OpenBSD Journal

OpenBSD at PacSec

Contributed by jose on from the asia-pacific-tour dept.

If you've been wondering why the postings have been bursty for the past week, it's because I'm at PacSec in Tokyo, along with Theo and Itojun. I spoke yesterday, Itojun spoke this morning about IPv6 security, and Theo is talking this very moment about OpenBSD's anti-exploit technologies.

Slides will be up soon, and your schedule here at deadly will be back to normal soon.
UPDATE: Slides are up. Theo's slides are available in English and in Japanese translation. Itojun's slides are also available now.



Comments
  1. By Anonymous Coward () on

    What crappy slides. I didn't notice any mention of "the subtle concept of mprotect." In fact, I didn't see any discussion of the weaknesses of W^X. I guess Theo wanted people to think it was flawless. Again he spreads the myth that random library ordering is useful. It is not. Theo has apparently never written an exploit before. As for POSIX compliance, I'm pretty certain POSIX specifies that if an mprotect call is made on a certain address range, that only that address range should be affected. Mprotect one of your data mappings executable, and watch everything below that point become executable too. So how about that POSIX compliance, eh? Well, I guess you can get away with a lot of things when you make grand claims and no one bothers to verify them.

    Comments
    1. By Anonymous Coward () on

      Is it that difficult to publish a paper, e.g. in phrack, to point out W^X weaknesses? I don't think these Anonymous Coward comments get noticed.

      Comments
      1. By Anonymous Coward () on

        spender of GR-security already has published the weaknesses. Of course OpenBSD will never point you to them.

        http://grsecurity.net/PaX-presentation_files/frame.htm

        Comments
        1. By Can Erkin Acar () on

          spender of GR-security already has published the weaknesses.

          Thanks for the link, although the content, afaik, is not different from what has been discussed/debated/beaten to death here already. I must say I am a bit disappointed, I expected more technical content...

          Of course OpenBSD will never point you to them.

          I could not find _any_ link to this presentation from either the PaX or the grsecurity pages (or anywhere else). May I ask where (and when and how) this presentation was announced/presented/linked from?

          g-con? Probably, but there are also no links from there.

          Mailing lists? Hmm, no mailing list information on the PaX homepage, nothing useful from google searches either; there is a grsecurity mailing list linked from the grsecurity page, but the archives are _not_ open. Even reading the archives requires subscription. This is where I gave up, end of my time and patience, and NO, I will not subscribe to a list just to read/search the archives.

          Sheesh, and the PaX people complain about the _closed_ development of OpenBSD. They don't even have a public mailing list!

          Contrary to the opinion of the PaX people, OpenBSD developers do not follow PaX mailing lists or such, so how would they be supposed to know about it, much less point it out to others?

          Comments
          1. By gwyllion () on

            I also find it very strange that this presentation was never announced.

            Yesterday I discovered this presentation by accident. I searched google for PaX page exec (to find the official PaX URL) and found grsecurity.urc.bl.ac.yu/PaX-presentation.ppt as the first match. I then looked at the official grsecurity website under papers and saw it wasn't mentioned there. www.grsecurity.net/PaX-presentation.ppt exists as well. Now some Anonymous Coward points us to grsecurity.net/PaX-presentation_files/frame.htm . How are we supposed to know this presentation exists, if it's not announced to the public? I also checked the grsecurity forum, but no official announcement either.

            Comments
            1. By Anonymous Coward () on

              SNAFU's military use comes to mind. ;)

              Systems Normal, All Fucked Up.

          2. By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu

            1. 'no links'

            the grsec site has a 'papers' section:

            http://www.grsecurity.net/papers.php

            2. 'no public mailing list'

            you're comparing apples to oranges, everyone can subscribe to the grsec lists, you can't say the same about the internal OpenBSD mailing lists. as to why browsing is restricted, i don't know, better ask Mr. Spender.

            PS: does anyone know if the pacsec presentation is available in .mgp or whatever format as well?

            Comments
            1. By grey () on

              1. Yup, grsec has a papers section that's linked. Unfortunately the g-con presentation is not yet linked from there. Nice to see it mentioned here though, I've been trying to find g-con presentations as I could not attend, and have come up empty until now.

              2. I think this came up because of previous 'demands' that OpenBSD development lists be open or something. Yes, it's apples to oranges comparing PaX & Grsec with OpenBSD, still seems to be happening a lot on this forum for one reason or another. At any rate, the only non-public forum I'm aware of is the hackers@ mailing list, and from what I hear it's usually pretty trivial stuff [like, travel information for c2k3 like events, that really aren't in the public interest as far as the project goes]. Some people mention icb - but last I checked, the icb service was not filtered or anything, anyone can [and has] accessed it, it being 'private' is therefore a social implication, and not a technical one; and honestly - that's probably how hackers@ is in character.

              PS. Haven't seen any 'raw' mgp version yet - but put in a request or give it some time and I'm sure it would be trivial to have it turn up?

              Comments
              1. By grey () on

                Whoops, must've clicked on the wrong link - the new presentation is there, the rest of my #1 comment about it being good to finally see a g-con (presumably, since it wasn't there before that conf) presentation still stands. Anyone have any updates on that event other than this?

            2. By Can Erkin Acar () on

              the grsec site has a 'papers' section:

              Yes, and the presentation was not there the last time I looked. Funny how things can change in 8 hours :)

              ... as to why browsing is restricted, i don't know, better ask Mr. Spender.

              Although it is probably an oversight of Mr. Spender, the lists are obviously not public right now. Archives are not publicly searchable or browsable, and I stopped "subscribing to unknown lists just in case there is something interesting" a long time ago.

              Comments
              1. By Anonymous Coward () on

                hey retard. funny how you're blind. maybe you can explain why the mirrors have it on their papers section too? or how it's indexed by google? if it appeared within the last 8 hours as you claim. you're full of shit. thank you.

                Comments
                1. By tedu () on

                  surely an open project like grsecurity has a browsable cvs archive of their website available?

                2. By gwyllion () on

                  I think you are full of shit. I checked the first mirror (http://www.uk.grsecurity.net/papers.php) and it doesn't contain a link to this presentation. This proves it was added in the last 8 hours. Now stop insulting people.

                  Comments
                  1. By gwyllion () on

                    BTW if you search google for PaX The Guaranteed End of Arbitrary Code Execution , the name of the presentation, you see that http://grsecurity.net/papers.php was updated 7 nov 2003. Who's blind now?

                  2. By Anonymous Coward () on

                    The first mirror is out of date. Look at ALL the other mirrors. Also, google doesn't update every day. Get your facts straight and stop accusing people you stupid motherfucker.

                    Comments
                    1. By gwyllion () on

                      It appears I was wrong: papers.php was updated Oct 21 09:15 (so just after the g-con 2 conference) and the first mirror, www.uk.grsecurity.net, just isn't up to date.

                      My apologies for this mistake. Apparently I'm not the only one who looked over this entry on the grsecurity website; maybe it happened because the last entry clearly states it contains the presentation slides of LSM2002, while this description is missing for the g-con2 presentation. Sorry.

                      Sorry, but my mother died a few years ago. No use in fucking her now. I'm not into necrophilia.

                    2. By SH () on

                      Your contributions appear to consist mostly of vulgar, immature pissing in other people's forums. Why don't you talk to a counsellor about your personal problems?

          3. By gwyllion () on

            I found a publicly accessible mailing list archive: lists.virus.org

            It doesn't contain an announcement of the presentation either, only an announcement that spender would give a presentation at g-con 2: [grsec] G-Con 2 presentation

        2. By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org

          You've got to love the slant of PaX presentations.

          Of course, it doesn't require you to change the binary format. But duh, it also doesn't protect destructors against write.

          Not surprisingly, you find these points on distinct pages, and no logical link between those...

          As far as mprotect goes, wow. mprotect has GOT to work. If mprotect does not work, you lose a LOT of recent programming languages THAT RELY ON THE POSSIBILITY OF WRITING CODE SOMEWHERE, and then marking the location executable...

          considering I *am* the guy who fixed gcc to handle this correctly for:
          - an extension to C called nested functions;
          - languages such as ada that require this;

          I think I know what I'm talking about.

          Removing this from POSIX gives you a crippled POSIX system. Yes, I know of several crippled POSIX systems. Those pathetic things that are marketed as `POSIX-compliant' to meet the management tag... and cannot compile a real program.

          Comments
          1. By Anonymous Coward () on

            it's funny that you mention destructors. i guess you haven't looked at your 3.4 binaries recently.

            oops?

            btw: you don't know what you're talking about.

            thanks for your time.

            Comments
            1. By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org

              No, I haven't looked at 3.4 binaries recently.
              It might just be that things have gone forward, and still are going forward, as far as these things go.

              Maybe you don't know what's going on in current OpenBSD development ?

          2. By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu

            there's nothing wrong with mprotect() in PaX, it's a kernel configuration time option to enable the related restrictions or not, up to the user whether he does it or not. and no, it's not on by default, in fact, nothing is, every single PaX feature must be explicitly enabled by the user - what distros (or individual users) do with them is another question and is beyond my control of course, although i do recommend the more strict and hence secure setup and to use a userland properly prepared for it (e.g., Adamantix or Hardened Gentoo).

            you're telling me there's a LOT of recent programming languages that generate code at runtime... aha, so would you care to give me a list of said languages and apps that are run on any significant number of systems (so that we can estimate the impact of restricting page protections by default)? off the top of my head, i can't think of a single one (java is already handled in PaX systems). on the other hand i can think of at least one widely used program that you broke for good: XFree86 modules (it's broken for good because you cannot fix the problem without changing XFree86 itself - that's not what i or you call backwards compatible, is it).

            also, you're wrong on why you needed to change the binary format, it is not because of .dtors but because a.out does not allow a non-contiguous memory layout which is what you need under your approach on i386.
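The pattern Espie describes (write code somewhere, then mark that location executable) and the restriction the PaX Team refers to, as an added example in C that is not from the page, OpenBSD or PaX. It assumes an x86-64 or aarch64 host with POSIX mmap/mprotect; the byte encodings of "return 42" are constructed here.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON          /* BSD spelling */
#endif

/* Constructed encoding of "return 42" (assumption: x86-64 or aarch64 host). */
#if defined(__x86_64__)
static const uint8_t ret42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };                 /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t ret42[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };     /* mov w0,#42 ; ret */
#else
#error "add the encoding of 'return 42' for this CPU"
#endif

typedef int (*gen_fn)(void);

/* W^X-friendly runtime code generation: the page is never writable and
 * executable at the same time. Returns what the generated code returns, or
 * -1 if a step fails (for example an execmem policy refusing PROT_EXEC). */
int run_generated_code(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    /* 1. map the page writable, not executable */
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    /* 2. emit the code while the page is only writable */
    memcpy(p, ret42, sizeof ret42);
    /* 3. drop write, add execute: the one transition a code generator needs under W^X */
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return -1;
    }
    __builtin___clear_cache((char *)p, (char *)p + sizeof ret42);  /* required on aarch64 */
    gen_fn f;
    memcpy(&f, &p, sizeof f);   /* sidestep the object-to-function pointer cast warning */
    int r = f();
    munmap(p, len);
    return r;
}

/* The request W^X (and PaX MPROTECT, where enabled) exists to refuse: a page
 * writable and executable at once. Returns 1 if the kernel allowed it, 0 if not. */
int rwx_mapping_allowed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, len);
    return 1;
}
```

On a W^X-enforcing kernel the first function still succeeds while the second reports 0, which is exactly the split Espie is arguing for: the transition must work, the combination need not.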

    2. By DIGITAL MAN () on

      Mprotect one of your data mappings executable, and watch everything below that point become executable too.

      Does this happen only on i386?

    3. By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu

      just one point: POSIX compliance is ok with the OpenBSD i386 W^X approach because POSIX explicitly says nothing about PROT_EXEC support, it's up to the implementation to do what it wants with it, however weird (and in this case, insecure) side effects that may mean.

  2. By Anonymous Coward () on

    I hope Dave Aitel doesn't let Theo get away with spreading lies at the conference. I hope he points out the weaknesses in W^X, since it's clear Theo didn't think it was important to do so.

    Comments
    1. By Anonymous Coward () on

      Is it that difficult to publish a paper, e.g. in phrack, to point out W^X weaknesses? I don't think these Anonymous Coward comments get noticed.

    2. By ann onimous () on

      Dear AC,

      little quote for you:

      It ain't Braggin' if you can back it up--J.Pastorius

      You're Bragging

    3. By tony () tony@libpcap.net on http://libpcap.net

      Dave Aitel? I love that guy. He's funny as a bastard and I love his show Insomniac. I didn't know he was into computers and technology!

      (haha :P)

  3. By Anonymous Coward () on

    I notice that OpenBSD developers always use MagicPoint. What presentation apps work on OpenBSD at this moment apart from MagicPoint? Do OpenOffice and KOffice work? How about running MS Powerpoint on CrossOver Office?

    Comments
    1. By gwyllion () on

      LaTeX works as well ;-)

    2. By mirabile () on

      magicpoint is great.
      xover office doesn't work yet, we lack some
      syscalls in the linuxulator.
      OOo impress might work if you get OOo to work.
      As for koffice, I didn't know it has a presentation
      programme.
      acroread-linux and xpdf are nice, too.

      i prefer magicpoint/bsd xor powerpoint/win,
      though I like the former more.

      bsd spirit: "use the right tool for the job",
      i.e. don't die while getting ppt to work on bsd hard.

    3. By zp () on

      ppower4 is also available in the ports tree.
      It takes a LaTeX presentation in, for example, foiltex class,
      and images in all sorts of formats, including Multiple MetaPost, and using java turns it into a PDF presentation with PowerPoint like effects. You can see examples at http://www-sp.iti.informatik.tu-darmstadt.de/software/ppower4/

      I like this format the best because you can bring your presentation file to any kind of OS. All of them have a PDF viewer -- most likely Acrobat. Yet I develop the presentation on my favourite platform -- UNIX -- using the tools I know the best.

    4. By Anonymous Coward () on

      If you like LaTeX, try prosper. http://prosper.sourceforge.net/

    5. By waldo () waldo@dorkzilla.org on mailto:waldo@dorkzilla.org

      hm... anybody else think it looks like theo used ms comic sans for the font in his slides? ew.

    6. By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org

      MagicPoint works just great. It's simple and gets the work done (in fact, thanks to this presentation, we found out that it needs an extra configure switch for 16 bits truetype fonts).

      One very nice feature of it is using TrueType2, and thus having a large range of very nice, anti-aliased fonts.

      Now, koffice works as well, but speaking for myself, it's much easier and quicker to write presentations with magicpoint.

  4. By Anonymous Coward () on

    PAX: No read-only GOT/PLT/.ctors/.dtors (yet)
    W^X: Read-only GOT/PLT/.ctors/.dtors

    Can someone explain if/when PAX supports "Read-only GOT/PLT/.ctors/.dtors", it won't be copying W^X?

    If someone attended PacSec, did Theo get into the "arms race"? I didn't see any slides mentioning PAX, and they don't deserve the free advertising.

    Comments
    1. By PaX Team () pageexec at freemail.hu on mailto:pageexec at freemail.hu

      this was written around a year ago and published early february or so (section c.1 in particular): http://pageexec.virtualave.net/docs/pax-future.txt
