-
Notifications
You must be signed in to change notification settings - Fork 8
/
innovations.html
704 lines (692 loc) · 37.8 KB
/
innovations.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
<!doctype html>
<html lang=ru>
<meta charset=utf-8>
<title>OpenBSD: Инновации</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/innovations.html">
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
Инновации
</h2>
<hr>
<p>
Это список программ и идей, разработанных или поддерживаемых проектом
OpenBSD, отсортированный в порядке их появления.
O некоторых из них можно больше узнать благодаря
<a href="https://www.openbsd.org/events.html">докладам</a>.
<hr>
<h3>Концепты</h3>
<ul>
<li><a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a>:
Started by John Ioannidis, Angelos D. Keromytis, Niels Provos, and
Niklas Hallqvist, imported February 20, 1997. OpenBSD was the first
free operating system to provide an IPSec stack.
<li><a href="https://man.openbsd.org/inet6.4">inet6(4)</a>:
First complete integration and adoption of IPv6 led by
"Itojun" (Dr. Junichiro Hagino) [WIDE/KAME], Craig Metz [NRL], and
Angelos D. Keromytis starting Jan 6, 1999.
Almost fully operational Jun 6, 1999 during the
<a href="hackathons.html">first OpenBSD hackathon</a>.
OpenBSD 2.7.
<li><strong>Privilege separation</strong>:
First implemented by
<a href="http://www.citi.umich.edu/u/provos/ssh/privsep.html">Niels Provos</a>
and Markus Friedl in OpenSSH in March 2002, released with OpenBSD 3.2.
The concept is now used in many OpenBSD programs, for example
<a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
<a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>,
<a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>,
<a href="https://man.openbsd.org/dvmrpd.8">dvmrpd(8)</a>,
<a href="https://man.openbsd.org/eigrpd.8">eigrpd(8)</a>,
<a href="https://man.openbsd.org/file.1">file(1)</a>,
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a>,
<a href="https://man.openbsd.org/iked.8">iked(8)</a>,
<a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>,
<a href="https://man.openbsd.org/ldpd.8">ldpd(8)</a>,
<a href="https://man.openbsd.org/mountd.8">mountd(8)</a>,
<a href="https://man.openbsd.org/npppd.8">npppd(8)</a>,
<a href="https://man.openbsd.org/ntpd.8">ntpd(8)</a>,
<a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a>,
<a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a>,
<a href="https://man.openbsd.org/pflogd.8">pflogd(8)</a>,
<a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>,
<a href="https://man.openbsd.org/relayd.8">relayd(8)</a>,
<a href="https://man.openbsd.org/ripd.8">ripd(8)</a>,
<a href="https://man.openbsd.org/script.1">script(1)</a>,
<a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>,
<a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>,
<a href="https://man.openbsd.org/tmux.1">tmux(1)</a>,
<a href="https://man.openbsd.org/xconsole.1">xconsole(1)</a>,
<a href="https://man.openbsd.org/xdm.1">xdm(1)</a>,
<a href="https://man.openbsd.org/Xserver.1">Xserver(1)</a>,
<a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>,
<a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>,
etc.
<li><strong>Privilege revocation</strong>:
Related to the work on privilege separation, some programs were refactored
to drop privileges while holding onto a tricky resource such as a raw socket,
reserved port, or modification-locked bpf(4) descriptor,
for example
<a href="https://man.openbsd.org/ping.8">ping(8)</a>,
<a href="https://man.openbsd.org/traceroute.8">traceroute(8)</a>,
etc.
<li><strong>Stack protector</strong>:
Developed since 2001 as "propolice" by Hiroaki Etoh. Integrated, and
implemented for additional hardware platforms, by Federico G. Schwindt,
Miod Vallat and Theo de Raadt. OpenBSD 3.3 was the first operating
system to enable it systemwide by default.
<li><strong>W^X</strong>:
First used for sparc, sparc64, alpha, and hppa in OpenBSD 3.3.
Strictly enforced by default since OpenBSD 6.0: a program can only
violate it if the executable is marked with <code>PT_OPENBSD_WXNEEDED</code>
and it is located on a filesystem mounted with the <code>wxallowed</code>
<a href="https://man.openbsd.org/mount.8">mount(8)</a> option.
<li><strong>GOT and PLT protection</strong> by ld.so:
first done as part of the W^X work in OpenBSD 3.3, by Dale Rahn and
Theo de Raadt. The GOT and PLT regions are read-only outside of ld.so
itself. Extended to the .init/.fini sections (constructors and
destructors) in OpenBSD 3.4.
<li><strong>ASLR</strong>:
OpenBSD 3.4 was the first widely used operating system to
provide it by default.
<li><a href="https://man.openbsd.org/gcc-local.1">gcc-local(1)</a>
__attribute__((__bounded__)) static analysis annotation
and checking mechanism:
Started by Anil Madhavapeddy on June 26, 2003
and ported to GCC 4 by Nicholas Marriott.
First released with OpenBSD 3.4.
