; in the email he states that "As a result, every new kernel is unique. The relative offsets between functions and data are unique ... change is scaffolding to ensure you boot a newly-linked kernel upon every reboot ... so that a new random kernel can be linked together ... On a fast machine it takes less than a second ... A reboot runs the new kernel, and yet another kernel is built for the next boot. The internal deltas between functions inside the kernel are not where an attacker expects them to be, so he'll need better info leaks".
-based operating system, rely on the existing disk encryption features to encrypt the swap, which often (a) need to be enabled by the user manually, (b) require setup (if disk encryption wasn't chosen during the operating system's installation) which is not as trivial to do as toggling swap encryption on OpenBSD, and (c) use the user-provided password, which users need to remember and could be weak/guessable or even extracted out of the users.)
, and OpenBSD provides an "aperture" driver to limit X's access to memory. However, after work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class." He went on to castigate X developers for "taking their time at solving this > 10-year-old problem." On November 29, 2006, a
low-level memory/hardware access is handled solely by the kernel. Other drivers such as WSFB follow a similar pattern. For this reason, X11 on OpenBSD does not open up low-level memory or hardware access to user/root programs as is done on some other systems, and as was done in the past, which then needed the user to escalate the machdep.allowaperture setting from its default zero setting, to an insecure setting.
integrated in OpenBSD's version of GCC in December 2002, and first made available in OpenBSD 3.3; it was applied to the kernel in release 3.4. The extension works on all the CPU architectures supported by OpenBSD and is enabled by default, so any C code compiled will be protected without user intervention.
configuration option, and doesn't require any prior setup, disk partitioning, or partition-related settings to be done/changed; furthermore, there is no choice of encryption parameters (such as the algorithm or key length to use), as strong parameters are always used. There is no harm and no loss of
function was changed to return memory to the kernel immediately rather than leaving it mapped into the process. A number of additional, optional checks were also added to aid in development. These features make program bugs easier to detect and harder to exploit: instead of memory being corrupted or
and abortion of the process. This has brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer, a type of bug that would previously not be detected directly but can now cause an error. These abilities took more than
continues to work as usual with this feature. This feature is enabled by default in OpenBSD 3.8 (released in November 2005) and later; OpenBSD, as of 2022, remains the only prominent operating system to have swap encrypted by default independently of disk encryption and its user-provided password.
from leaking on to disk, where they can persist for many years, OpenBSD supports encryption of swap space. The swap space is split up into many small regions that are each assigned their own encryption key, which is generated randomly and automatically with no input from the user, held entirely in
OpenBSD is intended to be secure by default, which includes (but is not limited to) having all non-essential services disabled by default. This is done not only so that users need not learn how to secure their computers, and spend time doing so, after installing OpenBSD, but also in the hope of making users
In X11 on OpenBSD, neither the X server nor X clients normally have any escalated direct memory or hardware privileges: When driving X with the Intel(4) or Radeon(4) drivers, these normally interact with the underlying hardware via the Direct Rendering Management(4) kernel interface only, so that
value is placed after local buffers which, when the function exits, can sometimes be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection. It was
was introduced, but enabling it during the installation of OpenBSD had required manual intervention from the user by exiting the installer and entering some commands. Starting from OpenBSD 7.3, the installer supports enabling full disk encryption using a guided procedure, not requiring manual
In a June 2017 email, Theo de Raadt stated that a problem with stable systems was that they could be running for months at a time. Although there is considerable randomization within the kernel, some key addresses remain the same. The project in progress modifies the
functionality with this feature, because the encryption keys used to access swapped processes are only lost when the computer crashes (e.g. power loss), after which all operating systems discard the previous contents of the memory and swap anyway, and because
. It does this through a number of operations: local stack variables are reordered to place buffers after pointers, protecting them from corruption in case of a buffer overflow; pointers from function arguments are also placed before local buffers; and a
) for restricting process capabilities to a minimal subset required for correct operation. If the process is compromised and attempts to perform an unintended behavior, it will be terminated by the kernel. OpenBSD 6.4 introduced the
, a memory management scheme to ensure that memory is either writable or executable, but never both, which provides another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like
system call, which was modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other. In addition, allocation of small blocks in shared areas is now randomized and the
functions. These functions are intended to make it harder for programmers to accidentally leave buffers unterminated or allow them to be overflowed. They have been adopted by the NetBSD and FreeBSD projects but not by the
; as soon as the data in a region is no longer required, OpenBSD discards its encryption key, effectively transforming the data in that region into useless garbage. Toggling this feature can be done using a single
and the development of security features. According to author Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms."
