Archive for May, 2008

Security is a process - Debian SSL flaw illustrates this

Thursday, May 29th, 2008

I saw the following quote in a post on the Security Focus website regarding the bug in Debian and Debian-derived distros:

The latest flaw was introduced in the system because developers removed a line of code that had caused warnings about the use of uninitialized data when any program was linked to the OpenSSL library, [HD] Moore said.

It got me thinking back on the days when I was reading software engineering material like there was no tomorrow…

When I see a flaw like this, I think of all the areas where the flaw should have been caught prior to release:

  • Code reviews, especially of critical/security systems
  • Change/configuration control
  • Testing

Though at one point in my life, I had visions of pure, mature software development processes being followed without fail in software shops around the world, I’ve come to believe that dream is a myth.

But for the love of god and all that is holy, if you are going to edit software that’s at the center of a security product or pipeline, you should be doing so within the realm of strict process.

I know there are a lot of developers out there who are editing code without much regard for process, but I urge you, think…

I urge every developer to take some time to refresh their understanding of what good software process is. Though you may not follow it at the organizational level, we, as individuals, can bring some quality to what we do.

Here are a few of my favorites:

Read as many books in the fields of software process, lifecycle, engineering, testing as you can.  Don’t forget configuration control.

Bill

OpenBSD - Episode 3 - Installing applications

Tuesday, May 20th, 2008

Installing applications

Out of the box, there’s no nifty graphical package installer in OpenBSD.

Installation can be performed by two methods:
1) The traditional method of building from source and installing
2) Downloading and installing pre-built binaries from CD or over the Web

For my experimenting, I’ll be installing binaries.

Though the absence of a graphical package manager may seem a bit burdensome, the reality is that OpenBSD, IMHO, is best suited for a server environment where the number of installed packages should be quite small.

The bare-bones install of OpenBSD is very thin, requiring little more than is needed to get the host to boot a kernel.

From a security perspective, this is a bonus. Smaller install set = smaller attack surface.

The other thing I like is that it’s pretty easy to script the installation of packages, greatly simplifying the process of creating standard builds for web servers, database servers, etc.

Purchasing copies of the CDs helps to support the project, and packages can be installed directly from CD.

I don’t have the CDs, so I’ll be installing from the Web.

The overall process is pretty straightforward:
1) Select an FTP mirror
2) Identify the package(s) to install
3) Use the pkg_add command to install

From scratch, here’s the process for installing the latest pre-built nmap package:

# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/index.txt
100% |**************************************************| 105 KB 00:01
# grep nmap index.txt
nmap-4.53.tgz
nmap-zenmap-4.53.tgz
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/nmap-4.53.tgz
lua-5.1.2p1: complete
libdnet-1.10p2: complete
nmap-4.53: complete
# nmap -p80 localhost

Starting Nmap 4.53 ( http://insecure.org ) at 2008-05-20 04:18 EDT
Interesting ports on bsdvm.localdomain (127.0.0.1):
PORT STATE SERVICE
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.334 seconds
#

For some reason, I was having trouble connecting to FTP servers… I kept getting the following error:
435 Can’t build data connection: illegal port number

I suspect the reason is the network I’m on, but who knows.

I also found that many of the mirrors didn’t have the latest 4.3 builds, which may not be too surprising as 4.3 was released only a few weeks ago.
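The scripted build mentioned earlier, as an added example (this is not code from the original post): a POSIX sh script that resolves each wanted package against the mirror's index.txt before anything is installed, so a mirror that has not yet synced the 4.3 packages fails the build up front rather than half-way through a pkg_add run. The mirror URL, the package names in the demo and the sample index listing are assumed or constructed; only install_set touches the network (OpenBSD's ftp(1) with -o to save the index, then pkg_add by full URL, as the post does by hand).

```shell
#!/bin/sh
# Scripted package install for a standard OpenBSD 4.3 build.
# Added example, not from the original post. MIRROR and the package list are
# assumed values; ftp and pkg_add are only run by install_set, so resolve_pkg
# and missing_pkgs can be exercised offline against the constructed index below.

MIRROR=${MIRROR:-ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386}
PKG_ADD=${PKG_ADD:-pkg_add}      # PKG_ADD="echo pkg_add" gives a dry run

# resolve_pkg NAME INDEX
# Print the tarball in INDEX named exactly NAME-<version>.tgz. index.txt on the
# mirrors is an ls -l style listing, so the file name is the last field (this
# also works on a bare list of names). A literal prefix compare is used instead
# of a regex so names such as gtk+2 are safe, and the version part must start
# with a digit and contain no '-', which excludes subpackages and flavours such
# as nmap-zenmap-4.53.tgz. If several versions are listed the last one in sort
# order is taken; check that by hand when it matters.
resolve_pkg() {
    awk -v p="$1-" '
        { f = $NF }
        substr(f, 1, length(p)) == p && substr(f, length(p) + 1) ~ /^[0-9][^-]*\.tgz$/ { print f }
    ' "$2" | sort | tail -n 1
}

# missing_pkgs INDEX NAME...
# Print each NAME that does not resolve; return 1 if any is missing.
missing_pkgs() {
    index=$1; shift
    rc=0
    for n in "$@"; do
        if [ -z "$(resolve_pkg "$n" "$index")" ]; then
            echo "$n"
            rc=1
        fi
    done
    return $rc
}

# install_set NAME...
# Fetch the mirror index, refuse to start if any package is missing, then
# install each one by its full URL.
install_set() {
    index=$(mktemp) || return 1
    ftp -V -o "$index" "$MIRROR/index.txt" || { rm -f "$index"; return 1; }
    if ! missing_pkgs "$index" "$@"; then
        echo "aborting: the packages above are not on $MIRROR" >&2
        rm -f "$index"
        return 1
    fi
    for n in "$@"; do
        $PKG_ADD "$MIRROR/$(resolve_pkg "$n" "$index")" || { rm -f "$index"; return 1; }
    done
    rm -f "$index"
}

# Constructed sample of a mirror index.txt (ls -l style); sizes and dates are made up.
SAMPLE_INDEX=$(mktemp)
cat > "$SAMPLE_INDEX" <<'EOF'
-rw-r--r--  1 root  wheel  6146834 Mar  1 11:54:56 2008 nmap-4.53.tgz
-rw-r--r--  1 root  wheel  1304152 Mar  1 11:54:56 2008 nmap-zenmap-4.53.tgz
-rw-r--r--  1 root  wheel   120344 Mar  1 11:54:56 2008 libdnet-1.10p2.tgz
-rw-r--r--  1 root  wheel  4713220 Mar  1 11:54:56 2008 gtk+2-2.12.7.tgz
EOF

echo "nmap resolves to: $(resolve_pkg nmap "$SAMPLE_INDEX")"
echo "pre-flight for an assumed web server set (php5-core is deliberately absent from the sample):"
missing_pkgs "$SAMPLE_INDEX" nmap libdnet php5-core || echo "  -> build would be aborted"
```

For a real build, `install_set nmap ...` with the wanted names does the whole job. pkg_add can also resolve bare names itself when PKG_PATH points at the mirror; the reason for checking index.txt first is to fail before a single package has been installed, which matters when you are stamping out identical servers.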

Identifying what is installed

Ok, so now I know how to install, how do I tell what’s on my box?

The pkg_info command will list all packages installed on the host.

For example:

# pkg_info
atk-1.20.0p0 accessibility toolkit used by gtk+
cairo-1.4.14 vector graphics library
desktop-file-utils-0.14p1 utilities for 'desktop' entries
...

For further information on a package, you can:

# pkg_info <pkg name>

This will give detailed information about a package, including its full version (if it can be determined) and any dependencies…

For example:

# pkg_info tiff
Information for inst:tiff-3.8.2p0

Comment:
tools and library routines for working with TIFF images

Required by:
gtk+2-2.12.7

Description:
This software provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.


...

Maintainer: The OpenBSD ports mailing-list <ports@openbsd.org>
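As an added example (not from the original post), the plain pkg_info listing shown above can be turned into an inventory check for the standard builds mentioned earlier: record the package set of a freshly built host as a baseline, then diff later runs against it so anything added, removed or upgraded outside the build script shows up. The two listings below are constructed in the format the post shows (name-version followed by the package comment); the nmap comment is made up.

```shell
#!/bin/sh
# Installed-package inventory check for a standard OpenBSD build.
# Added example, not from the original post. The pkg_info output format assumed
# here is the one shown in the post: "name-version comment", one package per line.

# inventory [FILE]
# Print the sorted name-version list from pkg_info output. Reads FILE if given
# (a saved listing or baseline), otherwise runs pkg_info on this host.
inventory() {
    if [ -n "$1" ]; then
        awk '{ print $1 }' "$1"
    else
        pkg_info | awk '{ print $1 }'
    fi | sort
}

# drift BASELINE_FILE [CURRENT_FILE]
# Print "+name-version" for packages present now but not in the baseline and
# "-name-version" for baseline entries that are gone. An upgrade shows up as
# one "-" and one "+" line because the version is part of the name.
# Return 0 when the host matches the baseline exactly, 1 otherwise.
drift() {
    b=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$b"; return 1; }
    inventory "$1" > "$b"
    inventory "$2" > "$c"
    out=$( comm -13 "$b" "$c" | sed 's/^/+/'; comm -23 "$b" "$c" | sed 's/^/-/' )
    rm -f "$b" "$c"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed baseline (as recorded on the freshly built host) and a later
# listing on which nmap has been added and cairo removed.
BASELINE=$(mktemp)
cat > "$BASELINE" <<'EOF'
atk-1.20.0p0 accessibility toolkit used by gtk+
cairo-1.4.14 vector graphics library
tiff-3.8.2p0 tools and library routines for working with TIFF images
EOF

CURRENT=$(mktemp)
cat > "$CURRENT" <<'EOF'
atk-1.20.0p0 accessibility toolkit used by gtk+
nmap-4.53 port scanner (constructed comment)
tiff-3.8.2p0 tools and library routines for working with TIFF images
EOF

echo "drift against baseline:"
drift "$BASELINE" "$CURRENT" || echo "  -> host differs from the standard build"
```

On a real host, `inventory > baseline.txt` right after the build script finishes records the baseline, and `drift baseline.txt` (with no second argument) compares the live pkg_info output against it; a non-zero exit makes it easy to wire into a cron job or a pre-deployment check.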

The documentation is quite extensive, and I recommend reading the FAQ and the man pages.

I certainly haven’t made it through all the documentation yet :)

Next time, getting Apache, PHP, and MySQL running…

Bill

OpenBSD - Episode 2 - Getting up and running

Wednesday, May 14th, 2008

I’ve heard that getting OpenBSD installed and running can be intense.

I reserve judgment until I am able to actually try the installation a few times on bare metal.

For now, I want to set this puppy up in a virtual machine.

Here’s my rig:

  • HP Pavilion DV5224nr Laptop with AMD Turion 64 Mobile, 2 GHz processor with 1 GB Ram.
  • Microsoft Windows XP (32bit) Professional, fully patched.
  • VMWare Server 1.0.5 build 80187

Ok, so I’m ready to go.

Doing some quick Googling, I came across a very good, short OpenBSD on VMWare how-to by Jan Exß.

I downloaded the latest OpenBSD (4.3) installer ISO from one of the many mirrors. There were many iso images, the file I nabbed was openbsd-install43.iso.

Then I got down to work using Jan’s recommended settings.

I followed the instructions pretty much 100% with a few exceptions. Notably, I didn’t install all the packages he described on the Installation page. I also set up the NIC a little differently.

I wanted the install to be relatively thin, and I also wanted to reserve some packages out so that I can get experience with installing them later, when the excitement wears off.

In the end, I completed all the tasks up to the top of the Applications page.

Reboot, and presto! OpenBSD 4.3.

OpenBSD 4.3 Splash Screen

Sweet.

I banged around in the terminal a bit, just enough to realize that things weren’t as different as I thought they’d be.

I know the machine isn’t doing much at the moment, but I’m surprised how fast it responds considering it’s only allocated 512 MB ram, and is running in a VM…

Current impression: Sweet! This hasn’t been as challenging as I thought it would be. Let’s see how things go from here.

Stay tuned for the next episode - Installing Applications…

OpenBSD - Episode 1

Monday, May 12th, 2008

OpenBSD

For years I’ve heard about the mythical OpenBSD.

While getting my Master’s Degree in Information Security, one of my professors remarked, “Out of the box, OpenBSD is widely considered to be the most secure operating system.”

The home page of the OpenBSD site clearly and proudly claims: “Only two remote holes in the default install, in more than 10 years!”

Sounds impressive. Secunia shows that of the 189 advisories it reported from 2003 to 2008 for Microsoft Windows XP Professional, 61% were remote exploits.

Sixty-one percent! That’s 115 in just over 4 years!

The skeptic in me says, well, how many OpenBSD installs are there, relative to the number of XP installs. The bigger the install base, the more attractive the target.

But still. The seed had been planted.

I needed to try this thing out for myself!

I’ve toyed around with Linux since the late 90’s, but hadn’t used a Unix system since before that.

I have been stuck in Microsoft shops since ‘99 :/

But the power of virtualization has now made it possible for me to kick the tires of this mythical beast, and see how it responds.

In my next post, getting up-and-running with OpenBSD and VMWare Server.

For those who can’t wait, here’s my browser’s User Agent:
Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.8.1.12) Gecko/20080310 Firefox/2.0.0.12
So, it works :)