<li><a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
randomization implemented by Thierry Deval. Guard pages and randomized (delayed) free added by Ted Unangst.
Reimplemented by <a href="http://www.openbsd.org/papers/eurobsdcon2009/otto-malloc.pdf">Otto Moerbeek</a>
for OpenBSD 4.4.
<li><strong>Position-independent executables (PIE)</strong>:
OpenBSD 5.3 was the first widely used operating system to enable it
globally by default, on seven hardware platforms.
Implemented in November 2008 by
<a href="https://www.openbsd.org/papers/nycbsdcon08-pie/">Kurt Miller</a>
and enabled by default by
<a href="https://www.openbsd.org/papers/asiabsdcon2015-pie-slides.pdf">Pascal Stumpf</a>
in August 2012.
<li><strong>Random-data memory</strong>:
the ability to specify that a variable should be initialized
at load time with random byte values (placed into a new ELF
<b>.openbsd.randomdata</b> section) was implemented in
OpenBSD 5.3 by Matthew Dempsky.
<li><strong>Stack protector per shared object</strong>:
using the random-data memory feature, each shared object was given its
own stack protector cookie in OpenBSD 5.3 by Matthew Dempsky.
<li><strong>Static-PIE</strong>:
Position-independent static binaries for /bin, /sbin and ramdisks.
Implemented for OpenBSD 5.7 by Kurt Miller and Mark Kettenis.
<li><strong>SROP</strong>
(<a href="https://man.openbsd.org/sigreturn.2">sigreturn(2)</a>
oriented programming) mitigation: attacks researched by
<a href="https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf">Eric Bosman</a>
and Herbert Bos in 2014, solution implemented by Theo de Raadt in May 2016,
enabled by default since OpenBSD 6.0.
<li><strong>Library order randomization</strong>:
In <a href="https://man.openbsd.org/rc.8">rc(8)</a>, re-link
<code>libc.so</code>, <code>libcrypto</code>, and <code>ld.so</code>
on startup, placing the objects in a random order.
Theo de Raadt and Robert Peichaer, May 2016,
enabled by default since OpenBSD 6.0 and 6.2.
<li>Kernel-assisted lazy-binding for W^X safety in multi-threaded programs.
A new syscall <a href="https://man.openbsd.org/kbind.2">kbind(2)</a>
permits lazy-binding to be W^X safe in multi-threaded programs.
Implemented for OpenBSD 5.9 by Philip Guenther in July 2015.
<li>Process layouts in memory tightened to remove execute permission from
all segmented, non-instruction data and to remove write permission from
data that is only modified during loading and relocation.
By combining the RELRO (Read-Only after Relocation) design from the
GNU project with the original ASLR work from OpenBSD 3.3 and
strict lazy-binding work from OpenBSD 5.9, this is applied to not
just a subset of programs and libraries but rather to all programs
and libraries.
Implemented for OpenBSD 6.1 by Philip Guenther in August 2016.
<li>Use of <strong>fork+exec in privilege separated programs</strong>. The
strategy is to give each process a fresh & unique address space for
ASLR, stack protector -- as protection against address space discovery attacks.
Implemented first by
Damien Miller (<a href="https://man.openbsd.org/sshd.8">sshd(8)</a> 2004),
Claudio Jeker (<a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, 2015),
Eric Faurot (<a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>, 2016),
Rafael Zalamena (various, 2016), and others.
<li><strong>trapsleds</strong>:
Reduction of incidental NOP instructions/sequences in the instruction
stream which could be useful potentially for ROP attack methods to
inaccurately target gadgets. These NOP sequences are converted into
trap sequences where possible. Todd Mortimer and Theo de Raadt, June
2017.
<li><strong>Kernel relinking at boot</strong>:
the .o files of the kernel are relinked in random order from a
link-kit, before every reboot. This provides substantial interior
randomization in the kernel's text and data segments for layout and
relative branches/calls. Basically a unique address space for each
kernel boot, similar to the userland fork+exec model described above
but for the kernel. Theo de Raadt, June 2017.
<li>Rearranged i386/amd64 register allocator order in
<a href="https://man.openbsd.org/clang.1">clang(1)</a>
to reduce polymorphic RET instructions:
Todd Mortimer, November 20, 2017.
<li>Reencoding of i386/amd64 instruction sequences to avoid
embedded polymorphic RET instructions. Enhancements to
<a href="https://man.openbsd.org/clang.1">clang(1)</a>
Todd Mortimer, April 28, 2018 and onwards.
<li><b>MAP_STACK</b> addition to
<a href="https://man.openbsd.org/mmap.2">mmap(2)</a>
allows opportunistic verification that the stack-register
points at stack memory, therefore catching pivots to non-stack
memory (sometimes used in ROP attacks).
Theo de Raadt, April 12, 2018.
