisions to enable features that could reduce their security.
45:
295:. This makes use of features of the SPARC architecture to help prevent exploitation of buffer overflows. Support for SPARC64 was added to
1222:
Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
1063:
720:. Some examples of third-party applications updated with these features (by their developers or in OpenBSD's app ports) include the
2035:
292:
567:, a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet; and
314:, OpenBSD is one of the few OSes to support this on the generic i386 platform, which lacks built in per-page execute controls.
1896:
792:
2326:
656:
2321:
2133:
1242:
465:
360:
into the core operating system. To this end, a number of low-level features are provided, including a source of strong
217:
is included in OpenBSD in an attempt to find other common programming mistakes at compile time. Other security-related
196:
519:
existing in the software, and help the user understand the software better and make more security-educated decisions.
2075:
1381:
1178:
823:
758:
461:
218:
633:
611:
kernel driver was developed that permitted X to run, albeit more slowly, without the use of the aperture driver.
369:
280:
213:, are found. All occurrences of these functions in the OpenBSD source tree have been replaced. In addition, a
457:
361:
244:
so that on every boot, the kernel is relinked, as well as all other randomizations. This differs from kernel
516:
132:
Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the
484:. The telnet daemon was completely removed from OpenBSD in 2005 before the release of OpenBSD version 3.8.
365:
1925:
487:
The OpenBSD project had invented their own utility for cryptographic signing and verification of files,
2331:
659:
in relation to various bugs and security breaches detected by the OpenBSD team. This is exemplified by
144:
1409:
1605:
709:
2048:
1815:
1761:
552:
256:
OpenBSD integrates several technologies to help protect the operating system from attacks such as
2105:
1788:
1486:
948:
535:, a prominent operating system that's also used as a base for other operating systems, including
421:
412:
272:
1841:
721:
148:
1655:
2068:
1352:
572:
276:
87:
1274:
227:
2240:
1027:
629:
608:
604:
576:
399:
214:
1630:
1149:
1051:
1002:
356:
One of the goals of the OpenBSD project is the integration of facilities and software for
8:
1071:
976:
614:
On
February 15, 2014, X was further modified to allow it to run without root privileges.
544:
392:
357:
163:, but they can also be difficult to understand and easy to misuse, so OpenBSD developers
889:
864:
839:
96:
Please help update this article to reflect recent events or newly available information.
44:
Please expand the article to include this information. Further details may exist on the
2279:
1165:
gcc comes with the 'ProPolice' stack protection extension, which is enabled by default.
649:
241:
192:
2032:
1980:
1867:
1732:
1511:
919:
819:
788:
754:
548:
513:"The concerns I had using an existing tool were complexity, quality, and complexity."
508:
496:
426:
381:
121:
1707:"VeraCrypt - Free Open source disk encryption with strong security for the Paranoid"
1706:
2316:
2163:
2061:
1109:
Integration of the ProPolice stack protection technology into the system compiler.
645:
429:
requires toggling a configuration setting that is not presented in its user-facing
261:
117:
2295:
2039:
1845:
809:
784:
778:
748:
592:
257:
1955:
82:. The reason given is: OpenBSD 7.3 was released with new security features (see
2148:
815:
515:
This is in line with the project's longtime tendency to reduce complexity, and
377:
1435:
480:
daemon, in 1999, and features other integrated cryptographic software such as
2310:
2258:
2198:
2044:
1757:
1482:
1460:
1439:
1234:
915:
524:
453:
185:
168:
663:: "Only two remote holes in the default install, in a heck of a long time!"
2263:
1892:
1562:
1377:
1270:
1238:
1067:
600:
477:
446:
388:
384:
91:
1028:"arc4random, arc4random_buf, arc4random_uniform – random number generator"
921:
strlcpy and strlcat - Consistent, Safe, String Copy and
Concatenation
317:
During the development cycle of the 3.8 release, changes were made to the
728:
689:
674:
560:
472:, are also included. The project was the first to disable the plain-text
660:
2210:
1064:"GCC extension for protecting applications from stack-smashing attacks"
693:
564:
540:
531:
for release verification, and as of 2022 continue to do so, including:
2053:
2188:
2183:
568:
268:
323:
memory management functions. In traditional Unix operating systems,
2235:
2178:
2173:
2168:
2153:
1929:
1656:"How can I verify Tor Browser's signature? | Tor Project | Support"
1580:
1233:
596:
556:
407:
39:
1537:
1327:
1137:
ProPolice stack protection has been enabled in the kernel as well.
