OpenBSD 7.4: Main Improvements and Components Reviewed

A new version of the free Unix-like operating system, OpenBSD 7.4, has been released. OpenBSD was founded in 1995 after a conflict with the NetBSD developers ended with Theo de Raadt being cut off from the NetBSD CVS repository; he then formed a team and created a new open operating system based on the NetBSD source code. The project's primary goals include portability across 13 different platforms, standards compliance, reliability, security, and built-in cryptography. The base-system installation ISO image of OpenBSD 7.4 is 630 MB.

The OpenBSD project is well known for components that have been adopted by other operating systems and are regarded as among the most secure and highest-quality implementations available. Notable components include LibreSSL (an alternative to OpenSSL), OpenSSH, the PF packet filter, the OpenBGPD and OpenOSPFD routing daemons, the OpenSMTPD mail server, the tmux terminal multiplexer (similar to GNU Screen), identd (an implementation of the Ident protocol), mandoc (an alternative to the GNU groff package), CARP (Common Address Redundancy Protocol) for system reliability, a lightweight HTTP server, and the openrsync file synchronization utility.

The latest version of OpenBSD, 7.4, introduces several improvements:

  • Support for updating AMD processor microcode has been added on the amd64 and i386 architectures: new microcode versions are now installed automatically during system boot. A sysutils/firmware/amd port has been created to distribute the binary microcode files, and the fw_update utility installs the updates.
  • IBT (Indirect Branch Tracking, amd64) and BTI (Branch Target Identification, arm64) mechanisms have been added for both the kernel and user space. These mechanisms aim to block exploitation of memory corruption that overwrites function pointers, using dedicated processor instructions (on ARM64, instructions that validate return addresses against signatures stored in the upper bits of pointers). This strengthens the security of the system.
  • The system Clang compiler, as well as Clang and GCC from ports, have been configured to use these protection mechanisms. This significantly hardens the base applications and most applications from ports against exploits that rely on Return-Oriented Programming (ROP) techniques.
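A check that follows naturally from the rebuilt compiler defaults above, as an added example (not code from the OpenBSD project or its release notes): a small sh/awk script that scans an objdump-style disassembly and reports every function whose first instruction is not an IBT/BTI landing pad, so that a binary rebuilt with the new settings can be audited before deployment. The disassembly layout (the `ADDR <symbol>:` header format of `llvm-objdump -d`), the accepted landing-pad instructions and the sample listings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the OpenBSD 7.4 release notes: verify that every
# function in an objdump-style disassembly (assumed "ADDR <symbol>:" headers,
# as printed by llvm-objdump -d) starts with an IBT/BTI landing pad.
# Functions without one are the ones an overwritten function pointer could
# still reach on an IBT/BTI-enforcing CPU.
#   amd64: endbr64 / endbr32
#   arm64: "bti c", "bti jc", or paciasp/pacibsp (implicit landing pads)

# Print the names of functions lacking a landing pad; exit 1 if any are found.
check_landing_pads() {
    awk '
        # "0000000000001139 <safe_fn>:" starts a new symbol
        /^[0-9a-f]+ <[^>]+>:$/ {
            sym = $2; gsub(/[<>:]/, "", sym); expect = 1; next
        }
        # the first non-empty line after the header is the first instruction
        expect && NF > 0 {
            expect = 0; ok = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(endbr64|endbr32|paciasp|pacibsp)$/) ok = 1
            if ($0 ~ /[ \t]bti[ \t]+(c|jc)[ \t]*$/) ok = 1
            if (!ok) { print sym; missing++ }
        }
        END { exit missing ? 1 : 0 }
    ' "$1"
}

# Constructed amd64 sample in objdump layout (not real program output):
# two functions carrying endbr64 and one without it.
sample_amd64() {
    cat <<'EOF'
Disassembly of section .text:

0000000000001139 <safe_fn>:
    1139: f3 0f 1e fa    endbr64
    113d: 55             push   %rbp
    113e: c3             ret

0000000000001150 <unprotected_fn>:
    1150: 55             push   %rbp
    1151: c3             ret

0000000000001160 <also_safe>:
    1160: f3 0f 1e fa    endbr64
    1164: c3             ret
EOF
}

# Constructed arm64 sample: one function with "bti c", one with paciasp
# (an implicit landing pad), and one with neither.
sample_arm64() {
    cat <<'EOF'
0000000000000000 <entry_bti>:
       0: d503245f   bti  c
       4: d65f03c0   ret

0000000000000008 <entry_pac>:
       8: d503233f   paciasp
       c: d65f03c0   ret

0000000000000010 <entry_bare>:
      10: d65f03c0   ret
EOF
}

# Usage: llvm-objdump -d /path/to/binary > dis.txt && sh check_landing_pads.sh dis.txt
if [ $# -gt 0 ]; then
    check_landing_pads "$1"
fi
```

A reported function is not automatically reachable by an attacker (a static function that is never address-taken may legitimately lack a pad when the compiler can prove every call to it is direct), but any function whose address can be taken, including every exported symbol, should carry one when the binary was built with the hardened toolchain described above.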
Sources: reports, release notes, official announcements.