<li><b>RETGUARD</b> is a replacement for the <b>stack-protector</b>
which uses a per-function random cookie (located in the read-only ELF
<b>.openbsd.randomdata</b> section) to consistency-check the
return address on the stack. Implemented for amd64 and arm64
by Todd Mortimer in OpenBSD 6.4, for mips64 in OpenBSD 6.7, and
powerpc/powerpc64 in OpenBSD 6.9. amd64 system call stubs also
protected in OpenBSD 7.3.
<li><b>MAP_CONCEAL</b> addition to
<a href="https://man.openbsd.org/mmap.2">mmap(2)</a>
disallows memory pages to be written to core dumps, preventing
accidental exposure of private information.
Theo de Raadt, Mark Kettenis and Scott Soule Cheloha,
February 2, 2019.
<li>Similar to the opportunistic verification in <b>MAP_STACK</b>,
system-calls can no longer be performed from PROT_WRITE memory.
Theo de Raadt, June 2, 2019.
<li>System calls may only be performed from selected code regions
(main program, ld.so, libc.so, and sigtramp). The libc.so region
is setup by <a href="https://man.openbsd.org/msyscall.2">msyscall(2)</a>.
Theo de Raadt, November 28, 2019.<br>
This mechanism was removed because later work on immutable memory +
pinned system calls was even better.
<li>Permissions (RWX, MAP_STACK, etc) on address space regions can be
made immutable, so that <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>,
<a href="https://man.openbsd.org/mprotect.2">mprotect(2)</a> or
<a href="https://man.openbsd.org/munmap.2">munmap(2)</a> fail with
EPERM. Most of the program static address space is now automatically
immutable (main program, ld.so, main stack, load-time shared libraries,
and dlopen()'d libraries mapped without RTLD_NODELETE). Programmers
can request non-immutable static data using the "openbsd.mutable" section,
or manually bring immutability to (page aligned heap objects) using
<a href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a>.
Theo de Raadt, Dec 4, 2022.
<li>sshd random relinking at boot. Theo de Raadt. Jan 18, 2023.
<li>Some architectures now have non-readable code ("xonly"), both from
the perspective of userland reading its own memory, or the kernel
trying to read memory in a system call. Many sloppy practices in
userland code had to be repaired to allow this. The linker option
<b>--execute-only</b> is enabled by default. In order of
development: arm64, riscv64, hppa, amd64,
powerpc64, powerpc (G5 only), octeon.
sparc64 (sun4u only, unfinished).
Mark Kettenis, Theo de Raadt, Visa Hankala, Miod Vallat,
Dave Voutila, George Koehler in kernel and base, and
Theo Buehler, Robert Nagy, Christian Weisgerber in ports.
Dec 2022 - Feb 2023, still ongoing.
<li>On all architectures which lack hardware-enforcement of xonly,
system calls are now prevented from reading (via copyin/copyinst)
inside the program's main text, ld.so text, sigtramp text, or
libc.so text.
Theo de Raadt, Jan 2023.
<li>Architectures which lack xonly mmu-enforcement can still benefit
from switching to --execute-only binaries if the cpu generates
different traps for instruction-fetch versus data-fetch. The
VM system will not allow memory to be read before it was
executed which is valuable together with library relinking.
Architectures switched over include loongson.
Theo de Raadt, Feb 2023.
<li>ld.so and crt0 register the location of the
<a href="https://man.openbsd.org/execve.2">execve(2)</a>
libc syscall stub with the kernel using
<a href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>,
after which the kernel only accepts an execve call from that
specific location. Theo de Raadt, Feb 2023. Made redundant by
<a href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a>
which handles all system calls.
<li>Mandatory enforcement of indirect branch targets (BTI on arm64,
IBT on Intel amd64), unless a linker flag (-Wl,-z,nobtcfi) requests
no enforcement.
<li>The kernel and ld.so register the precise entry location of
every system call used by a program, as described in the
new ELF section <b>.openbsd.syscalls</b> inside ld.so and
libc.so. ld.so uses the new syscall
<a href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a>
to tell the kernel the precise entry location of system calls in libc.so.
Since all syscall entries are now known to the kernel, the
pininsyscall(SYS_execve) interface becomes redundant.
<a href="https://man.openbsd.org/msyscall.2">msyscall(2)</a> mechanism
also becomes redundant (and is removed a bit later), because immutable
memory + pinsyscalls together are cheaper and more effective targeting.
Theo de Raadt, Jan 2024.
<li><b>-fret-clean</b> is a clang extension that, upon return from a function
cleans the return value off the stack (one of many information leaks which
can be used to determine where functions in a different DSO reside).
The kernel, libc, libcrypto, and ld.so(1) are compiled with this option.
amd64 only, for now.
</ul>
<h3>Функции в C</h3>
<ul>
<li><a href="https://man.openbsd.org/issetugid.2">issetugid(2)</a>:
Theo de Raadt, August 25, 1996, OpenBSD 2.0
<li><a href="https://man.openbsd.org/arc4random.3">arc4random(3)</a>:
David Mazieres, December 28, 1996, OpenBSD 2.1
<li><a href="https://man.openbsd.org/bcrypt.3">bcrypt(3)</a>:
Implemented by <a href="https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node1.html">Niels Provos and David Mazieres</a>
Imported February 13, 1997 and first released with OpenBSD 2.1.