initial sequence numbers and timestamps, and ephemeral source ports. A number of features to increase network resilience and availability, including countermeasures for problems with
and randomized loading of libraries also play a role in increasing the security of the system. Many of these have been applied to the OpenBSD versions of common programs such as
After the discovery of a security vulnerability in X, OpenBSD doesn't support the running of X as a root user and only supports running X via a display manager as a dedicated
are used together to confine applications, further limiting what they're otherwise permitted to do under the user account they're running as. Since the introduction of
allocates more memory by extending the Unix data segment, a practice that has made it difficult to implement strong protection against security problems. The
is integrated into the base operating system and used for verification of all releases, patches, and packages starting with OpenBSD 5.5. In contrast, other
in OpenBSD), applications (handled by their developers), and ports (of applications, handled by the OpenBSD team) have been updated to be confined with
also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including
more aware of security considerations, by requiring them to make conscious decisions to enable features that could reduce their security.
. This makes use of features of the SPARC architecture to help prevent exploitation of buffer overflows. Support for SPARC64 was added to
Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
. Some examples of third-party applications updated with these features (by their developers or in OpenBSD's app ports) include the
, a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet; and
, OpenBSD is one of the few OSes to support this on the generic i386 platform, which lacks built-in per-page execute controls.
into the core operating system. To this end, a number of low-level features are provided, including a source of strong
is included in OpenBSD in an attempt to find other common programming mistakes at compile time. Other security-related
existing in the software, and help the user understand the software better and make more security-educated decisions.
kernel driver was developed that permitted X to run, albeit more slowly, without the use of the aperture driver.
, are found. All occurrences of these functions in the OpenBSD source tree have been replaced. In addition, a
so that on every boot, the kernel is relinked, as well as all other randomizations. This differs from kernel
Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the
. The telnet daemon was completely removed from OpenBSD in 2005 before the release of OpenBSD version 3.8.
The OpenBSD project invented its own utility for cryptographic signing and verification of files,
in relation to various bugs and security breaches detected by the OpenBSD team. This is exemplified by
OpenBSD integrates several technologies to help protect the operating system from attacks such as
, a prominent operating system that's also used as a base for other operating systems, including
One of the goals of the OpenBSD project is the integration of facilities and software for
On February 15, 2014, X was further modified to allow it to run without root privileges.
, but they can also be difficult to understand and easy to misuse, so OpenBSD developers
gcc comes with the 'ProPolice' stack protection extension, which is enabled by default.
"The concerns I had using an existing tool were complexity, quality, and complexity."
Integration of the ProPolice stack protection technology into the system compiler.
requires toggling a configuration setting that is not presented in its user-facing
This is in line with the project's longtime tendency to reduce complexity, and
daemon, in 1999, and features other integrated cryptographic software such as
: "Only two remote holes in the default install, in a heck of a long time!"
During the development cycle of the 3.8 release, changes were made to the
, are also included. The project was the first to disable the plain-text
for release verification, and as of 2022 continue to do so, including:
memory management functions. In traditional Unix operating systems,
ProPolice stack protection has been enabled in the kernel as well.
and some of the default applications are patched to make use of
three years to implement without considerable performance loss.
