North American Network Operators Group
Re: DARPA and the network
* Florian Weimer <[email protected]> [2005-09-06 11:44]:
> * Henning Brauer:
> > so if the BSDs are on par with preventive measures, why is OpenBSD (to
> > my knowledge) the only one shipping ProPolice, which prevented
> > basically any buffer overflow seen in the wild for some time now?
> > Why is OpenBSD the only one to have randomized library loading,
> > rendering basically all exploits with fixed offsets unusable?
> > Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> > _or_ executable, but not both, unless an application fixes us to (by
> > respective mprotect calls)?
> All these paper over the real problems and are not very helpful in a
> service provider environment, where availability might well be more
> important than integrity. Buffer overflows still lead to crashes.

oh, so turning a remote root into an application crash is something I
value quite a bit. this is propolice and w^x, mostly. you skipped all
the other stuff I listed that we do.

> Some of the countermeasures also break lots of legitimate applications
> (Lisp implementations, for example, or precompiled headers for GCC).

clisp is the only thing I am aware of that got broken. even emacs works,
and those who know how emacs works can value that :)

> (Isn't this quite off-topic for NANOG?)

yes, it is. we can further discuss that in private if you wish; however,
claiming OpenBSD is just more vocal about security is just far off
reality, and that had to be put in perspective.

--
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
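The thread's point that ProPolice turns a stack overflow into a crash rather than a code-execution path is easiest to see with the guard mechanism modelled by hand. The following C program is an added example, not code from the thread, from OpenBSD or from ProPolice itself: it lays out a "frame" as [local buffer][guard][saved return address], simulates an unchecked copy into it, and runs the guard comparison that a compiler-inserted epilogue performs before the return address is used. The guard value is a fixed constructed constant (real SSP uses a per-process random value), the frame layout is simplified, and every function name here is hypothetical.

```c
/* Simplified model of a ProPolice/SSP stack guard (added example, not
 * OpenBSD or ProPolice code). A frame is laid out by hand as
 * [local buffer][guard][saved return address]; an unchecked copy is
 * simulated with memcpy, and the guard is checked before "returning",
 * which is what the compiler-inserted epilogue does. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16
#define GUARD_LEN 8
#define RET_LEN   8
#define FRAME_LEN (BUF_LEN + GUARD_LEN + RET_LEN)

/* Outcome of a simulated function return. */
enum frame_status {
    FRAME_OK = 0,          /* guard intact, return address can be trusted */
    FRAME_GUARD_SMASHED    /* guard clobbered: ProPolice would abort here */
};

/* Constructed, fixed guard so the example is deterministic. Real SSP uses
 * a random per-process value; the leading 0x00 mirrors the common trick
 * of making string-copy overflows stop at the guard. */
static const uint8_t GUARD[GUARD_LEN] =
    {0x00, 0x0a, 0x5a, 0x3c, 0x91, 0xe7, 0x44, 0xb2};

/* Fresh frame: zeroed buffer, guard, then a stand-in saved return address. */
static void frame_init(uint8_t frame[FRAME_LEN], uint64_t saved_ret) {
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, GUARD, GUARD_LEN);
    memcpy(frame + BUF_LEN + GUARD_LEN, &saved_ret, RET_LEN);
}

/* Simulates an unbounded copy into the local buffer (think strcpy of
 * untrusted input). The length is clamped to the frame so the simulation
 * itself stays well-defined C. */
static void unchecked_copy(uint8_t frame[FRAME_LEN], const uint8_t *src, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(frame, src, n);
}

/* Epilogue check: compare the guard before the saved return address is used. */
static enum frame_status frame_return(const uint8_t frame[FRAME_LEN], uint64_t *ret_out) {
    if (memcmp(frame + BUF_LEN, GUARD, GUARD_LEN) != 0)
        return FRAME_GUARD_SMASHED;
    memcpy(ret_out, frame + BUF_LEN + GUARD_LEN, RET_LEN);
    return FRAME_OK;
}

/* Runs one input through a frame and reports the status and the return
 * address that would have been used. */
enum frame_status run_input(const uint8_t *input, size_t n, uint64_t *ret_out) {
    uint8_t frame[FRAME_LEN];
    const uint64_t legit_ret = 0x400a10; /* constructed stand-in address */
    frame_init(frame, legit_ret);
    unchecked_copy(frame, input, n);
    return frame_return(frame, ret_out);
}

int main(void) {
    uint64_t ret = 0;
    uint8_t benign[] = "hello";
    uint8_t overflow[FRAME_LEN];
    memset(overflow, 'A', FRAME_LEN);   /* constructed 32-byte input */

    enum frame_status s = run_input(benign, 5, &ret);
    printf("benign input:   %s (ret=0x%llx)\n",
           s == FRAME_OK ? "ok" : "guard smashed", (unsigned long long)ret);

    s = run_input(overflow, FRAME_LEN, &ret);
    printf("overflow input: %s\n",
           s == FRAME_OK ? "ok" : "guard smashed, abort instead of return");
    return 0;
}
```

The useful observation is the second case: the saved return address is overwritten along with the guard, but because the guard is checked first, control never reaches the corrupted address, which is exactly the "remote root becomes an application crash" trade-off discussed in the thread. The example generalises slightly beyond it by also showing that an overflow of even one byte past the buffer is detected.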