<li><a href="https://man.openbsd.org/strlcpy.3">strlcpy(3)</a>,
<a href="https://man.openbsd.org/strlcat.3">strlcat(3)</a>:
Todd Miller and Theo de Raadt, July 1, 1998, OpenBSD 2.4
<li><a href="https://man.openbsd.org/strtonum.3">strtonum(3)</a>:
Ted Unangst, Todd Miller, and Theo de Raadt, May 3, 2004, OpenBSD 3.6
<li><a href="https://man.openbsd.org/imsg_init.3">imsg</a>:
Message passing API, written by Henning Brauer.
In libutil since May 26, 2010, OpenBSD 4.8;
used by various daemons before that.
<li><a href="https://man.openbsd.org/timingsafe_bcmp.3">timingsafe_bcmp(3)</a>:
Damien Miller, July 13, 2010, OpenBSD 4.9
<li><a href="https://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a>:
Ted Unangst and Matthew Dempsky, January 22, 2014, OpenBSD 5.5
<li><a href="https://man.openbsd.org/ohash_init.3">ohash</a>:
Written and maintained by Marc Espie.
In libutil since May 12, 2014, OpenBSD 5.6;
used by make(1) and m4(1) before that.
<li><a href="https://man.openbsd.org/asr_run.3">asr</a>:
Replacement resolver written and maintained by Eric Faurot.
Imported April 14, 2012; activated on March 26, 2014, OpenBSD 5.6.
<li><a href="https://man.openbsd.org/reallocarray.3">reallocarray(3)</a>:
Theo de Raadt and Ted Unangst, April 22, 2014, OpenBSD 5.6
<li><a href="https://man.openbsd.org/getentropy.2">getentropy(2)</a>:
Matthew Dempsky and Theo de Raadt, June 13, 2014, OpenBSD 5.6
<li><a href="https://man.openbsd.org/sendsyslog.2">sendsyslog(2)</a>:
Theo de Raadt, July 10, 2014, OpenBSD 5.6
<li><a href="https://man.openbsd.org/timingsafe_memcmp.3">timingsafe_memcmp(3)</a>:
Matthew Dempsky, July 13, 2014, OpenBSD 5.6
<li><a href="https://man.openbsd.org/pledge.2">pledge(2)</a>:
Theo de Raadt, July 19, 2015, OpenBSD 5.9
<li><a href="https://man.openbsd.org/getpwnam_shadow.3">getpwnam_shadow(3)</a>,
<a href="https://man.openbsd.org/getpwuid_shadow.3">getpwuid_shadow(3)</a>:
Ted Unangst and Theo de Raadt, November 18, 2015, OpenBSD 5.9
<li><a href="https://man.openbsd.org/recallocarray.3">recallocarray(3)</a>:
Otto Moerbeek, Joel Sing and Theo de Raadt, March 6, 2017, OpenBSD 6.1
<li><a href="https://man.openbsd.org/freezero.3">freezero(3)</a>:
Otto Moerbeek, April 10, 2017, OpenBSD 6.2
<li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a>:
Theo de Raadt and Bob Beck, July 13, 2018, OpenBSD 6.4
<li><a href="https://man.openbsd.org/malloc_conceal.3">malloc_conceal(3)</a>
and
<a href="https://man.openbsd.org/calloc_conceal.3">calloc_conceal(3)</a>:
Otto Moerbeek, May 10, 2019, OpenBSD 6.5
<li><a href=https://man.openbsd.org/ober_read_elements.3>ober</a>:
ASN.1 basic encoding rules API, written by Claudio Jeker and
Reyk Flöter, maintained by Rob Pierce and Martijn van Duren;
started in 2006/07, moved to libutil on May 11, 2019, OpenBSD 6.6
</ul>
<h3>Программы и подсистемы</h3>
<ul>
<li><a href="https://man.openbsd.org/ypbind.8">ypbind(8)</a>,
<a href="https://man.openbsd.org/ypset.8">ypset(8)</a>,
<a href="https://man.openbsd.org/ypcat.1">ypcat(1)</a>,
<a href="https://man.openbsd.org/ypmatch.1">ypmatch(1)</a>,
<a href="https://man.openbsd.org/ypwhich.1">ypwhich(1)</a>,
and libc support: Started by Theo de Raadt.
Imported April 26, 1993 and first released with NetBSD 0.9.
<li><a href="https://man.openbsd.org/ypserv.8">ypserv(8)</a>:
Started by Mats O. Jansson in 1994.
Imported October 23, 1995 and first released with OpenBSD 2.0.
<li><a href="https://man.openbsd.org/mopd.8">mopd(8)</a>:
Started by Mats O. Jansson in 1993.
Imported September 21, 1996 and first released with OpenBSD 2.0.