1121:
1093:
890:"strlcpy, strlcat – size-bounded string copying and concatenation"
83:
2193:
2100:
2085:
2005:
1302:
1206:
725:
641:
528:
504:
492:
442:
344:
209:
179:
173:
159:
153:
114:
1606:"Download Kali Linux Images Securely | Kali Linux Documentation"
603:
and some of the default applications are patched to make use of
348:
three years to implement without considerable performance loss.
26:
2203:
2158:
2128:
1902:
1387:
1280:
1248:
1184:
925:
637:
536:
532:
473:
469:
373:
319:
311:
307:
140:
134:
1237:; Hallqvist, Niklas; Grabowski, Artur; Keromytis, Angelos D.;
372:). These abilities are used throughout OpenBSD, including the
2220:
2215:
1353:"Initial support for guided disk encryption in the installer"
481:
438:
288:
1505:
1503:
1003:"issetugid – is current executable running setuid or setgid"
527:
operating systems and security-focused software tend to use
2230:
2225:
2138:
491:, instead of using existing standards and software such as
333:
303:
245:
1680:
291:
platform received further stack protection in the form of
1500:
740:
151:
programming language. There are two common alternatives,
42:
and the project's tendency to reduce software complexity.
1762:"Re: security bug in x86 hardware (thanks to X WIndows)"
368:
and transforms; and support for cryptographic hardware (
343:
an invalid access being ignored, they often result in a
2049:
On the matter of strlcpy/strlcat acceptance by industry
2033:
Exploit
Mitigation Techniques: an Update After 10 Years
2006:"unveil — unveil parts of a restricted filesystem view"
801:
387:, which takes advantage of the CPU-intensive Blowfish
865:"strncat – concatenate a string with part of another"
16:
Security features as used in OpenBSD operating system
1895:; Friedl, Markus; Honeyman, Peter (August 4, 2003).
1891:
655:OpenBSD has a history of providing its users with
517:in turn, reduce the probability of vulnerabilities
1283:Annual Technical Conference. Monterey, California
1251:Annual Technical Conference. Monterey, California
1180:StackGhost: Hardware Facilitated Stack Protection
928:Annual Technical Conference. Monterey, California
780:Absolute OpenBSD: Unix for the practical paranoid
503:utility, Ted Unangst, wrote in 2015, speaking of
351:
2308:
747:Korff, Yanek; Hope, Paco; Potter, Bruce (2005).
275:extension designed to protect applications from
1842:"Xorg can now run without privilege on OpenBSD"
1177:Frantzen, Mike; Shuey, Mike (August 13, 2001).
949:"Re: PATCH: safe string copy and concatenation"
746:
331:implementation now in OpenBSD makes use of the
1465:"disable telnet/ftp/login by default, for now"
1410:"Chapter 20. Storage — 20.14. Encrypting Swap"
1269:
913:
670:OpenBSD 5.9 included support for the then–new
411:memory, and never written to disk except when
2069:
1176:
807:
437:apps, and other operating systems, including
974:
840:"strncpy – copy part of a string to another"
772:
770:
2076:
2062:
1512:"signify: Securing OpenBSD From Us To You"
1956:"OpenBSD: Security — "Secure by Default""
1581:"Verifying authenticity of Debian images"
1433:
767:
753:. Sebastopol, California, USA: O'Reilly.
406:To protect sensitive information such as
221:developed by the OpenBSD project include
195:has been changed to issue a warning when
1813:
1756:
1733:"xf86 – X Window System aperture driver"
1481:
1459:
1434:Biancuzzi, Federico (October 12, 2005).
1150:"gcc-local – local modifications to gcc"
376:password-hashing algorithm derived from
127:
2083:
1981:"pledge() - a new mitigation mechanism"
946:
808:Palmer, Brandon; Nazario, Jose (2004).
