According to author Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms."
There are two common alternatives, strncpy and strncat, but they can also be difficult to understand and easy to misuse,[4][5] so OpenBSD developers Todd C. Miller and Theo de Raadt designed the strlcpy and strlcat functions.
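The termination and truncation difference between strncpy and strlcpy, as an added example (not code from the original page or from the OpenBSD source). `demo_strlcpy` is a hypothetical portable stand-in with strlcpy's semantics so the code builds on systems whose libc lacks the function; the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in with strlcpy semantics: copies at most dstsize-1
 * bytes, always NUL-terminates when dstsize > 0, and returns strlen(src)
 * so the caller can detect truncation. */
size_t demo_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Returns 1 if buf[0..size) contains a NUL terminator, else 0. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* The strncpy pitfall: when src fills the buffer, no terminator is written. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);      /* simulate stale, non-zero memory */
    strncpy(buf, src, sizeof buf);     /* the commonly seen misuse */
    return !is_terminated(buf, sizeof buf);
}

/* strlcpy-style copy: 0 on success, -1 if src did not fit.
 * Either way dst holds a valid, terminated string. */
int copy_name(char *dst, size_t dstsize, const char *src)
{
    return demo_strlcpy(dst, src, dstsize) >= dstsize ? -1 : 0;
}

int main(void)
{
    char buf[8];
    const char *input = "openbsd-release";   /* constructed sample input */
    printf("strncpy left buffer unterminated: %d\n",
           strncpy_leaves_unterminated(input));
    printf("copy_name rc=%d buf=\"%s\"\n",
           copy_name(buf, sizeof buf, input), buf);
    return 0;
}
```
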
On OpenBSD, the linker has been changed to issue a warning when unsafe string manipulation functions, such as strcpy, strcat, or sprintf, are found.
In addition, a static bounds checker is included in OpenBSD in an attempt to find other common programming mistakes at compile time.
The extension works on all the CPU architectures supported by OpenBSD and is enabled by default, so any C code compiled will be protected without user intervention.
The malloc implementation now in OpenBSD makes use of the mmap system call, which was modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other.
In addition, allocation of small blocks in shared areas is now randomized, and the free function was changed to return memory to the kernel immediately rather than leaving it mapped into the process.
These features make program bugs easier to detect and harder to exploit: instead of memory being corrupted or an invalid access being ignored, they often result in a segmentation fault and termination of the process.
This has brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer, a type of bug that would previously not be detected directly but can now cause an error.
Starting with OpenBSD 7.3, the installer supports enabling full disk encryption through a guided procedure that no longer requires manual intervention.
To protect sensitive information such as passwords from leaking onto disk, where they can persist for many years, OpenBSD supports encryption of swap space.
The network stack also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including TCP initial sequence numbers and timestamps, and ephemeral source ports.
The OpenBSD project invented its own utility for cryptographic signing and verification of files, signify,[29] instead of using existing standards and software such as OpenPGP and GnuPG.
The server and some of the default applications are patched to make use of privilege separation, and OpenBSD provides an "aperture" driver to limit X's access to memory.
Some examples of third-party applications updated with these features (by their developers or in OpenBSD's app ports) include the Chromium and Firefox web browsers.