The World's Most Secure Operating System

August 17, 2000 |

The cartoon character on Theo de Raadt's business card is surprisingly uncuddly. Most upstart software projects employ cute mascots -- Linux's bemused penguin, for example -- but de Raadt, project leader for the open-source operating system OpenBSD, favors a smirking, muscular demon clad in policeman's garb. The fiend brandishes a badge reading: "OpenBSD: To Serve and Protect."

This satanic cop may not make a great stuffed animal, but he's a fitting symbol of de Raadt's singular aim -- to create the world's most secure operating system. Coded by hundreds of volunteers worldwide, the freely downloadable OpenBSD is hailed by security buffs as close to uncrackable; it has been over three years, for example, since a vulnerability was found in the system's default installation. The airtight security is the product of a labor-intensive approach that many experts feel should become standard. De Raadt and his cohorts are not only motivating the nascent open-source industry to rethink its basic security policies, they've honed a set of principles that promise to make all systems -- open source or not -- safer.

"OpenBSD is probably one of the most secure operating systems out there," says Chris Brenton, author of Mastering Network Security. "The crew does a fantastic job of locking down and being responsive when vulnerabilities are found." Such a good job that the U.S. Department of Justice uses 260 copies of OpenBSD to store and transmit its most sensitive data.

Like other projects bearing the BSD moniker, OpenBSD traces its origins to the University of California at Berkeley. (The acronym stands for Berkeley Software Distribution.) Unhappy with Unix's clunkiness, the school's programmers started tweaking the code in the late 1970s to create several variants, culminating with the release of 4.4 BSD-Lite in 1994. Legal wrangles with AT&T (T) , the original Unix developer, forced the university to abandon the project, but open-source devotees picked up the slack.

De Raadt began experimenting with BSD code during his student days at the University of Calgary. Along with several friends, he created an open-source project called NetBSD in 1993; his friends booted him from the project the following year. In archived e-mail, his former colleagues claim he was guilty of "rudeness toward and abuse of users and developers." De Raadt denies those allegations.

De Raadt used NetBSD's code as the foundation for the OpenBSD project, which he formed in 1995. After his machine was hacked by a colleague in 1996, he adopted a security tactic that has become the project's trademark: "proactive auditing."

Over an 18-month period, a team of 10 volunteers vetted OpenBSD's entire source code -- all 350 megabytes -- weeding out thousands of bugs. Though most were ordinary programming mistakes rather than flaws in security features, such glitches are exactly what attackers exploit: a "buffer overflow," for instance, feeds a program more input than the memory it set aside for it, so the excess spills over and overwrites neighboring data, letting the attacker crash the program or take control of it. Denial-of-service tools and other elementary hacking techniques prey on the same kind of sloppiness. For two years, de Raadt worked 14-hour days, seven days a week to debug his system. Despite his notoriously prickly personality, de Raadt also has managed to attract a legion of collaborators to help him build OpenBSD.
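To show the kind of bug such an audit hunts for, here is an added example in C. It is not OpenBSD code; it is a made-up greeting routine in which the caller's name is assumed to arrive from an untrusted source such as a network request. The first version copies into a fixed-size buffer with no length check, which is the classic buffer overflow. The second bounds the copy by the destination size and refuses input that would not fit. The bounded-copy helper mirrors the behavior of strlcpy, an interface OpenBSD introduced, but is reimplemented locally so the example builds on any C compiler.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenBSD code. 'name' is assumed to be attacker-
 * controlled input (e.g. read from a socket). */

/* BEFORE: fixed buffer, unbounded copy. A name longer than 15 bytes
 * overruns 'greeting' and clobbers whatever follows it on the stack. */
void greet_unsafe(const char *name)
{
    char greeting[16];
    strcpy(greeting, name);               /* no length check at all */
    printf("hello, %s\n", greeting);
}

/* AFTER, step 1: a copy bounded by the destination size that always
 * NUL-terminates. Returns strlen(src), like strlcpy (an OpenBSD
 * interface, reimplemented here), so the caller can detect truncation
 * by comparing the result against dstsize. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* AFTER, step 2: refuse oversized input outright (returns -1) rather
 * than silently truncating it, which can itself become a bug. */
int greet_safe(const char *name, char *out, size_t outsize)
{
    if (bounded_copy(out, name, outsize) >= outsize)
        return -1;
    return 0;
}

int main(void)
{
    char buf[16];
    greet_unsafe("theo");                 /* fits, so no harm this time */
    if (greet_safe("theo", buf, sizeof buf) == 0)
        printf("hello, %s\n", buf);
    /* constructed oversized input: 40 'A's, longer than buf */
    if (greet_safe("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                   buf, sizeof buf) != 0)
        printf("rejected: name too long for %zu-byte buffer\n", sizeof buf);
    return 0;
}
```

The audit described in the article consists largely of finding every call like the one in greet_unsafe and replacing it with a bounded variant whose return value the caller actually checks; the hardened version is not cleverer, just more careful.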

"It's security through quality," says de Raadt, who runs the project out of his Calgary home, surviving on donations and proceeds from T-shirt sales. "It's like in airplanes, [where] safety is a side effect of good engineering."

A sincere passion for technological tinkering motivates de Raadt. Though he lives modestly, his house is bursting with wall-to-wall hardware. He owns over a dozen computers, and his basement is so jammed with Unix machines that several acquaintances have requested guided tours.

OpenBSD's proactive approach is unique among open-source systems, which normally rely on user reports and public forums to find vulnerabilities. The Linux security philosophy, for example, can be summed up as "more eyes means better security" -- that is, since the source code is open to peer review, bugs will be quickly spotted and patched.

De Raadt scoffs at that credo. Most reviewers of open-source code, he says, are amateurs. "These open-source eyes that people are talking about, who are they?" he asks. "Most of them, if you asked them to send you some code they had written, the most they could do is 300 lines long. They're not programmers."

Proactive auditing is the key to OpenBSD's vaunted security. Many security professionals would like to see the model duplicated elsewhere, especially in Linux offshoots struggling to seize market share from notoriously buggy Microsoft (MSFT) products.

"I'm surprised there's not a version of Linux out there that has grown supersecure," says Ron Gula, chief technology officer for Network Security Wizard, a developer of intrusion detection systems who says that Linux developers could augment its security using de Raadt's painstaking methods.

OpenBSD is designed to be "secure by default." Most comparable operating systems, by contrast, come out of the box with insecure settings, such as network services switched on that the user never asked for. Last year, for example, when hundreds of servers running Red Hat (RHAT) Linux were compromised by buffer overflow attacks, the company blamed system administrators for failing to reconfigure the defaults.

"Linux distributions tend to take the approach of throwing everything possible onto the default install, which leads to a clueless user ending up with a highly insecure operating system," says Matt Barringer of WireX Communications, a vendor of software solutions for Linux server appliances. "OpenBSD takes the opposite approach, by only including the essential and not allowing, by default, services that may not be essential -- FTP, for instance."

The secure-by-default policy is also a stress reliever for veteran administrators. "The 10 percent [of these users] who do know how to secure their machines, they get bored with it," says de Raadt. "It's no more exciting than ditch digging. OpenBSD means they can get along with their day-to-day jobs."

Unlike its American counterparts, which until July were bound by strict encryption-export laws, the Canadian-based OpenBSD ships with built-in encryption. (In a subtle display of Maple Leaf pride, labels on OpenBSD discs read: "Made in Canada -- Land of Free Cryptography.") The latest version includes OpenSSH, which encrypts remote logins so that "sniffers" watching the network cannot read users' passwords in transit.

While it's ideal for security-sensitive tasks, such as running firewalls or data warehousing applications, OpenBSD is probably not the best option for desktops. "Linux is more flexible than OpenBSD, which is a direct result of OpenBSD being more focused on security," says Brenton. "As you lock things down, you lose functionality."

De Raadt sounds unconcerned about customer satisfaction. "I don't pay attention to who's using it," he says. "We don't write OpenBSD for the people, we write it for ourselves. If people end up getting benefits from it, that's great."

Nevertheless, the system is catching on in corporate America. The project doesn't track the number of free downloads or CD-ROMs purchased, but a rough estimate places the number of users in the tens of thousands. Potential investors regularly contact de Raadt with offers of financial backing, he notes, but he has rebuffed them all: "I talked to a venture capitalist a couple of weeks ago. I ended up convincing him to just give us a donation."

De Raadt has devoted himself to OpenBSD with a mathematician's love of constructing elegant systems. He fears that commercialization could compromise security, since bottom-line-obsessed executives would be tempted to skimp on time-consuming audits. Even worse, those image-conscious suits might force de Raadt to abandon his fearsome business-card mascot in favor of something more huggable. For now, the demonic policeman is safe.