<li><a href="anoncvs.html">AnonCVS</a>:
Designed and implemented by Chuck Cranor and Theo de Raadt in 1995
(<a href="http://www.openbsd.org/papers/anoncvs-paper.pdf">paper</a>,
<a href="http://www.openbsd.org/papers/anoncvs-slides.pdf">slides</a>)
<li><a href="https://man.openbsd.org/aucat.1">aucat(1)</a>:
Started by Kenneth Stailey.
Imported January 2, 1997 and first released with OpenBSD 2.1.
Now maintained by Alexandre Ratchov.
<li><a href="https://www.openssh.com/">OpenSSH</a>
including <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/scp.1">scp(1)</a>,
<a href="https://man.openbsd.org/sftp.1">sftp(1)</a>,
<a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
<a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>:
Started by Aaron Campbell, Bob Beck, Dug Song, Markus Friedl,
Niels Provos, and Theo de Raadt
as a fork of SSH 1.2.12 by Tatu Ylonen.
Imported September 26, 1999 and first released with OpenBSD 2.6.
Now maintained by Markus Friedl, Damien Miller, Darren Tucker, and
Theo de Raadt.
<li><a href="https://man.openbsd.org/mg.1">mg(1)</a>:
Started by Dave Conroy in November 1986.
Imported February 25, 2000 and first released with OpenBSD 2.7.
Now maintained by Mark Lumsden.
<li><a href="https://man.openbsd.org/m4.1">m4(1)</a>:
Originally implemented by Ozan Yigit and Richard A. O'Keefe for 4.3BSD-Reno.
Considerably extended and maintained by Marc Espie since 1999.
<li><a href="https://man.openbsd.org/pf.4">pf(4)</a>,
<a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>,
<a href="https://man.openbsd.org/pflogd.8">pflogd(8)</a>,
<a href="https://man.openbsd.org/authpf.8">authpf(8)</a>,
<a href="https://man.openbsd.org/ftp-proxy.8">ftp-proxy(8)</a>:
Started by Daniel Hartmeier as a replacement for the non-free ipf by
Darren Reed. Imported June 24, 2001 and first released with OpenBSD
3.0. Now maintained by Henning Brauer.
<li><a href="https://man.openbsd.org/OpenBSD-5.9/systrace.4">systrace(4)</a>,
<a href="https://man.openbsd.org/OpenBSD-5.9/systrace.1">systrace(1)</a>:
Started by Niels Provos.
Imported June 4, 2002 and first released with OpenBSD 3.2.
Deleted after OpenBSD 5.9 because
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a> is even better.
<li><a href="https://man.openbsd.org/spamd.8">spamd(8)</a>:
Written by Bob Beck. Imported December 21, 2002 and first released with
OpenBSD 3.3.
<li><a href="https://man.openbsd.org/dc.1">dc(1)</a>:
Written and maintained by Otto Moerbeek.
Imported September 19, 2003 and first released with OpenBSD 3.5.
<li><a href="https://man.openbsd.org/bc.1">bc(1)</a>:
Written and maintained by Otto Moerbeek.
Imported September 25, 2003 and first released with OpenBSD 3.5.
<li><a href="https://man.openbsd.org/sensorsd.8">sensorsd(8)</a>:
Started by Henning Brauer.
Imported September 24, 2003 and first released with OpenBSD 3.5.
Reworked by Constantine A. Murenin.
<li><a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>:
Written and maintained by Marc Espie.
Imported October 16, 2003 and first released with OpenBSD 3.5.
<li><a href="https://man.openbsd.org/carp.4">carp(4)</a>:
Written by Mickey Shalayeff, Markus Friedl, Marco Pfatschbacher,
and Ryan McBride.
Imported October 17, 2003 and first released with OpenBSD 3.5.
<li><a href="https://www.openbgpd.org/">OpenBGPD</a>
including <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
and <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>:
Written and maintained by Henning Brauer and Claudio Jeker,
and also maintained by Peter Hessler.
Imported December 17, 2003 and first released with OpenBSD 3.5.
<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>:
Started by Ted Lemon and Elliot Poger in 1996.
Imported January 18, 2004 and first released with OpenBSD 3.5.
Reworked by Henning Brauer.
Now maintained by Kenneth Westerback.
<li><a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>:
Started by Ted Lemon in 1995.
Imported April 13, 2004 and first released with OpenBSD 3.6.
Reworked by Henning Brauer.
Now maintained by Kenneth Westerback.
<li><a href="https://man.openbsd.org/hotplugd.8">hotplugd(8)</a>:
Started by Alexander Yurchenko.
Imported May 30, 2004 and first released with OpenBSD 3.6.
<li><a href="https://www.openntpd.org/">OpenNTPD</a>
including <a href="https://man.openbsd.org/ntpd.8">ntpd(8)</a>
and <a href="https://man.openbsd.org/ntpctl.8">ntpctl(8)</a>:
Written and maintained by Henning Brauer.
Imported May 31, 2004 and first released with OpenBSD 3.6.
Portable version maintained by Brent Cook.
