{"guid":"88a7a303-c577-4a7b-80eb-c96e344c1db2","title":"A systematic evaluation of OpenBSD's mitigations","subtitle":null,"slug":"36c3-10519-a_systematic_evaluation_of_openbsd_s_mitigations","link":"https://fahrplan.events.ccc.de/congress/2019/Fahrplan/events/10519.html","description":"OpenBSD markets itself as a secure operating system, but doesn't provide much evidence to back this claim. The goal of this talk is to evaluate how effective OpenBSD's security mitigations are, in a systematic, rational and comprehensive way.\n\n\u003ca href=\"https://openbsd.org\"\u003eOpenBSD's website\u003c/a\u003e advertises a secure and modern operating system, with cool and modern mitigations. But no rational analysis is provided: Are those mitigations effective? What is their impact on performance, inspectability and complexity? What are they supposed to defend against? How easy are they to bypass? Were they invented by OpenBSD or by others? Is OpenBSD's reputation warranted?\n\nThis talk aims to answer all those questions, for all of OpenBSD's mitigations, because, in the words of \u003ca href=\"https://twitter.com/ryiron/status/1150924668020203521\"\u003eRyan Mallon\u003c/a\u003e:\n\n\u003cquote\u003eThreat modelling rule of thumb: if you don’t explain exactly what you are securing against and how you secure against it, the answers can be assumed to be: “bears” and “not very well”.\u003c/quote\u003e\n\nFor example, OpenBSD added a \u003ca href=\"https://man.openbsd.org/mmap.2#MAP_STACK\"\u003eMAP_STACK\u003c/a\u003e flag to its \u003ccode\u003emmap\u003c/code\u003e function in 2018, and branded it as a security measure against \"ROPchains\". But this mitigation used to be part of Windows until 2012, and was removed because generic public bypasses existed. 
It has also been implemented on Linux since 2008, but for other reasons :)\n\nAll the research done for this talk is available on \u003ca href=\"https://isopenbsdsecu.re\"\u003eisopenbsdsecu.re\u003c/a\u003e","original_language":"eng","persons":["stein"],"view_count":10151,"promoted":false,"date":"2019-12-29T11:30:00.000+01:00","release_date":"2019-12-29T01:00:00.000+01:00","updated_at":"2026-04-21T15:45:05.596+02:00","tags":["36c3","10519","2019","Security","Main"],"length":3181,"duration":3181,"thumb_url":"https://static.media.ccc.de/media/congress/2019/10519-hd.jpg","poster_url":"https://static.media.ccc.de/media/congress/2019/10519-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2019/10519-hd.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2019/10519-hd.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/36c3-10519-a_systematic_evaluation_of_openbsd_s_mitigations","url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_title":"36C3: Resource 
Exhaustion","conference_url":"https://api.media.ccc.de/public/conferences/36c3","related":[],"recordings":[{"size":null,"length":null,"mime_type":"application/x-subrip","language":"eng","filename":"DRAFT_36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations.en_DRAFT.srt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2022-01-15T16:42:25.999+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/DRAFT_36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations.en_DRAFT.srt","url":"https://api.media.ccc.de/public/recordings/51479","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":453,"length":3181,"mime_type":"video/mp4","language":"eng-deu-fra","filename":"36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_hd-slides.mp4","state":"new","folder":"slides-h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T19:49:40.014+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/slides-h264-hd/36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_hd-slides.mp4","url":"https://api.media.ccc.de/public/recordings/43199","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":217,"length":3181,"mime_type":"video/mp4","language":"eng-deu-fra","filename":"36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-12-29T19:48:46.917+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-sd/36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_sd.mp4","url":"https://api.media.ccc.de/public/recordings/43196","event_url":"https://api.media.ccc.de/public/events/88a7a303-
c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":48,"length":3163,"mime_type":"audio/mpeg","language":"eng","filename":"36c3-10519-eng-A_systematic_evaluation_of_OpenBSDs_mitigations_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2019-12-29T19:47:55.069+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/mp3/36c3-10519-eng-A_systematic_evaluation_of_OpenBSDs_mitigations_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/43193","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":28,"length":3163,"mime_type":"audio/opus","language":"eng","filename":"36c3-10519-eng-A_systematic_evaluation_of_OpenBSDs_mitigations_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2019-12-29T19:47:27.539+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/opus/36c3-10519-eng-A_systematic_evaluation_of_OpenBSDs_mitigations_opus.opus","url":"https://api.media.ccc.de/public/recordings/43191","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":784,"length":3181,"mime_type":"video/webm","language":"eng-deu-fra","filename":"36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T19:47:18.903+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/webm-hd/36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/43190","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"s
ize":268,"length":3181,"mime_type":"video/webm","language":"eng-deu-fra","filename":"36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-12-29T19:41:09.401+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/webm-sd/36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/43175","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":731,"length":3181,"mime_type":"video/mp4","language":"eng-deu-fra","filename":"36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T16:45:15.931+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10519-eng-deu-fra-A_systematic_evaluation_of_OpenBSDs_mitigations_hd.mp4","url":"https://api.media.ccc.de/public/recordings/43129","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":327,"length":3181,"mime_type":"video/mp4","language":"fra","filename":"36c3-10519-fra-A_systematic_evaluation_of_OpenBSDs_mitigations.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T16:44:20.450+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10519-fra-A_systematic_evaluation_of_OpenBSDs_mitigations.mp4","url":"https://api.media.ccc.de/public/recordings/43128","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":327,"length":3181,"mime_type":"video/mp4","language":"deu","fil
ename":"36c3-10519-deu-A_systematic_evaluation_of_OpenBSDs_mitigations.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T16:43:46.337+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10519-deu-A_systematic_evaluation_of_OpenBSDs_mitigations.mp4","url":"https://api.media.ccc.de/public/recordings/43127","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":327,"length":3181,"mime_type":"video/mp4","language":"eng","filename":"36c3-10519-eng-A_systematic_evaluation_of_OpenBSDs_mitigations.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T16:43:14.106+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10519-eng-A_systematic_evaluation_of_OpenBSDs_mitigations.mp4","url":"https://api.media.ccc.de/public/recordings/43126","event_url":"https://api.media.ccc.de/public/events/88a7a303-c577-4a7b-80eb-c96e344c1db2","conference_url":"https://api.media.ccc.de/public/conferences/36c3"}]}
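The MAP_STACK flag named in the talk description, seen from the application side, as an added example; this is not code from the talk, from isopenbsdsecu.re, or from OpenBSD. The program maps an alternate signal stack with MAP_STACK, installs a handler with SA_ONSTACK, and has the handler issue a system call (getpid) while running on that stack. OpenBSD's check fires at system-call entry among other points: if the stack pointer is not inside a MAP_STACK mapping the process is killed, so on OpenBSD the use_map_stack == 0 case (a plain anonymous mapping) would not survive the handler's getpid() call, while on Linux, where the flag is only a hint, both cases succeed. The function name, the 64 KiB stack size, SIGUSR1 as the trigger, and the fallback that defines MAP_STACK as 0 on platforms without the flag are this example's own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_STACK
#define MAP_STACK 0          /* assumption: platform without the flag, plain anonymous mapping */
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#define ALT_STACK_SIZE (64 * 1024)   /* example's choice; comfortably above MINSIGSTKSZ */

static volatile sig_atomic_t handler_ran;
static volatile sig_atomic_t handler_on_altstack;
static void *altstack_base;

/* Runs on the alternate stack because the handler is installed with SA_ONSTACK. */
static void on_sigusr1(int signo) {
    (void)signo;
    char probe;                                   /* lives on the stack we are running on */
    uintptr_t sp = (uintptr_t)&probe;
    uintptr_t lo = (uintptr_t)altstack_base;
    uintptr_t hi = lo + ALT_STACK_SIZE;
    handler_on_altstack = (sp >= lo && sp < hi); /* confirm we really are on the mmap'ed stack */
    /* System call from the alternate stack: this is where OpenBSD kills the process
       if the stack pointer is not inside a MAP_STACK mapping. */
    handler_ran = (getpid() > 0);
}

/* Maps an alternate signal stack (with MAP_STACK when use_map_stack != 0), delivers
   SIGUSR1 to ourselves, and reports whether the handler ran on that stack and completed
   a system call there. Returns 1 on success, 0 on any setup failure. */
int run_handler_on_map_stack(int use_map_stack) {
    int flags = MAP_PRIVATE | MAP_ANONYMOUS | (use_map_stack ? MAP_STACK : 0);
    void *stk = mmap(NULL, ALT_STACK_SIZE, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (stk == MAP_FAILED) return 0;
    altstack_base = stk;
    handler_ran = 0;
    handler_on_altstack = 0;

    stack_t ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_sp = stk;
    ss.ss_size = ALT_STACK_SIZE;
    ss.ss_flags = 0;
    if (sigaltstack(&ss, NULL) != 0) {
        munmap(stk, ALT_STACK_SIZE);
        return 0;
    }

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sa.sa_flags = SA_ONSTACK;                    /* run the handler on the alternate stack */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0) {
        ss.ss_flags = SS_DISABLE;
        sigaltstack(&ss, NULL);
        munmap(stk, ALT_STACK_SIZE);
        return 0;
    }

    raise(SIGUSR1);                              /* synchronous delivery in a single-threaded process */

    /* Restore the default disposition and release the alternate stack. */
    sa.sa_handler = SIG_DFL;
    sa.sa_flags = 0;
    sigaction(SIGUSR1, &sa, NULL);
    ss.ss_flags = SS_DISABLE;
    sigaltstack(&ss, NULL);
    munmap(stk, ALT_STACK_SIZE);

    return handler_ran && handler_on_altstack;
}

int main(void) {
    return run_handler_on_map_stack(1) ? 0 : 1;
}
```

The practical point for code that hands the kernel a stack of its own (alternate signal stacks, coroutine or thread stacks carved out of mmap) is that on OpenBSD the region must be mapped with MAP_STACK, or the first system call made from it ends the process; on Linux the same flag changes nothing, which is the "for other reasons" the description refers to.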