Software Update: OpenBSD 6.4

A few days ago, the new semi-annual release of OpenBSD came out. on this page a comprehensive list of ftp and http download locations can be found. OpenBSD descends from the original Berkeley Software Distribution and has the characteristic that the developers only want to use open source software. Furthermore, the operating system is known for its excellent documentation and safety. Extensive release notes can be found on this page are being found; Below is an overview of the most important improvements:

BSD Release: OpenBSD 6.4
The project has released OpenBSD 6.4 which includes many driver improvements, a feature which allows OpenSSH’s configuration files to use service names instead of port numbers, and the Clang compiler will now replace some risky ROP instructions with safe alternatives.

Perhaps the most interesting feature is the unveil() system call which allows applications to sandbox themselves, blocking their own access to the file system. This is especially useful for programs which operate on unknown data which may try to exploit or crash the application: “New unveil(2) system call to restrict file system access of the calling process to the specified files and directories. It is most powerful when properly combined with privilege separation and pledge(2).”

Other security improvements include: “Implemented MAP_STACK option for mmap(2); new RETGUARD security mechanism on amd64 and arm64 – use per-function random cookies to protect access to function return instructions, making them harder to use in ROP gadgets…. “