599:) has some security modifications. The
559:, a security-focused operating system;
234:
2309:
1923:
1376:
750:Mastering FreeBSD and OpenBSD security
2057:
1787:Herrb, Matthieu (November 29, 2006).
1786:
1681:"Share and accept documents securely"
776:
543:, a specialized operating system for
464:and software for redundancy, such as
310:, which has hardware support for the
1814:Kettenis, Mark (February 15, 2014).
1518:. BSDCan 2015 (June), Ottawa, Canada
1390:Security Symposium. Denver, Colorado
1244:Cryptography in OpenBSD: An Overview
975:Madhavapeddy, Anil (June 26, 2003).
251:
197:unsafe string manipulation functions
64:
20:
2047:'s email about secure programming:
1924:Miller, Robin (December 11, 2000).
1905:Security Symposium. Washington, D.C
1509:
1187:Security Symposium. Washington, D.C
13:
1936:from the original on July 28, 2011
1276:A Future-Adaptable Password Scheme
1273:; Mazières, David (June 6, 1999).
947:Drepper, Ulrich (August 8, 2000).
708:, base OpenBSD programs (included
14:
2343:
2026:
1687:. Freedom of the Press Foundation
811:Secure Architectures with OpenBSD
624:
476:daemon in favor of the encrypted
1816:"CVS: cvs.openbsd.org: xenocara"
1561:
69:
25:
1998:
1973:
1948:
1917:
1898:Preventing Privilege Escalation
1885:
1860:
1834:
1807:
1780:
1750:
1725:
1699:
1673:
1648:
1623:
1598:
1573:
1555:
1530:
1475:
1453:
1427:
1402:
1370:
1345:
1320:
1295:
1263:
1227:
1199:
1170:
1142:
1114:
1086:
1056:
1045:
1020:
995:
783:(2nd ed.). San Francisco:
696:visibility to a minimum level.
370:OpenBSD Cryptographic Framework
1495:Removed files: libexec/telnetd
968:
940:
907:
882:
857:
832:
677:(introduced in OpenBSD 5.8 as
352:Cryptography and randomization
1:
734:
1414:FreeBSD Documentation Portal
563:, an anonymous Web browser;
398:In OpenBSD 5.3, support for
366:cryptographic hash functions
287:In May 2004, OpenBSD on the
7:
1789:"CVS: cvs.openbsd.org: XF4"
1487:"CVS: cvs.openbsd.org: src"
977:"CVS: cvs.openbsd.org: src"
267:Developed by Hiroaki Etoh,
92:updated list of innovations
10:
2348:
2327:Embedded operating systems
2038:February 20, 2014, at the
777:Lucas, Michael W. (2013).
2322:Operating system security
2288:
2272:
2251:
2121:
2093:
1436:"OpenBSD's network stack"
1383:Encrypting Virtual Memory
591:OpenBSD's version of the
571:, a software program for
78:This article needs to be
1926:"Theo de Raadt Responds"
1491:OpenBSD-CVS mailing list
302:OpenBSD 3.4 introduced
88:independent news report
1660:support.torproject.org
1631:"Verifying signatures"
1563:"OpenBSD: Innovations"
681:and renamed in 5.9 to
582:
403:intervention anymore.
277:stack-smashing attacks
36:is missing information
573:on-the-fly encryption
547:, security research,
499:. The creator of the
362:pseudo random numbers
215:static bounds checker
128:API and build changes
2010:OpenBSD manual pages
1868:"OpenBSD 6.4 Errata"
1737:OpenBSD manual pages
1154:OpenBSD manual pages
1032:OpenBSD manual pages
1007:OpenBSD manual pages
894:OpenBSD manual pages
869:OpenBSD manual pages
844:OpenBSD manual pages
661:the project's slogan
634:privilege revocation
630:Privilege separation
605:privilege separation
577:full disk encryption
400:full disk encryption
235:Kernel randomization
1848:. February 22, 2014
1380:(August 14, 2000).
553:reverse engineering
545:penetration testing
393:brute-force attacks
358:strong cryptography
2280:OpenBSD Foundation
1463:(April 10, 1999).