<li><a href="https://man.openbsd.org/dpb.1">dpb(1)</a>:
Started by Nikolay Sturm on August 10, 2004; first available for OpenBSD 3.6.
Rewritten and maintained by Marc Espie since August 20, 2010.
<li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a>,
<a href="https://man.openbsd.org/ospfctl.8">ospfctl(8)</a>:
Started by Esben Norby and Claudio Jeker.
Imported January 28, 2005 and first released with OpenBSD 3.7.
<li><a href="https://man.openbsd.org/ifstated.8">ifstated(8)</a>:
Started by Marco Pfatschbacher and Ryan McBride.
Imported January 23, 2004 and first released with OpenBSD 3.8.
<li><a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>:
Started by Marco Peereboom.
Imported March 29, 2005 and first released with OpenBSD 3.8.
<li><a href="https://man.openbsd.org/hostapd.8">hostapd(8)</a>:
Written by Reyk Flöter.
Imported May 26, 2005 and first released with OpenBSD 3.8.
<li><a href="https://man.openbsd.org/watchdogd.8">watchdogd(8)</a>:
Started by Marc Balmer.
Imported August 8, 2005 and first released with OpenBSD 3.8.
<li><a href="https://man.openbsd.org/sdiff.1">sdiff(1)</a>:
Written by Ray Lai.
Imported December 27, 2005 and first released with OpenBSD 3.9.
<li><a href="https://man.openbsd.org/dvmrpd.8">dvmrpd(8)</a>,
<a href="https://man.openbsd.org/dvmrpctl.8">dvmrpctl(8)</a>:
Started by Esben Norby.
Imported June 1, 2006 and first released with OpenBSD 4.0.
<li><a href="https://man.openbsd.org/ripd.8">ripd(8)</a>,
<a href="https://man.openbsd.org/ripctl.8">ripctl(8)</a>:
Started by Michele Marchetto.
Imported October 18, 2006 and first released with OpenBSD 4.1.
<li><a href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>:
Started by Chris Kuethe and Marc Espie.
Imported November 27, 2006 and first released with OpenBSD 4.1.
Now maintained by Jasper Lievisse Adriaanse.
<li><a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
with <a href="https://man.openbsd.org/relayctl.8">relayctl(8)</a>:
Started by Pierre-Yves Ritschard and Reyk Flöter.
Imported December 16, 2006 and first released with OpenBSD 4.1.
Now maintained by Sebastian Benoit.<br>
<li><a href="https://man.openbsd.org/cwm.1">cwm(1)</a>:
Started by <a href="https://monkey.org/~marius/cwm/README">Marius
Aamodt Eriksen</A> in 2004.
Imported April 27, 2007 and first released with OpenBSD 4.2.
Now maintained by Okan Demirmen.
<a href="https://github.com/chneukirchen/cwm">Portable version</a>
maintained by Leah Neukirchen.
<li><a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a>,
<a href="https://man.openbsd.org/ospf6ctl.8">ospf6ctl(8)</a>:
Started by Esben Norby and Claudio Jeker.
Imported October 8, 2007 and first released with OpenBSD 4.2.
<li><a href="https://man.openbsd.org/libtool.1">libtool(1)</a>:
Written by Steven Mestdagh and Marc Espie.
Imported October 28, 2007 and first available for OpenBSD 4.3.
Now maintained by Marc Espie, Jasper Lievisse Adriaanse,
and Antoine Jacoutot.
<li><a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>:
Started by Reyk Flöter.
Imported December 5, 2007 and first released with OpenBSD 4.3.
Now maintained by Martijn van Duren.
<li><a href="https://man.openbsd.org/sysmerge.8">sysmerge(8)</a>:
Written and maintained by Antoine Jacoutot,
originally forked from mergemaster by Douglas Barton.
Imported April 22, 2008, first released with OpenBSD 4.4.
<li><a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>:
Started by Pierre-Yves Ritschard.
Imported June 26, 2008 and first released with OpenBSD 4.4.
<li><a href="https://www.opensmtpd.org/">OpenSMTPD</a>
including <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
<a href="https://man.openbsd.org/smtpctl.8">smtpctl(8)</a>,
<a href="https://man.openbsd.org/makemap.8">makemap(8)</a>:
Started by Gilles Chehade.
Imported November 1, 2008 and first released with OpenBSD 4.6.
Now maintained by Gilles Chehade and Eric Faurot.
<li><a href="https://tmux.github.io/">tmux</a>,
<a href="https://man.openbsd.org/tmux.1">tmux(1)</a>:
Started in 2007 and maintained by Nicholas Marriott.
Imported June 1, 2009, first released with OpenBSD 4.6.
<li><a href="https://man.openbsd.org/ldpd.8">ldpd(8)</a>,
<a href="https://man.openbsd.org/ldpctl.8">ldpctl(8)</a>:
Started by Michele Marchetto.
Imported June 1, 2009 and first released with OpenBSD 4.6.
Now maintained by Claudio Jeker.
