OpenBSD 6.4 released


Yesterday, Theo de Raadt, the founder of OpenBSD, announced the release of OpenBSD 6.4, a new version of the free and open-source, security-focused operating system.

The most interesting feature in OpenBSD 6.4 is the new unveil() system call, which lets an application sandbox itself by restricting its own access to the file system. This is especially useful for programs that operate on unknown data which may try to exploit or crash the application. OpenBSD 6.4 also includes many driver improvements, and OpenSSH’s configuration files can now use service names instead of port numbers. In addition, the Clang compiler now replaces some instructions that are useful in ROP gadgets with safe alternatives.
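As an added illustration of the unveil() call described above (example code written for this article, not code from the OpenBSD project), the program below exposes one directory read-only and then locks the policy before doing any work on input. The default directory is an assumption, and the stand-in definition of unveil() for non-OpenBSD systems is an assumption that only lets the file compile elsewhere; on OpenBSD the real system call is used.

```c
/* Added example: self-sandboxing with unveil(2). Not OpenBSD project code. */
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* unveil(2) exists only on OpenBSD. This stand-in (an assumption made so the
 * example compiles on other systems) enforces nothing. */
static int unveil(const char *path, const char *permissions)
{
	(void)path;
	(void)permissions;
	return 0;
}
#endif

/* Make `dir` the only visible part of the file system, read-only.
 * Returns 0 on success, -1 with errno set on failure. */
int restrict_to_readonly_dir(const char *dir)
{
	/* Expose `dir` with read permission only ("r"). */
	if (unveil(dir, "r") == -1)
		return -1;
	/* unveil(NULL, NULL) locks the policy: no further unveil calls allowed,
	 * so a later bug or exploit cannot widen the view again. */
	if (unveil(NULL, NULL) == -1)
		return -1;
	return 0;
}

/* Try to open `path` read-only. Returns 1 if it opened, 0 otherwise. */
int can_open(const char *path)
{
	int fd = open(path, O_RDONLY);
	if (fd == -1)
		return 0;
	close(fd);
	return 1;
}

int main(int argc, char *argv[])
{
	/* Default directory is an assumption chosen for the demonstration. */
	const char *dir = argc > 1 ? argv[1] : ".";

	if (restrict_to_readonly_dir(dir) == -1)
		err(1, "unveil");

	/* On OpenBSD, paths outside `dir` now fail to open with ENOENT, as if
	 * they did not exist; `dir` itself is still readable. */
	printf("/etc/passwd visible: %d\n", can_open("/etc/passwd"));
	printf("%s visible: %d\n", dir, can_open(dir));
	return 0;
}
```

Run it on OpenBSD 6.4 with a directory argument and the first line prints 0 while the second prints 1; the order matters, because once unveil(NULL, NULL) has been called the process can never regain access it did not ask for earlier.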

Other features and improvements in OpenBSD 6.4

Improved hardware support

  • The new version includes ACPI support on OpenBSD/arm64 platforms.
  • New acpipci(4/arm64) driver providing support for PCI host bridges based on information provided by ACPI.
  • Added a sensor for port replicator status to acpithinkpad(4).
  • Support for the Allwinner H3 and A64 SoCs in sxitemp(4).
  • New bnxt(4) driver for Broadcom NetXtreme-C/E PCI Express Ethernet adapters based on the Broadcom BCM573xx and BCM574xx chipsets. Enabled on amd64 and arm64 platforms.
  • The radeondrm(4) driver was updated to code based on Linux 4.4.155.

IEEE 802.11 wireless stack improvements

OpenBSD 6.4 has a new ‘join’ feature (managed with ifconfig(8)) with which the kernel automatically switches between different WiFi networks. The ifconfig(8) scan performance has also been improved for many devices.

Generic network stack improvements

A new eoip(4) interface has been added for the MikroTik Ethernet over IP (EoIP) encapsulation protocol. New global IPsec counters are available via netstat(1), and trunk(4) now has LACP administrative knobs for mode, timeout, system priority, port priority, and ifq priority.

Security improvements

OpenBSD 6.4 introduces a new RETGUARD security mechanism on amd64 and arm64. It uses per-function random cookies to protect access to function return instructions, making them harder to use in ROP gadgets. The release also adds a SpectreRSB mitigation and an Intel L1 Terminal Fault mitigation on amd64.

clang(1) includes a pass that identifies common instructions which may be useful in ROP gadgets and replaces them with safe alternatives on amd64 and i386. The Retpoline mitigation against Spectre Variant 2 has been enabled in clang(1) and in assembly files on amd64 and i386. amd64 now uses eager-FPU switching to prevent FPU state information from speculatively leaking across protection boundaries.

Because Simultaneous Multi-Threading (SMT) uses core resources in a shared and unsafe manner, it is now disabled by default. It can be enabled with the new hw.smt sysctl(2) variable.

Audio recording is now disabled by default and can be enabled with a new sysctl(2) variable.

getpwnam(3) and getpwuid(3) no longer return a pointer to static storage but a managed allocation which gets unmapped, so a later access to a stale entry is detected instead of silently reading whatever the next lookup stored.
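The safe way to use these functions is the same on every release: copy the fields you need out of the returned struct passwd before the next lookup, so nothing points into the library's storage. The program below is an added example written for this article (not OpenBSD project code); the user names "root" and "nobody" used as defaults are constructed sample inputs.

```c
/* Added example: copying getpwnam(3) results so no stale pointer survives.
 * Not OpenBSD project code. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct user_info {
	char name[64];
	char home[256];
	uid_t uid;
};

/* Look up `name` and copy the result into `out`.
 * Returns 0 on success, -1 if the user is unknown or a field does not fit.
 * After return, nothing in `out` points at getpwnam's buffer, so it stays
 * valid across later getpwnam()/getpwuid() calls.
 *
 * The pattern OpenBSD 6.4 now catches is keeping `pw` (or pw->pw_name) and
 * reading it after another lookup: on older releases the pointer silently
 * shows the other user's entry; on 6.4 the earlier allocation has been
 * unmapped, so the stale read faults at once instead of going unnoticed. */
int lookup_user(const char *name, struct user_info *out)
{
	struct passwd *pw = getpwnam(name);
	if (pw == NULL)
		return -1;
	/* snprintf reports the length needed; refuse rather than truncate. */
	if (snprintf(out->name, sizeof(out->name), "%s", pw->pw_name)
	    >= (int)sizeof(out->name))
		return -1;
	if (snprintf(out->home, sizeof(out->home), "%s", pw->pw_dir)
	    >= (int)sizeof(out->home))
		return -1;
	out->uid = pw->pw_uid;
	return 0;
}

/* Convenience wrapper: the uid of `name`, or -1 if there is no such user. */
long uid_of(const char *name)
{
	struct user_info u;
	if (lookup_user(name, &u) == -1)
		return -1;
	return (long)u.uid;
}

int main(int argc, char *argv[])
{
	struct user_info a, b;
	/* Constructed sample inputs; override on the command line. */
	const char *first = argc > 1 ? argv[1] : "root";
	const char *second = argc > 2 ? argv[2] : "nobody";

	if (lookup_user(first, &a) == -1 || lookup_user(second, &b) == -1) {
		fprintf(stderr, "lookup failed\n");
		return 1;
	}
	/* `a` is still correct here even though a second lookup has happened. */
	printf("%s: uid=%ld home=%s\n", a.name, (long)a.uid, a.home);
	printf("%s: uid=%ld home=%s\n", b.name, (long)b.uid, b.home);
	return 0;
}
```

Code that instead stores the `struct passwd *` in a long-lived structure (a connection table, a cached "current user" pointer) is exactly what the new unmapping behaviour turns from a silent wrong-user bug into an immediate crash, which is much easier to find in testing.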

sshd(8) includes improved defence against user enumeration attacks.

To know more about the other features in detail, head over to the OpenBSD 6.4 release log.
