Proactive Security & (re)discovering OpenBSD

(Security-focused research-based Operating System)

OpenBSD — a security-focused & research-based Operating System — started auditing their source code tree in 1996. They combed their source code repository looking for bugs that could lead to security vulnerabilities. The results were hundreds of security bugs found & patched. Thankfully, some of those fixes made it to Linux, FreeBSD and NetBSD. Today, OpenBSD proudly boasts about 2 vulnerabilities in more than 10 years. Code auditing is still on-going !

Software companies today are more than willing to take requests from customers, and develop code that fits the customer’s need. The emphasis is on shipping the code as soon as possible with little regards for code quality, robustness and security. This also affects Open Source projects, where developers are paid to work on specific features that their customers need. Few Open Source companies are interested in proactively looking for security bugs. Those are invisible to their clients, and hard to sell.

In Mid-2015, several security vulnerabilities were found in NTP project. NTP is what takes care of time keeping on the Internet, and is one of the essential services that we all rely upon. I decided to look at the code. I submitted a patch that didn’t add a cool new feature to NTP, or attempted to satisfy a customer’s need. It was a patch to replace a programming interface with a more robust one copied from OpenBSD. I also replaced every instance of the old one with the new one. The patch was committed with some changes by senior NTP developers. To most software developers, that would sound like a boring thing to do.

At the beginning of 2016, I got a mail from a security company saying that they found a security issue in the old programming interface instances that I had replaced. They were issuing a security advisory, and credited me with independently discovering the issue. To be fair, I was not interested in developing exploits for security vulnerabilities that I discovered. I saw a potential security issue and simply fixed it. OpenBSD inspired me.

At my day job, I spend roughly 50% of my time doing security work. I apply the same principles that I learned from OpenBSD. The effort is already paying off. Few software companies have customers asking for OpenBSD experts who can write secure C code. However, many do get customers complaining about the deployed websites getting compromised. What is the relationship between those two ? Well, web developers can learn from the OpenBSD secure code auditing process to improve the security of their websites.

I am not re-inventing the wheel for security at my day job: I am following the decade-old, tried & proven OpenBSD principles.

Loganaden Velvindron is a Research, Development & Support Engineer working at AFRINIC, the African Internet Registry. In his spare time, he enjoys improving the security of infrastructure code for fun. Together with Selven (Pirabarlen CHEENARAMEN), he leads hackers.mu, an organization made up of local Linux & Open Source developers.

(Opinions expressed above are my own)