650:BSD Authentication
345:segmentation fault
2332:Software features
2304:
2303:
2111:security features
914:Miller, Todd C.;
794:978-1-59327-476-4
549:digital forensics
262:integer overflows
252:Memory protection
147:functions in the
111:
110:
63:
62:
2339:
2122:Related projects
2094:Operating system
2078:
2071:
2064:
2055:
2054:
2021:
2020:
2018:
2016:
2002:
1996:
1995:
1993:
1991:
1977:
1971:
1970:
1968:
1966:
1952:
1946:
1945:
1943:
1941:
1921:
1915:
1914:
1912:
1910:
1889:
1883:
1882:
1880:
1878:
1864:
1858:
1857:
1855:
1853:
1838:
1832:
1831:
1829:
1827:
1811:
1805:
1804:
1802:
1800:
1784:
1778:
1777:
1775:
1773:
1760:(May 11, 2006).
1754:
1748:
1747:
1745:
1743:
1729:
1723:
1722:
1720:
1718:
1703:
1697:
1696:
1694:
1692:
1677:
1671:
1670:
1668:
1666:
1652:
1646:
1645:
1643:
1641:
1627:
1621:
1620:
1618:
1616:
1602:
1596:
1595:
1593:
1591:
1577:
1571:
1570:
1559:
1553:
1552:
1550:
1548:
1534:
1528:
1527:
1525:
1523:
1507:
1498:
1497:
1485:(May 25, 2005).
1479:
1473:
1472:
1457:
1451:
1450:
1448:
1446:
1431:
1425:
1424:
1422:
1420:
1406:
1400:
1399:
1397:
1395:
1374:
1368:
1367:
1365:
1363:
1349:
1343:
1342:
1340:
1338:
1324:
1318:
1317:
1315:
1313:
1299:
1293:
1292:
1290:
1288:
1267:
1261:
1260:
1258:
1256:
1241:(June 6, 1999).
1231:
1225:
1224:
1219:
1217:
1203:
1197:
1196:
1194:
1192:
1174:
1168:
1167:
1162:
1160:
1146:
1140:
1139:
1134:
1132:
1118:
1112:
1111:
1106:
1104:
1090:
1084:
1083:
1081:
1079:
1070:. Archived from
1060:
1054:
1052:email 2017-06-13
1049:
1043:
1042:
1040:
1038:
1024:
1018:
1017:
1015:
1013:
999:
993:
992:
990:
988:
972:
966:
965:
963:
961:
944:
938:
937:
935:
933:
918:(June 6, 1999).
911:
905:
904:
902:
900:
886:
880:
879:
877:
875:
861:
855:
854:
852:
850:
836:
830:
829:
805:
799:
798:
774:
765:
764:
744:
719:
715:
707:
703:
699:
692:for restricting
688:
684:
680:
673:
620:
522:
502:
490:
395:less practical.
341:
336:
330:
326:
322:
298:
258:buffer overflows
230:
224:
212:
206:
202:
191:On OpenBSD, the
182:
176:
162:
156:
143:
137:
118:operating system
106:
103:
97:
73:
72:
65:
58:
55:
49:
29:
21:
2347:
2346:
2342:
2341:
2340:
2338:
2337:
2336:
2307:
2306:
2305:
2300:
2296:OpenBSD Journal
2284:
2268:
2247:
2117:
2106:version history
2089:
2082:
2040:Wayback Machine
2029:
2024:
2014:
2012:
2004:
2003:
1999:
1989:
1987:
1979:
1978:
1974:
1964:
1962:
1960:www.openbsd.org