). These abilities are used throughout OpenBSD, including the
operating systems and security-focused software tend to use
, instead of using existing standards and software such as
platform received further stack protection in the form of
programming language. There are two common alternatives,
and the project's tendency to reduce software complexity.
and transforms; and support for cryptographic hardware (
an invalid access being ignored, they often result in a
, which takes advantage of the CPU-intensive Blowfish
Security features as used in OpenBSD operating system
OpenBSD has a history of providing its users with
in turn, reduce the probability of vulnerabilities
utility, Ted Unangst, wrote in 2015, speaking of
extension designed to protect applications from
implementation now in OpenBSD makes use of the
OpenBSD 5.9 included support for the then–new
memory, and never written to disk except when
apps, and other operating systems, including
To protect sensitive information such as
developed by the OpenBSD project include
has been changed to issue a warning when
password-hashing algorithm derived from
) has some security modifications. The
, a security-focused operating system;
, a specialized operating system for
and software for redundancy, such as
, which has hardware support for the
unsafe string manipulation functions
, base OpenBSD programs (included
daemon in favor of the encrypted
visibility to a minimum level.
OpenBSD Cryptographic Framework
(introduced in OpenBSD 5.8 as
Cryptography and randomization
, an anonymous Web browser;
In OpenBSD 5.3, support for
cryptographic hash functions
In May 2004, OpenBSD on the
Developed by Hiroaki Etoh,
OpenBSD's version of the
, a software program for
OpenBSD 3.4 introduced
and renamed in 5.9 to
intervention anymore.
stack-smashing attacks
on-the-fly encryption
, security research,
. The creator of the
pseudo random numbers
static bounds checker
API and build changes
the project's slogan
privilege revocation
Privilege separation
privilege separation
full disk encryption
full disk encryption
Kernel randomization
reverse engineering
penetration testing
brute-force attacks
strong cryptography
BSD Authentication
segmentation fault
digital forensics
integer overflows
Memory protection
functions in the
111:
110:
63:
62:
2338:
2121:Related projects
2093:Operating system
2077:
2070:
2063:
2054:
2053:
2020:
2019:
2017:
2015:
2001:
1995:
1994:
1992:
1990:
1976:
1970:
1969:
1967:
1965:
1951:
1945:
1944:
1942:
1940:
1920:
1914:
1913:
1911:
1909:
1888:
1882:
1881:
1879:
1877:
1863:
1857:
1856:
1854:
1852:
1837:
1831:
1830:
1828:
1826:
1810:
1804:
1803:
1801:
1799:
1783:
1777:
1776:
1774:
1772:
1759:(May 11, 2006).
1753:
1747:
1746:
1744:
1742:
1728:
1722:
1721:
1719:
1717:
1702:
1696:
1695:
1693:
1691:
1676:
1670:
1669:
1667:
1665:
1651:
1645:
1644:
1642:
1640:
1626:
1620:
1619:
1617:
1615:
1601:
1595:
1594:
1592:
1590:
1576:
1570:
1569:
1558:
1552:
1551:
1549:
1547:
1533:
1527:
1526:
1524:
1522:
1506:
1497:
1496:
1484:(May 25, 2005).
1478:
1472:
1471:
1456:
1450:
1449:
1447:
1445:
1430:
1424:
1423:
1421:
1419:
1405:
1399:
1398:
1396:
1394:
1373:
1367:
1366:
1364:
1362:
1348:
1342:
1341:
1339:
1337:
1323:
1317:
1316:
1314:
1312:
1298:
1292:
1291:
1289:
1287:
1266:
1260:
1259:
1257:
1255:
1240:(June 6, 1999).
1230:
1224:
1223:
1218:
1216:
1202:
1196:
1195:
1193:
1191:
1173:
1167:
1166:
1161:
1159:
1145:
1139:
1138:
1133:
1131:
1117:
1111:
1110:
1105:
1103:
1089:
1083:
1082:
1080:
1078:
1069:. Archived from
1059:
1053:
1051:email 2017-06-13
1048:
1042:
1041:
1039:
1037:
1023:
1017:
1016:
1014:
1012:
998:
992:
991:
989:
987:
971:
965:
964:
962:
960:
944:
938:
937:
935:
933:
918:(June 6, 1999).
911:
905:
904:
902:
900:
886:
880:
879:
877:
875:
861:
855:
854:
852:
850:
836:
830:
829:
805:
799:
798:
774:
765:
764:
744:
719:
715:
707:
703:
699:
692:for restricting
688:
684:
680:
673:
620:
522:
502:
490:
less practical.
On OpenBSD, the
in March 2005.
, and to the
designed the
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.