Developers give OpenBSD to public
By Patrick Gray and Robert Lemos
CNET
May 1, 2003
The latest version of the popular OpenBSD operating system was released today, despite the U.S. Defense Advanced Research Projects Agency's (DARPA) withdrawal last month of funding for the group.
The latest, downloadable release of the open-source, Unix-style operating system includes many tweaks, from security enhancements to improved hardware support.
In a message posted to an OpenBSD list, the developers of the software were keen to point out that under a default configuration, the distribution has an impressive security record.
"We remain proud of OpenBSD's record of seven years with only a single remote hole in the default install," the message stated.
The statement described the software's new security features, the result of a $2.3 million grant from DARPA to the OpenBSD Project. The grant has since been revoked, according to a statement posted on the OpenBSD Web site.
"DARPA suddenly and unexpectedly cancelled funding for OpenBSD R&D through the University of Pennsylvania's POSSE programme," it said.
The OpenBSD team also posted a communication allegedly received from the government agency itself.
"As a result of the DARPA review of the project, and due to world events and the evolving threat posed by increasingly capable nation-states, the Government on April 21 advised the University to suspend work on the 'security fest' portion of the project," it said.
Nevertheless, the new software was released and the enhancements made possible through the grant have filtered through into the current release.
The release includes integration of "the ProPolice stack-protection technology, by Hiroaki Etoh, into the system compiler. This protection is enabled by default," according to Thursday's statement.
The OpenBSD project leader, Theo de Raadt, announced the plan to include stack protection technology--aimed at mitigating buffer overflow vulnerabilities, the most common type of security glitch--at the RSA security conference in San Francisco last month.
De Raadt said at the conference that the OpenBSD group's latest improvements would make causing a buffer overflow extremely difficult, if not impossible.
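How a ProPolice-style guard catches the overrun de Raadt is describing, as an added illustration that is not from the article or from the OpenBSD project's own code: a C model of a stack frame in which a guard word sits between a local buffer and the saved return address, an unchecked copy that can overrun the buffer, and the comparison the compiler inserts at function exit. The guard constant, the frame layout and the function names are assumptions made for the example; the real ProPolice guard is a random value chosen at run time and the frame is laid out by the compiler, not by a struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of a protected frame: the local buffer comes first, then the
   guard word, then the control data (here, a stand-in for the saved return
   address) that an overflow would otherwise reach. ProPolice also reorders
   locals so that arrays sit next to the guard, as modelled here. */
struct frame {
    char buf[16];
    uint32_t guard;
    uintptr_t saved_return;
};

/* Constructed guard value for the example; ProPolice uses a random one so an
   attacker cannot simply write it back. */
#define GUARD_VALUE 0xC0FFEE42u

/* Copies `len` bytes into the frame with no bounds check on `buf` (the defect
   the guard exists to catch), then performs the epilogue check.
   Returns 0 if the guard is intact, 1 if the copy clobbered it, which is the
   point at which ProPolice aborts the process instead of returning. */
int run_with_guard(const char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard = GUARD_VALUE;
    f.saved_return = 0xDEAD0000u;           /* placeholder, not a real address */

    /* Clamp to the frame so the model stays within defined behaviour while
       still letting the write run past the end of buf when len > 16. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy((unsigned char *)&f, input, len);

    return f.guard != GUARD_VALUE;          /* the inserted epilogue check */
}

/* The fix the guard does not replace: a length-checked copy that can never
   reach the guard. Returns 1 if the input had to be truncated, 0 otherwise. */
int copy_bounded(const char *input) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard = GUARD_VALUE;

    size_t n = strlen(input);
    int truncated = n >= sizeof f.buf;
    if (truncated)
        n = sizeof f.buf - 1;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';

    return truncated;
}

int main(void) {
    /* Constructed inputs: one that fits, one that overruns buf into the guard. */
    const char short_input[] = "hello";
    const char long_input[]  = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes */

    printf("short input, guard clobbered: %d\n",
           run_with_guard(short_input, strlen(short_input)));
    printf("long input, guard clobbered:  %d\n",
           run_with_guard(long_input, strlen(long_input)));
    printf("bounded copy truncated:       %d\n", copy_bounded(long_input));
    return 0;
}
```

The guard check only detects the overrun after the fact; it turns a silent overwrite of control data into a crash, which is the "another layer" framing below, and why the length-checked copy is still the actual fix.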
The memory bugs in question have resisted extermination for almost 30 years, and de Raadt said that any claims that an open-source group has eliminated them would need to be tested. However, some attendees at the conference were skeptical.
"It's just adding another layer" to the security, said Nicolas Fischbach, senior manager for security at Colt Telecom, a Swiss communications provider. "It won't make a huge difference, because there are always bugs that are found in software."
As for the DARPA grant, de Raadt said the research conducted by OpenBSD went further than its original scope.
"This really wasn't part of the DARPA grant," he said. "But it happened because the DARPA grant happened."
ZDNet Australia's Patrick Gray reported from Sydney.
Copyright ©2003 CNET Networks, Inc.