1954:
1953:
1949:
1939:
1937:
1922:
1918:
1908:
1906:
1890:
1886:
1876:
1874:
1872:www.openbsd.org
1866:
1865:
1861:
1851:
1849:
1846:OpenBSD Journal
1840:
1839:
1835:
1825:
1823:
1812:
1808:
1798:
1796:
1785:
1781:
1771:
1769:
1755:
1751:
1741:
1739:
1731:
1730:
1726:
1716:
1714:
1705:
1704:
1700:
1690:
1688:
1679:
1678:
1674:
1664:
1662:
1654:
1653:
1649:
1639:
1637:
1629:
1628:
1624:
1614:
1612:
1604:
1603:
1599:
1589:
1587:
1579:
1578:
1574:
1567:www.openbsd.org
1560:
1556:
1546:
1544:
1542:www.openbsd.org
1536:
1535:
1531:
1521:
1519:
1516:www.openbsd.org
1508:
1501:
1480:
1476:
1458:
1454:
1444:
1442:
1432:
1428:
1418:
1416:
1408:
1407:
1403:
1393:
1391:
1375:
1371:
1361:
1359:
1351:
1350:
1346:
1336:
1334:
1332:www.openbsd.org
1326:
1325:
1321:
1311:
1309:
1301:
1300:
1296:
1286:
1284:
1268:
1264:
1254:
1252:
1232:
1228:
1215:
1213:
1205:
1204:
1200:
1190:
1188:
1175:
1171:
1158:
1156:
1148:
1147:
1143:
1130:
1128:
1120:
1119:
1115:
1102:
1100:
1092:
1091:
1087:
1077:
1075:
1074:on June 4, 2014
1062:
1061:
1057:
1050:
1046:
1036:
1034:
1026:
1025:
1021:
1011:
1009:
1001:
1000:
996:
986:
984:
973:
969:
959:
957:
945:
941:
931:
929:
912:
908:
898:
896:
888:
887:
883:
873:
871:
863:
862:
858:
848:
846:
838:
837:
833:
826:
806:
802:
795:
785:No Starch Press
775:
768:
761:
745:
741:
737:
717:
713:
705:
701:
697:
686:
682:
678:
671:
657:full disclosure
627:
618:
593:X Window System
585:
520:
500:
488:
354:
339:
332:
328:
324:
318:
299:in March 2005.
296:
254:
237:
226:
222:
208:
204:
200:
178:
172:
158:
152:
139:
133:
130:
107:
101:
98:
95:
74:
70:
59:
53:
50:
43:
30:
17:
12:
11:
5:
2345:
2335:
2334:
2329:
2324:
2319:
2302:
2301:
2299:
2298:
2292:
2290:
2286:
2285:
2283:
2282:
2276:
2274:
2270:
2269:
2267:
2266:
2261:
2255:
2253:
2249:
2248:
2246:
2245:
2244:
2243:
2233:
2228:
2223:
2218:
2213:
2208:
2207:
2206:
2196:
2191:
2186:
2181:
2176:
2171:
2166:
2161:
2156:
2151:
2146:
2141:
2136:
2131:
2125:
2123:
2119:
2118:
2116:
2115:
2114:
2113:
2108:
2097:
2095:
2091:
2090:
2081:
2080:
2073:
2066:
2058:
2052:
2051:
2042:
2028:
2027:External links
2025:
2023:
2022:
1997:
1972:
1947:
1916:
1884:
1859:
1833:
1822:(Mailing list)
1806:
1795:(Mailing list)
1779:
1768:(Mailing list)
1758:de Raadt, Theo
1749:
1724:
1698:
1672:
1647:
1622:
1597:
1585:www.debian.org
1572:
1554:
1529:
1510:Unangst, Ted.
