Yesterday, the founder of OpenBSD, Theo de Raadt announced the release of a new version of its free and open-source security-focused OS, OpenBSD 6.4.
The interesting feature in the OpenBSD 6.4 is the unveil() system call, which allows applications to sandbox themselves, blocking their own access to the file system. This is especially useful for programs which operate on unknown data which may try to exploit or crash the application. OpenBSD 6.4 also includes many driver improvements, which allow OpenSSH’s configuration files to use service names instead of port numbers. Also, the Clang compiler will now replace some risky ROP instructions with safe alternatives.
The OpenBSD 6.4 has a new ‘join’ feature (managed with ifconfig(8)) using which the kernel manages automatic switching between different WiFi networks. Also, the ifconfig(8) scan performance has been improved for many devices.
Addition of a new eoip(4) interface for the MikroTik Ethernet over IP (EoIP) encapsulation protocol. Also, new global IPsec counters are available via netstat(1). The trunk(4) now has LACP administrative knobs for mode, timeout, system priority, port priority, and ifq priority.
OpenBSD 6.4 introduces a new RETGUARD security mechanism on amd64 and arm64. Here, one can use per-function random cookies to protect access to function return instructions, making them harder to use in ROP gadgets. It also includes an added SpectreRSB mitigation on amd64 and an added Intel L1 Terminal Fault mitigation on amd64.
clang(1) includes pass that identifies common instructions which may be useful in ROP gadgets and replaces them with safe alternatives on amd64 and i386. The Retpoline mitigation against Spectre Variant 2 has been enabled in clang(1) and in assembly files on amd64 and i386. The amd64 now uses eager-FPU switching to prevent FPU state information speculatively leaking across protection boundaries.
Simultaneous MultiThreading (SMT) uses core resources in a shared and unsafe manner, it is now disabled by default. It can be enabled with the new hw.smt sysctl(2) variable.
The audio recording feature is now disabled by default and can be enabled with the new kern.audio.record sysctl(2) variable.
The getpwnam(3) and getpwuid(3) no longer return a pointer to static storage but a managed allocation which gets unmapped. This allows detection of access to stale entries.
sshd(8) includes improved defence against user enumeration attacks.
To know more about the other features in detail, head over to the OpenBSD 6.4 release log.
KUnit: A new unit testing framework for Linux Kernel
The kernel community attempting to make Linux more secure
I remember deciding to pursue my first IT certification, the CompTIA A+. I had signed…
Key takeaways The transformer architecture has proved to be revolutionary in outperforming the classical RNN…
Once we learn how to deploy an Ubuntu server, how to manage users, and how…
Key-takeaways: Clean code isn’t just a nice thing to have or a luxury in software projects; it's a necessity. If we…
While developing a web application, or setting dynamic pages and meta tags we need to deal with…
Software architecture is one of the most discussed topics in the software industry today, and…