<li><a href="https://mdocml.bsd.lv/">mandoc</a>
including <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>,
<a href="https://man.openbsd.org/man.1">man(1)</a>,
<a href="https://man.openbsd.org/apropos.1">apropos(1)</a>,
<a href="https://man.openbsd.org/makewhatis.8">makewhatis(8)</a>,
<a href="https://man.openbsd.org/man.cgi.8">man.cgi(8)</a>:
Started by Kristaps Dzonsons in November 2008.
Imported April 6, 2009, first released with OpenBSD 4.8.
Now maintained by Ingo Schwarze.
<li><a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>,
<a href="https://man.openbsd.org/ldapctl.8">ldapctl(8)</a>:
Written by Martin Hedenfalk.
Imported May 31, 2010 and first released with OpenBSD 4.8.
<li><a href="https://www.openiked.org/">OpenIKED</a>
including <a href="https://man.openbsd.org/iked.8">iked(8)</a>
and <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a>:
Started by Reyk Flöter.
Imported June 3, 2010 and first released with OpenBSD 4.8.
Now maintained by Tobias Heider.
<li><a href="https://man.openbsd.org/iscsid.8">iscsid(8)</a>,
<a href="https://man.openbsd.org/iscsictl.8">iscsictl(8)</a>:
Written and maintained by Claudio Jeker.
Imported September 24, 2010 and first released with OpenBSD 4.9.
<li><a href="https://man.openbsd.org/rc.d.8">rc.d(8)</a>,
<a href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a>:
Written and maintained by Robert Nagy and Antoine Jacoutot.
Imported October 26, 2010 and first released with OpenBSD 4.9.
<li><a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a>:
Written and maintained by David Gwynne.
Imported March 2, 2012 and first released with OpenBSD 5.2.
<li><a href="https://man.openbsd.org/npppd.8">npppd(8)</a>,
<a href="https://man.openbsd.org/npppctl.8">npppctl(8)</a>:
Started by Internet Initiative Japan Inc.
Imported January 11, 2010, first released with OpenBSD 5.3.
Maintained by YASUOKA Masahiko.
<li><a href="https://man.openbsd.org/ldomd.8">ldomd(8)</a>,
<a href="https://man.openbsd.org/ldomctl.8">ldomctl(8)</a>:
Written and maintained by Mark Kettenis.
Imported October 26, 2012 and first released with OpenBSD 5.3.
<li><a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>:
Written and maintained by Alexandre Ratchov.
Imported November 23, 2012 and first released with OpenBSD 5.3.
<li><a href="https://man.openbsd.org/cu.1">cu(1)</a>:
Written and maintained by Nicholas Marriott.
Imported July 10, 2012 and first released with OpenBSD 5.4.
<li><a href="https://man.openbsd.org/identd.8">identd(8)</a>:
Written and maintained by David Gwynne.
Imported March 18, 2013 and first released with OpenBSD 5.4.
<li><a href="https://man.openbsd.org/slowcgi.8">slowcgi(8)</a>:
Written and maintained by Florian Obser.
Imported May 23, 2013 and first released with OpenBSD 5.4.
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>:
Written and maintained by <a href="https://www.tedunangst.com/flak/post/signify">Ted Unangst</a>.
Imported December 31, 2013 and first released with OpenBSD 5.5.
<li><a href="https://man.openbsd.org/htpasswd.1">htpasswd(1)</a>:
Written and maintained by Florian Obser.
Imported March 17, 2014 and first released with OpenBSD 5.6.
<li><a href="https://www.libressl.org/">LibreSSL</a>:
Started by Ted Unangst, Bob Beck, Joel Sing, Miod Vallat, Philip Guenther,
and Theo de Raadt on April 13, 2014, as a fork of OpenSSL 1.0.1g.
First released with OpenBSD 5.6.
Portable version maintained by Brent Cook.
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a>:
Started by Reyk Flöter.
Imported July 12, 2014 and first released with OpenBSD 5.6.
<li><a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>:
Written and maintained by Antoine Jacoutot.
Imported August 19, 2014 and first released with OpenBSD 5.7.
<li><a href="https://man.openbsd.org/file.1">file(1)</a>:
Rewritten from scratch and maintained by Nicholas Marriott.
Imported April 24, 2015 and first released with OpenBSD 5.8.
<li><a href="https://man.openbsd.org/doas.1">doas(1)</a>:
Written and maintained by Ted Unangst.
Imported July 16, 2015 and first released with OpenBSD 5.8.
<li><a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>:
Written and maintained by YASUOKA Masahiko.
Imported July 21, 2015 and first released with OpenBSD 5.8.
<li><a href="https://man.openbsd.org/eigrpd.8">eigrpd(8)</a>,
<a href="https://man.openbsd.org/eigrpctl.8">eigrpctl(8)</a>:
Written and maintained by Renato Westphal.
Imported October 2, 2015 and first released with OpenBSD 5.9.
<li><a href="https://man.openbsd.org/vmm.4">vmm(4)</a>,
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a>,
<a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>:
Written by Mike Larkin and Reyk Flöter.
