Despite popular belief, OpenBSD's security is actually lacking in a lot of ways.

Half-Baked Mitigations

Many of OpenBSD's exploit mitigations are half-baked or even useless. This is a non-exhaustive list of a few of them.

Missing Mitigations

As well as developing half-baked mitigations, OpenBSD also lacks plenty of modern mitigations completely. Again, this is a non-exhaustive list and there are still plenty more examples than the ones listed here.

Lack of Innovations

OpenBSD hasn't really innovated much and many of its (real) mitigations were developed long before OpenBSD implemented them, such as W^X and ASLR which were developed by PaX (PAX_MPROTECT and PAX_ASLR). OpenBSD tries to hide this fact with sly wording, such as: "ASLR: OpenBSD 3.4 was the first widely used operating system to provide it by default.".

The Good Things

Although despite the many issues with it, some of OpenBSD's mitigations are pretty solid like their malloc implementation and OpenBSD excels in their cryptography and standalone tools, just not really when it comes to general OS security.

Other Security Researcher Views on OpenBSD

Many security experts also share these views about OpenBSD.

This website especially goes very in-depth into the issues with most of OpenBSD's mitigations:


A more promising alternative to OpenBSD is HardenedBSD. There are advantages and disadvantages of HardenedBSD over OpenBSD. HardenedBSD has many mitigations OpenBSD does not, such as CFI, SafeStack, SEGVGUARD, a proper W^X implementation and more, but it lacks things OpenBSD has, such as LibreSSL, a hardened memory allocator, etc.

Go back