OpenBSD is often described as a very niche operating system. It is in fact niche, but it is well known in security circles, and for good reason. It is arguably the only general-purpose OS that actually hates its own code, which is what makes it so secure.

The reputation

If you visit the OpenBSD website you will see their famous slogan: “Only two remote holes in the default install, in a heck of a long time!” If you read about it you will find out that since 2007 they haven’t had a single Remote Code Execution (RCE) vulnerability in their default install. Now compare that number to Linux, which has had dozens of RCEs over the years, and wind*ws, hahaha, I think we will lose count there.

Moreover, OpenBSD is built by the same guys who wrote and maintain OpenSSH and LibreSSL.

No bloat

OpenBSD is secure by default. It follows the Keep it stupid simple (KISS) philosophy, so when you install it you get a nice, secure operating system without tens of daemons and open ports. The devs at OpenBSD are famous for their code edits, where anything even remotely too complex to be secured is deleted.

The magic syscalls

If you have ever developed on Linux you know seccomp-bpf. It is very powerful indeed, but man, it is a total pain to deal with. OpenBSD has two syscalls that are just genius. I am of course talking about pledge and unveil.

With pledge a process can restrict its own capabilities. For instance, a text editor can say “I only plan on using stdio and rpath”. If this text editor is later compromised and tries to open a network socket, it is killed immediately by the kernel. It doesn’t matter if you had root: you gave up your right to use network syscalls.

Similarly, unveil is like pledge but for files. It allows a process to restrict its view of the filesystem, so a browser can unveil only your Downloads folder. For the browser, your filesystem doesn’t exist other than the Downloads folder.

These two are baked into even the coreutils, so even cat and ls are pledged.
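To make the pledge and unveil descriptions above concrete, here is an added example (not code from OpenBSD itself) of a small byte counter that sandboxes itself before touching its input. The function name count_bytes_sandboxed is hypothetical, and the no-op stand-ins under #ifndef are an assumption that only lets the file compile on other systems.

```c
#include <stdio.h>
#include <unistd.h>   /* declares pledge(2) and unveil(2) on OpenBSD */

#ifndef __OpenBSD__
/* Assumption: no-op stand-ins so this compiles off OpenBSD; they protect nothing. */
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
static int unveil(const char *path, const char *permissions)
{ (void)path; (void)permissions; return 0; }
#endif

/* Returns the size of `path` in bytes, or -1 on any error. */
long count_bytes_sandboxed(const char *path)
{
    /* Filesystem view: only `path`, read-only. Everything else disappears. */
    if (unveil(path, "r") == -1)
        return -1;
    /* Lock the unveil list so it cannot be widened later. */
    if (unveil(NULL, NULL) == -1)
        return -1;
    /* Promise stdio plus read-only path access. Anything outside the
     * promises (sockets, exec, writes to new files) aborts the process. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;

    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;

    /* The file is open, so rpath is no longer needed: tighten to stdio only. */
    if (pledge("stdio", NULL) == -1) { fclose(f); return -1; }

    long n = 0;
    while (fgetc(f) != EOF)
        n++;
    fclose(f);
    return n;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    long n = count_bytes_sandboxed(argv[1]);
    if (n < 0) { perror(argv[1]); return 1; }
    printf("%ld\n", n);
    return 0;
}
```

Promises can only be reduced, never regained, which is why the second pledge call can safely drop rpath once the file descriptor is already open.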

ASLR huhhhh we have KARL

We know how Linux uses Address Space Layout Randomization (ASLR), which shuffles memory addresses to make buffer overflows very hard to exploit. Notice how I said hard: you can use Return-Oriented Programming chains on Linux and still exploit buffer overflows. However, in OpenBSD there is KARL (Kernel Address Randomized Link). The kernel links itself in a random order, so good luck exploiting that, as every time you boot you have a unique kernel binary. The offsets found on one machine won’t work on another.

Conclusion

Now, I probably missed some security hardening measures that OpenBSD uses. However, you might still ask: so why doesn’t everyone use OpenBSD? Well, my friends, everything comes at a cost. In this case the security mainly comes at the cost of speed. Linux is a lot faster than OpenBSD. KARL, pledge and unveil: all of these extra features require more CPU cycles.

Another big drawback (or a nice feature, depending on how you look at it) is that OpenBSD devs don’t include every single proprietary binary blob. This means your NVIDIA cards, many Wi-Fi chipsets and Bluetooth (apart from the fact that it is a security nightmare) won’t work. This is why most people won’t use it. Of course, then there is the usual missing apps thing, but everything runs in a browser.

Anyway, that has been it for OpenBSD. I still love GNU/Linux, and I probably missed a lot more nice things about OpenBSD. I didn’t even mention LibreSSL or PF, but perhaps I will save those for another day.