Imported November 13, 2015 and first released with OpenBSD 5.9.
<li><a href="https://man.openbsd.org/pdisk.8">pdisk(8)</a>:
Originally written by Eryk Vershen in 1996-1998,
rewritten and maintained by Kenneth Westerback since January 11, 2016
and first released with OpenBSD 5.9.
<li><a href="https://man.openbsd.org/mknod.8">mknod(8)</a>:
Original version from Version 6 AT&T UNIX (1975),
last rewritten by Marc Espie on March 5, 2016
and first released with OpenBSD 6.0.
<li><a href="https://man.openbsd.org/audioctl.1">audioctl(1)</a>:
Originally written by Lennart Augustsson in 1997,
rewritten and maintained by Alexandre Ratchov since June 21, 2016
and first released with OpenBSD 6.0.
<li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>:
Written by Kristaps Dzonsons, imported August 31, 2016; released
with OpenBSD 6.1.
<li><a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a>:
Written and maintained by Antoine Jacoutot.
Imported September 5, 2016; released with OpenBSD 6.1.
<li><a href="https://man.openbsd.org/ping.8">ping(8)</a>:
Restructured to include IPv6 functionality and maintained by Florian Obser.
The separate
<a href="https://man.openbsd.org/OpenBSD-6.0/ping6.8">ping6(8)</a>
was superseded on September 17, 2016,
and the new, combined version was released with OpenBSD 6.1.
<li><a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>:
Cleaned-up fork of
<a href="https://man.openbsd.org/OpenBSD-6.0/xdm.1">xdm(1)</a>
maintained by Matthieu Herrb.
Imported October 23, 2016; released with OpenBSD 6.1.
<li><a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>:
Written and maintained by Bob Beck.
Imported January 24, 2017; released with OpenBSD 6.1.
<li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>:
Written and maintained by Florian Obser.
Imported March 18, 2017; released with OpenBSD 6.2.
<li><a href="https://man.openbsd.org/rad.8">rad(8)</a>:
Written and maintained by Florian Obser.
Imported July 10, 2018; released with OpenBSD 6.4.
<li><a href="https://man.openbsd.org/unwind.8">unwind(8)</a>:
Written and maintained by Florian Obser.
Imported January 23, 2019; released with OpenBSD 6.5.
<li><a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>:
Written by Kristaps Dzonsons.
Imported February 10, 2019; released with OpenBSD 6.5.
<li><a href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a>:
Written by Christian Weisgerber, Florian Obser, and Theo de Raadt.
Imported April 25, 2019; released with OpenBSD 6.6.
<li><a href="https://man.openbsd.org/snmp.1">snmp(1)</a>:
Written and maintained by Martijn van Duren.
Imported August 9, 2019; released with OpenBSD 6.6.
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>:
Written by Kristaps Dzonsons; maintained by Claudio Jeker,
Theo Buehler, and Job Snijders.
Imported June 17, 2019; released with OpenBSD 6.7.
<li><a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>:
Written and maintained by Florian Obser and Theo de Raadt.
Imported February 24, 2021; released with OpenBSD 6.9.
<li><a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>:
Written and maintained by Florian Obser.
Imported February 26, 2021; released with OpenBSD 6.9.
</ul>
<h3>Проекты, поддерживаемые разработчиками за пределами проекта OpenBSD</h3>
<ul>
<li><a href="https://www.sudo.ws/">sudo</a>:
Started by Bob Coggeshall and Cliff Spencer around 1980.
Imported November 18, 1999, first released with OpenBSD 2.7.
Now maintained by Todd Miller.
<li><a href="http://bulabula.org/femail/">femail</a>:
Written and maintained by Henning Brauer.
Started in 2005, port available since September 22, 2005.
<li><a href="https://www.midish.org/">midish</a>:
Written and maintained by Alexandre Ratchov.
Started in 2003, port available since November 4, 2005.
<li><a href="https://github.com/nicm/fdm">fdm</a>:
Written and maintained by Nicholas Marriott.
Started in 2006, port available since January 18, 2007.
<li><a href="https://github.com/ajacoutot/toad/">toad</a>:
Written and maintained by Antoine Jacoutot.
Started in 2013, port available since October 8, 2013.
<li><a href="https://mandoc.bsd.lv/docbook2mdoc/">docbook2mdoc</a>:
Started by Kristaps Dzonsons in 2014, maintained by Ingo Schwarze.
Port available since April 3, 2014.
<li><a href="https://jasperla.github.io/portroach/">portroach</a>:
Written and maintained by Jasper Lievisse Adriaanse,
originally forked from FreeBSD's portscout.
Started in 2014, port available since September 5, 2014.
<li><a href="https://github.com/yasuoka/cvs2gitdump">cvs2gitdump</a>:
Written and maintained by YASUOKA Masahiko.
Started in 2012, port available since August 1, 2016.
<li><a href="https://gameoftrees.org">Game of Trees</a>:
Written and maintained by Stefan Sperling.
Started in 2017, port available since August 9, 2019.
</ul>