Here is your last #OpenBSD story before the summer break: that one time OpenSSH was used in a supply-chain attack, before that expression was even coined.

http://miod.online.fr/software/openbsd/stories/trojan.html

By the way, our first two publications on evaluating #OpenBSD mitigations are out. Both of these papers evaluate some amd64 anti-ROP mitigations: specifically changing the register selection order and semantically equivalent rewriting of instructions that may produce a potential polymorphic gadget instruction. This tracks a paper by mortimer@ back in 2019 at AsiaBSDCon.

The TL;DR is "OpenBSD can shrink binaries a little and gain a little performance without any security loss simply by reverting these mitigations." The mitigations did not hold up to independent evaluation.

The first paper did an exact 1:1 port of these mitigations to FreeBSD and found that register reallocation eliminates only about 0.3% of unique gadgets, for a 0.5% increase in binary size (mortimer@ claimed 6% reduction and "entirely free"). It is useless at best but more likely actively detrimental, as it produces a false sense of security. It also found the instruction rewriting reduces unique gadgets by about 3.5% with a binary size increase of about 1.8% (mortimer@ claimed 5% reduction with 0.15% binary size increase).

We then did a separate implementation of the instruction rewriting mitigation to GCC in the second paper. Our GCC implementation does the older <xchg; op; xchg> dance, as that's what mortimer@'s paper described. This is way worse; producing about a 3% performance hit for no security benefit at all.

The only part of both mitigations worth saving is for basic arithmetic, OpenBSD LLVM now takes advantage of the fact that basic arithmetic has two forms. For example, the newer instruction rewriting mitigation turns
addq %rax, %rbx (48 01 c3)
into
{load} addq %rax, %rbx (48 03 d8)

The new instruction rewriting mitigation is genuinely free in terms of binary size and execution speed, but doesn't move the security needle, so this one can stay as it is harmless. Other rewritings still have the flaw of increasing binary size and reducing performance for no security benefit.

Anyhow feel free to read the papers:
https://ieeexplore.ieee.org/abstract/document/11458911
https://www.researchgate.net/publication/405728967_A_Final_Return_for_OpenBSD_Anti-Return-Oriented_Programming_Mitigations

#BSD #FreeBSD #NetBSD #DragonFlyBSD #Linux #Unix #security #cybersecurity

[Kirill's journal]

⇒ OpenBSD under QEMU

Architecture specific notes for OpenBSD guests under QEMU, with working command lines where installation succeeds and failure points where it does not.

• https://kirill.korins.ky/articles/openbsd-under-qemu/

⇒ OpenBSD under QEMU

Architecture specific notes for OpenBSD guests under QEMU, with working command lines where installation succeeds and failure points where it does not.

• https://kirill.korins.ky/articles/openbsd-under-qemu/

(#openbsd #qemu)

New disclosure: CL.TE HTTP request smuggling in OpenBSD relayd.
Latent in relay_http.c since 2012 (OpenBSD 5.2). The body was parsed as chunked but a co-present Content-Length header wasn't stripped before forwarding to backend, contrary to RFC 9112 §6.1.
Found by a targeted source-review pass against the RFC framing rules. Fixed in -current 2026-06-03 in a single commit.
https://stuart-thomas.com/research/relayd-cl-te-smuggling/
#infosec #OpenBSD #vulndisclosure

https://blog.odicforcesounds.com/brutalBSD.html
Just another #Tribute to #OpenBSD with a #creative touch of #Magic #Colors and some #Music to describe OpenBSD Library.

If you don't love my syspatch, you don't deserve my uptime