1499:
1483:de Raadt, Theo
1474:
1461:de Raadt, Theo
1452:
1426:
1401:
1369:
1344:
1319:
1294:
1262:
1235:de Raadt, Theo
1226:
1198:
1169:
1141:
1113:
1085:
1055:
1044:
1019:
994:
983:(Mailing list)
967:
956:(Mailing list)
939:
916:de Raadt, Theo
906:
881:
856:
831:
824:
816:Addison-Wesley
800:
793:
766:
759:
738:
736:
733:
710:out of the box
626:
625:Other features
623:
584:
581:
378:Bruce Schneier
353:
350:
253:
250:
236:
233:
165:Todd C. Miller
129:
126:
109:
108:
77:
75:
68:
61:
60:
33:
31:
24:
15:
9:
6:
4:
3:
2:
2344:
2333:
2330:
2328:
2325:
2323:
2320:
2318:
2315:
2314:
2312:
2297:
2294:
2293:
2291:
2287:
2281:
2278:
2277:
2275:
2273:Organizations
2271:
2265:
2262:
2260:
2259:Theo de Raadt
2257:
2256:
2254:
2250:
2242:
2239:
2238:
2237:
2234:
2232:
2229:
2227:
2224:
2222:
2219:
2217:
2214:
2212:
2209:
2205:
2202:
2201:
2200:
2197:
2195:
2192:
2190:
2187:
2185:
2182:
2180:
2177:
2175:
2172:
2170:
2167:
2165:
2162:
2160:
2157:
2155:
2152:
2150:
2147:
2145:
2142:
2140:
2137:
2135:
2132:
2130:
2127:
2126:
2124:
2120:
2112:
2109:
2107:
2104:
2103:
2102:
2099:
2098:
2096:
2092:
2087:
2079:
2074:
2072:
2067:
2065:
2060:
2059:
2056:
2050:
2046:
2045:Theo de Raadt
2043:
2041:
2037:
2034:
2031:
2030:
2011:
2007:
2001:
1986:
1982:
1976:
1965:September 27,
1961:
1957:
1951:
1935:
1931:
1927:
1920:
1904:
1900:
1899:
1894:
1893:Provos, Niels
1888:
1873:
1869:
1863:
1847:
1843:
1837:
1821:
1817:
1810:
1794:
1790:
1783:
1767:
1763:
1759:
1753:
1738:
1734:
1728:
1712:
1708:
1702:
1686:
1682:
1676:
1661:
1657:
1651:
1636:
1632:
1626:
1611:
1607:
1601:
1586:
1582:
1576:
1568:
1564:
1558:
1543:
1539:
1538:"OpenBSD 5.5"
1533:
1517:
1513:
1506:
1504:
1496:
1492:
1488:
1484:
1478:
1470:
1466:
1462:
1456:
1441:
1440:SecurityFocus
1437:
1430:
1419:September 27,
1415:
1411:
1405:
1389:
1385:
1384:
1379:
1378:Provos, Niels
1373:
1358:
1354:
1348:
1333:
1329:
1328:"OpenBSD 7.3"
1323:
1308:
1304:
1303:"OpenBSD 5.3"
1298:
1282:
1278:
1277:
1272:
1271:Provos, Niels
1266:
1250:
1246:
1245:
1240:
1239:Provos, Niels
1236:
1230:
1223:
1212:
1208:
1207:"OpenBSD 5.8"
1202:
1186:
1182:
1181:
1173:
1166:
1155:
1151:
1145:
1138:
1127:
1123:
1122:"OpenBSD 3.4"
1117:
1110:
1099:
1095:
1094:"OpenBSD 3.3"
1089:
1073:
1069:
1065:
1059:
1053:
1048:
1033:
1029:
1023:
1008:
1004:
998:
982:
978:
971:
955:
954:
950:
943:
927:
923:
922:
917:
910:
895:
891:
885:
870:
866:
860:
845:
841:
835:
827:
825:0-321-19366-0
821:
817:
813:
812:
804:
796:
790:
786:
782:
781:
773:
771:
762:
760:0-596-00626-8
756:
752:
751:
743:
739:
732:
730:
727:
723:
711:
695:
691:
676:
668:
664:
662:
658:
653:
651:
648:, and to the
647:
643:
639:
635:
631:
622:
615:
612:
610:
606:
602:
598:
594:
589:
580:
578:
574:
570:
566:
562:
558:
554:
550:
546:
542:
538:
534:
530:
526:
525:Free Software
518:
514:
510:
506:
498:
494:
485:
483:
479:
475:
471:
467:
463:
459:
455:
454:network stack
450:
448:
444:
440:
436:
432:
431:Control Panel
428:
423:
418:
414:
409:
404:
401:
396:
394:
390:
386:
383:
379:
375:
371:
367:
363:
359:
349:
346:
335:
321:
315:
313:
309:
305:
300:
294:
290:
285:
282:
278:
274:
270:
265:
263:
259:
249:
247:
243:
232:
229:
220:
216:
211:
198:
194:
189:
187:
186:GNU C Library
181:
175:
171:designed the
170:
169:Theo de Raadt
166:
161:
155:
150:
146:
142:
136:
125:
123:
119:
116:
105:
93:
89:
85:
84:release notes
81:
76:
67:
66:
57:
47:
41:
37:
34:This article
32:
28:
23:
22:
19:
2289:Publications
2264:Niels Provos
2110:
2013:. Retrieved
