Are the BSD dying?

Berkeley Software Distribution (BSD) open-source versions of UNIX suffer from a lack of scrutiny of their code, and this undermines their security, said Ilja van Sprundel, director of crash testing at IOActive, in late December.

The following article was submitted by Marcos Oliveira, from the website and channel "Terminal Root", and was translated from the source: CSO. It does not necessarily reflect the opinion of the blog or of Marcos on all points.

Intrigued by the small number of BSD kernel vulnerabilities compared to Linux, van Sprundel analyzed the BSD source code in his spare time. "Why are there so few BSD kernel security advisories published every year?" he wanted to know. Are the BSDs so much safer, or is nobody looking?

Van Sprundel says he easily found about 115 kernel bugs across the three BSDs, including 30 in FreeBSD, 25 in OpenBSD, and 60 in NetBSD. Many of these flaws he called "almost ripe fruit". He promptly reported all the security flaws, but six months later, at the time of his talk, many remained unfixed. "Generally speaking, most security flaws in the Linux kernel do not have a long life. They just get found too fast," says van Sprundel. "In BSD, this is not always true. I found several bugs that haven't been fixed yet."

OpenBSD, the safest!

"OpenBSD by far has the most knowledgeable developers when it comes to security," van Sprundel told the audience. For one thing, OpenBSD has a much smaller code base, about 2.9 million lines of code, compared to FreeBSD's 7 million and NetBSD's 7.3 million. "Obviously this is part of it," says van Sprundel. "You can't have an error in code you don't have."

In terms of code quality, van Sprundel also praised the OpenBSD code, though he said that "quality is proportional to problems". However, OpenBSD's relative lack of popularity undermines the operating system's security, he suggested. "Mistakes are still easy to find. If there were more people looking at OpenBSD, there would be more errors."

OpenBSD founder Theo de Raadt agreed with van Sprundel that more analysts looking at OpenBSD would make the operating system more secure. "I remember reading your first slides, which were mostly about the impact of minor API abuse," de Raadt said by email. "Unfortunately, this is a problem of code volume relative to the workforce. Ensuring that all code is 100% error free is very difficult." Van Sprundel also praised OpenBSD's response to the bug findings, saying that de Raadt responded within a week, and OpenBSD fixed the flaws within a few days.

"I communicated with Ilja from the beginning and got our entire team to work on his findings," wrote de Raadt. "We fixed all bugs within a week or so and made patches available for those that were important. In my experience, the only way to be proactive and responsive in a volunteer-driven software project is to never allow yourself to leave a problem for later. Problems should be dealt with as quickly as possible to maintain interest in them."

NetBSD, the most stable!

NetBSD's focus for many years has been to support the widest range of hardware possible. This, however, brings the need to include a large amount of binary-compatibility code, and it has been pointed out that NetBSD appears to be on less stable ground when it comes to security.

NetBSD's response to van Sprundel's bug reports was, surprisingly, both good and bad.

On the one hand, it was said that they "corrected just about every bug submitted, and pretty much overnight!" On the other hand, these patches had still not been shipped to users six months later. "If you do not install the new versions yourself, your NetBSD will still be vulnerable."

"Many of the findings were in the binary compatibility layers, and these are not things that will cause a remote vulnerability anyway," says Taylor R Campbell, member of the board of directors of the NetBSD Foundation. "Someone would need system access anyway to run this code."

While NetBSD is a volunteer open-source project with no full-time developers, Campbell and David Maxwell, a former NetBSD founding board member, are both confident that Argyroudis's pessimism is unfounded. "Our main goal is to have a central system with a clean architecture, so it becomes very easy to access new platforms," says Maxwell. "We will probably continue to be strong in the place that we have been historically." "We're also notoriously bad at marketing," adds Campbell.

FreeBSD, the most advanced!

FreeBSD is the most popular of the three large BSDs and is used by Netflix and WhatsApp, among others. "FreeBSD is currently on par with Linux, or slightly better," says van Sprundel. "Wherever you can deploy Linux, you can say that you can probably also deploy FreeBSD. They are massively deployed in many places."

FreeBSD responded to the 30 kernel bugs in about a week and fixed a few in its source code repository. However, the project issued only a few advisories, and "we don't know about the others," according to van Sprundel.

Ed Maste, director of project development at the FreeBSD Foundation and a member of FreeBSD's elected team, says:

"We started treating some of these as just bugs and not as security issues."

The lack of developers undermines FreeBSD's security, not only in its ability to respond to bug reports, but also in implementing new industry-standard security features, Argyroudis suggests. "FreeBSD is the most popular, most technically advanced BSD, but they don't have as many developers as Linux, and that basically means they're a little behind on security features." "We are able to do a huge amount of work with a much smaller developer base, phenomenal in terms of quantity and quality of work compared to Linux," says Maste.

"The suggestion that our future is somehow undermined by a lack of developers is absolutely false."

Do FreeBSD kernel vulnerabilities affect macOS?

There is a lot of FreeBSD code on the Mac, and the FreeBSD security team coordinates releases with Apple, says van Sprundel. It is not yet clear whether these reported vulnerabilities affect Apple laptops. The Darwin kernel diverged sharply from FreeBSD 15 years ago, and macOS has received much more attention from security researchers over the years.

"When I sent the errors I had to FreeBSD's guys, they asked, 'Do you mind if we send this to the Apple guys?'" said van Sprundel. "So the Apple security team has this list of errors. I have no idea how much this applies to them. There are probably some errors that apply there." Apple did not respond to our request for comment, and Maste declined to speculate, pointing out that only Apple would know the answer to that question. NetBSD's Maxwell is quick to point out that macOS includes code not only from FreeBSD, but also from NetBSD and OpenBSD.

Are the BSD dying?

The BSDs have lost the battle to Linux, and this may well threaten the future sustainability of the BSDs as secure, living operating systems. "Say what you want about the Linux kernel, but the truth is that it has more magnitude," concludes van Sprundel. "Based on my results, code quality alone cannot explain the discrepancy between the bug numbers (BSD versus Linux)."

OpenBSD may be the most likely to survive, although it is much less popular than FreeBSD at the moment, Argyroudis suggests. "I see a greater chance that OpenBSD will survive because it has a more focused use case and targets specific things. FreeBSD, I find it much harder for it to survive than OpenBSD."

Measuring the popularity of the BSDs is difficult, argues Maste. "One of the challenges of trying to measure or quantify the popularity of FreeBSD or other BSDs is that, in many cases, it is used in applications or implementations that are not particularly visible," he says, such as devices or products built on FreeBSD.

The permissive BSD license makes it even harder to quantify the popularity of the BSDs. "For end users, things like code licensing may not matter much," says Maxwell of NetBSD, "but for the people who make embedded systems, for the people who are building products, licensing of the code is very important."

Argyroudis remains pessimistic about the future of the BSDs. "I love the BSD code base," he says, "and I would love to tell you different things, especially about FreeBSD, Linux's biggest rival. Unfortunately, I don't think that's the case. I think this boils down to a lack of developers."

See you next time!
