Network Stack Randomness
Ryan McBride
The OpenBSD project has been very aggressive in its use of strong pseudo-random
data in its network code; as a policy, pseudo-random data is used in protocol
fields wherever possible, in many cases in a way not envisioned by the protocol
designers. Randomness is also used within the network code to protect against
denial of service attacks.
This presentation outlines the reasons for this approach, discusses how and
where it is implemented in OpenBSD, and provides examples of attacks which this
approach has mitigated. Performance costs and comparison with the other major
BSDs will be presented.
Why this is important: this approach provides real security benefits. We want people to:
- implement this behaviour and turn it on by default in other operating systems; in particular, the more systems that do this, the fewer applications will come to depend on the broken behaviour,
- point out any other possible randomisations that we have missed.
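In the spirit of the last point, here is a small audit helper, added as an example and not part of the talk or of OpenBSD's code: given identifiers sampled from some protocol field (the sample sequences below are constructed), it reports whether one fixed stride dominates the consecutive differences, which is exactly what a sequential or constant-increment generator leaks to an observer and what a randomised generator should not.

```python
"""Classify an observed sequence of protocol identifiers as fixed-stride
(predictable) or without a dominant stride.  Added example; the sample
sequences are constructed, not captured from any real stack."""
from collections import Counter


def predictability(ids, modulus=1 << 16):
    """Return (share, stride): the fraction of consecutive differences
    (taken modulo the field width, so wrap-around counts as a stride of 1)
    equal to the single most common difference, and that difference.
    A share of 1.0 means every step is the same stride."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    diffs = [(b - a) % modulus for a, b in zip(ids, ids[1:])]
    stride, count = Counter(diffs).most_common(1)[0]
    return count / len(diffs), stride


def classify(ids, modulus=1 << 16, threshold=0.5):
    """Human-readable verdict; threshold is the share of steps that one
    stride must account for before the generator is called predictable."""
    share, stride = predictability(ids, modulus)
    if share >= threshold:
        return f"predictable (stride {stride} in {share:.0%} of steps)"
    return "no dominant stride"


# Constructed samples (hypothetical values, not from any real host).
SEQUENTIAL = list(range(1000, 1020))                 # 16-bit counter
WRAPPING = [65534, 65535, 0, 1, 2]                    # counter crossing 2**16
STRIDE_64000 = [(i * 64000) % (1 << 32) for i in range(20)]  # 32-bit field
RANDOM_LOOKING = [52107, 3391, 44810, 61235, 1029, 27744,
                  9302, 58613, 39985, 15120, 48891, 22657]

if __name__ == "__main__":
    for name, seq, mod in (("sequential", SEQUENTIAL, 1 << 16),
                           ("wrapping", WRAPPING, 1 << 16),
                           ("stride 64000", STRIDE_64000, 1 << 32),
                           ("random-looking", RANDOM_LOOKING, 1 << 16)):
        print(f"{name:15s} {classify(seq, mod)}")
```

A short sample cannot prove a generator is random, only catch the obviously predictable ones; treat "no dominant stride" as "not trivially broken" rather than as a clean bill of health.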