What is OpenBSD's pledge in short?

What is Pledge?

pledge is a system call.

Calling pledge in a program is to promise that the program will only use certain resources.

Another way of saying it is to limit the operation of a program to its needs, e.g.,

"I pledge not to use any other ports except port 63"
"I pledge not to use any other system call except lseek() and fork()"

How does it make a program more secure?

It limits the operation of a program. Example:

  • You wrote a program named xyz that only needs the read system call.
  • Then you add pledge so that it can use only read and nothing else.
  • Then a malicious user finds out that there is a vulnerability in your program by which one can invoke a root shell.
  • Exploiting your program to open a root shell will result in the kernel killing the process with SIGABRT (which cannot be caught or ignored) and generating a log entry (which you can find with dmesg).

This happens because, before executing the rest of your program's code, it first pledges not to use anything other than the read system call. But opening a root shell calls several other system calls, which is forbidden because the program has already promised not to use anything but read.

Where is Pledge?

It's usually in a program. Usage from the OpenBSD 6.5 man page:

#include <unistd.h>

int pledge(const char *promises, const char *execpromises);

Example code: excerpt from the cat command (cat.c):

...
#include <err.h>     /* err() */
#include <unistd.h>  /* pledge() */
...
int ch;
/* promise to use only stdio and read-only path access; abort on failure */
if (pledge("stdio rpath", NULL) == -1)
    err(1, "pledge");

while ((ch = getopt(argc, argv, "benstuv")) != -1)
...
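As an added illustration (not from the answer above or from OpenBSD's cat.c), here is a small cat-like filter that narrows its promises in two stages: "stdio rpath" while it still has to open a file, then "stdio" once only already-open descriptors are needed. Real pledge(2) exists only on OpenBSD; on other systems a hypothetical no-op stand-in is assumed so the stream-copy logic still compiles and runs, but nothing is enforced there.

```c
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifndef __OpenBSD__ /* hypothetical stand-in: compiles elsewhere, enforces nothing */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

/* Copy `in` to `out` using read(2)/write(2) only, both allowed by "stdio".
 * Returns bytes copied, or -1 on error. */
ssize_t copy_stream(int in, int out)
{
    char buf[4096];
    ssize_t n, w, off, total = 0;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (off = 0; off < n; off += w)
            if ((w = write(out, buf + off, n - off)) == -1)
                return -1;
        total += n;
    }
    return n == -1 ? -1 : total;
}
/* Self-check with no files: push `msg` through pipes; return the byte count
 * copy_stream() forwarded, or -1 if the data did not come back intact. */
ssize_t roundtrip(const char *msg)
{
    int in[2], out[2]; char back[64];
    if (pipe(in) == -1 || pipe(out) == -1) return -1;
    if (write(in[1], msg, strlen(msg)) == -1) return -1; close(in[1]);
    ssize_t n = copy_stream(in[0], out[1]);
    close(in[0]); close(out[1]);
    ssize_t r = read(out[0], back, sizeof back); close(out[0]);
    return (r >= 0 && n == r && memcmp(back, msg, r) == 0) ? n : -1;
}
int main(int argc, char *argv[])
{
    /* Stage 1: setup must still open a path, so keep "rpath" (as cat.c does). */
    if (pledge("stdio rpath", NULL) == -1) err(1, "pledge");
    int in = argc > 1 ? open(argv[1], O_RDONLY) : STDIN_FILENO;
    if (in == -1) err(1, "open %s", argv[1]);
    /* Stage 2: only open descriptors are used from here on, so drop "rpath".
     * Promises can be narrowed later but never widened again. */
    if (pledge("stdio", NULL) == -1) err(1, "pledge");
    if (copy_stream(in, STDOUT_FILENO) == -1) err(1, "copy");
    /* Opening a new path now violates the "stdio" promise: on OpenBSD the kernel
     * kills the process with SIGABRT and logs it (dmesg), so puts() never runs. */
    if (argc > 2 && open(argv[2], O_RDONLY) != -1) puts("pledge not enforced here");
    return 0;
}
```

Run it on OpenBSD with two file arguments to see the second open() terminate the process instead of returning an error; the descriptor opened before the second pledge keeps working because pledge restricts system calls, not descriptors already held.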

A program normally makes use of only a certain set of system or library calls. With pledge you can restrict the set of allowed system calls to only this set. For example, if a program does not need to read the password database, you can forbid calling the getpwnam() function.

How is this useful? It is an extra line of defense against vulnerabilities. If the program contains a bug, somebody might be able to exploit the bug to alter the execution flow of the program or inject some extra code into the process. The bug can be, for example, a buffer overflow error in a network-facing daemon, which the attacker can trigger by sending the program more data than it can handle, possibly arranging for the program to read and send the contents of the /etc/passwd file over the network.


Your program "pledges" to only use functionality {A,B,C}

If a hacker could inject code into your pledged process and attempt functionality D, then the OS crashes your program.

For example, say you have an NTP server. It has pledged to only use DNS and CLOCK functionality. But it has a flaw that allows remote code execution. The hacker asks it to WRITE FILE. But pledge will detect this, shut down the program and log the error.