2009:
2000:
1988:. Retrieved
1984:
1975:
1963:. Retrieved
1959:
1950:
1938:. Retrieved
1919:
1907:. Retrieved
1897:
1887:
1875:. Retrieved
1871:
1862:
1850:. Retrieved
1836:
1824:. Retrieved
1819:
1809:
1797:. Retrieved
1792:
1782:
1770:. Retrieved
1766:openbsd-misc
1765:
1752:
1740:. Retrieved
1736:
1727:
1715:. Retrieved
1711:veracrypt.fr
1710:
1701:
1689:. Retrieved
1684:
1675:
1663:. Retrieved
1659:
1650:
1638:. Retrieved
1634:
1625:
1613:. Retrieved
1609:
1600:
1588:. Retrieved
1584:
1575:
1566:
1557:
1545:. Retrieved
1541:
1532:
1520:. Retrieved
1515:
1494:
1490:
1477:
1468:
1455:
1445:December 10,
1443:. Retrieved
1429:
1417:. Retrieved
1413:
1404:
1392:. Retrieved
1382:
1372:
1360:. Retrieved
1357:undeadly.org
1356:
1347:
1335:. Retrieved
1331:
1322:
1310:. Retrieved
1306:
1297:
1285:. Retrieved
1275:
1265:
1253:. Retrieved
1243:
1229:
1221:
1214:. Retrieved
1210:
1201:
1189:. Retrieved
1179:
1172:
1164:
1157:. Retrieved
1153:
1144:
1136:
1129:. Retrieved
1125:
1116:
1108:
1101:. Retrieved
1097:
1088:
1076:. Retrieved
1072:the original
1068:IBM Research
1058:
1047:
1035:. Retrieved
1031:
1022:
1010:. Retrieved
1006:
997:
985:. Retrieved
980:
970:
958:. Retrieved
952:
942:
930:. Retrieved
920:
909:
897:. Retrieved
893:
884:
872:. Retrieved
868:
859:
847:. Retrieved
843:
834:
810:
803:
779:
749:
742:
729:web browsers
669:
665:
654:
628:
616:
613:
590:
586:
512:
486:
451:
445:, and every
434:
430:
416:
405:
397:
389:key schedule
385:block cipher
355:
316:
301:
286:
266:
255:
238:
190:
131:
112:
99:
79:
51:
35:
18:
1820:openbsd-cvs
1793:openbsd-cvs
1255:January 30,
981:openbsd-cvs
690:system call
675:system call
561:Tor Browser
422:hibernation
413:hibernating
364:; built-in
120:focuses on
2311:Categories
1685:SecureDrop
1610:Kali Linux
814:. Boston:
735:References
694:filesystem
565:SecureDrop
541:Kali Linux
293:StackGhost
228:arc4random
199:, such as
102:April 2023
54:April 2023
2189:OpenSMTPD
2184:OpenOSPFD
1362:April 19,
1337:April 19,
987:March 31,
652:system.
638:chrooting
569:VeraCrypt
408:passwords
391:, making
269:ProPolice
223:issetugid
46:talk page
2236:Xenocara
2179:OpenNTPD
2174:OpenIKED
2169:OpenBGPD
2154:LibreSSL
2036:Archived
1934:Archived
1930:Slashdot
1717:July 12,
1691:July 12,
1665:July 12,
1640:July 12,
1635:Qubes OS
1615:July 12,
1590:July 12,
1547:July 12,
1522:July 12,
1394:April 9,
722:Chromium
597:Xenocara
557:Qubes OS
435:Settings
382:Blowfish
297:-current
122:security
40:LibreSSL
2317:OpenBSD
2211:sensors
2194:OpenSSH
2101:OpenBSD
2088:Project
2086:OpenBSD
2015:May 15,
1990:May 19,
1985:OpenBSD
1940:May 16,
1909:May 26,
1901:. 12th
1877:May 23,
1852:May 26,
1826:May 26,
1799:May 26,
1772:May 26,
1742:May 14,
1713:. IDRIX
1469:OpenBSD
1312:May 26,
1307:OpenBSD
1287:May 26,
1216:May 28,
1211:OpenBSD
1191:May 26,
1183:. 10th
1159:May 28,
1131:May 28,
1126:OpenBSD
1103:May 28,
1098:OpenBSD
1078:May 26,
1037:May 14,
1012:May 14,
960:May 26,
932:May 26,
899:May 14,
874:May 14,
849:May 14,
726:Firefox
716:and/or
642:tcpdump
595:(named
529:OpenPGP
521:signify
505:OpenPGP
501:signify
493:OpenPGP
489:signify
443:FreeBSD
427:Windows
210:sprintf
180:strlcat
174:strlcpy
160:strncat
154:strncpy
115:OpenBSD
80:updated
2252:People
2204:pfsync
2159:mandoc
1903:USENIX
1388:USENIX
1386:. 9th
1281:USENIX
1249:USENIX
1185:USENIX
926:USENIX
822:
791:
757:
718:unveil
714:pledge
706:pledge
702:unveil
698:pledge
687:unveil
683:pledge
672:pledge
646:Apache
621:user.
601:server
551:, and
537:Ubuntu
533:Debian
474:telnet
470:pfsync
417:sysctl
374:bcrypt
329:malloc
325:malloc
320:malloc
312:NX bit
308:x86-64
281:canary
242:linker
205:strcat
201:strcpy
193:linker
145:string
141:strcat
135:strcpy
90:, and
38:about
2221:spamd
2216:sndio
2144:httpd
509:GnuPG
497:GnuPG
482:IPsec
447:Linux
439:macOS
289:SPARC
271:is a
207:, or
2231:tmux
2226:sudo
2139:doas
2134:CARP
2084:The
2017:2020
1992:2018
1967:2023
1942:2014
1911:2016
1879:2019
1854:2016
1828:2016
1801:2016
1774:2016
1744:2021
1719:2022
1693:2022
1667:2022
1642:2022
1617:2022
1592:2022
1549:2022
1524:2022
1447:2005
1421:2023
1396:2006
1364:2023
1339:2023
1314:2016
1289:2016
1257:2005
1218:2016
1193:2016
1161:2016
1133:2016
1105:2016
1080:2016
1039:2021
1014:2021
989:2013
962:2016
934:2016
901:2021
876:2021
851:2021
820:ISBN
789:ISBN
755:ISBN
724:and
700:and
679:tame
644:and
619:_x11
609:VESA
575:and
507:and
495:and
468:and
466:CARP
462:ICMP
452:The
433:and
340:free
334:mmap
246:ASLR
225:and
219:APIs
177:and
167:and
157:and
138:and
113:The
2241:cwm
2149:fdm
2129:bio
583:X11
478:SSH
458:TCP
380:'s
304:W^X
273:GCC
260:or
2313::
2199:PF
2164:mg
2008:.
1983:.
1958:.
1932:.
1928:.
1870:.
1844:.
1818:.
1791:.
1764:.
1735:.
1709:.
1683:.
1658:.
1633:.
1608:.
1583:.
1565:.
1540:.
1514:.
1502:^
1493:.
1489:.
1467:.
1438:.
1412:.
1355:.
1330:.
1305:.
1279:.
1247:.
1220:.
1209:.
1163:.
1152:.
1135:.
1124:.
1107:.
1096:.
1066:.
1030:.
1005:.
979:.
951:.
924:.
892:.
867:.
842:.
818:.
787:.
769:^
731:.
636:,
632:,
579:.
555:;
539:;
511::
441:,
264:.
231:.
203:,
188:.
94:).
86:,
2077:e
2070:t
2063:v
2019:.
1994:.
1969:.
1944:.
1913:.
1881:.
1856:.
1830:.
1803:.
1776:.
1746:.
1721:.
1695:.
1669:.
1644:.
1619:.
1594:.
1569:.
1551:.
1526:.
1471:.
1449:.
1423:.
1398:.
1366:.
1341:.
1316:.
1291:.
1259:.
1195:.
1082:.
1041:.
1016:.
991:.
964:.
936:.
903:.
878:.
853:.
828:.
797:.
763:.
425:(
149:C
104:)
100:(
56:)
52:(
48:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
