North American Network Operators Group

Re: DARPA and the network

This in reality protects from EVERYTHING! In theory - not, but in reality - no exploits exist at all (except DDOS exploits, of course) for such systems.

----- Original Message -----
From: "Florian Weimer" <[email protected]>
To: <[email protected]>
Sent: Tuesday, September 06, 2005 2:43 AM
Subject: Re: DARPA and the network

>
> * Henning Brauer:
>
> > so if the BSDs are on par with preventive measures, why is OpenBSD (to
> > my knowledge) the only one shipping ProPolice, which prevented
> > basically any buffer overflow seen in the wild for some time now?
> > Why is OpenBSD the only one to have randomized library loading,
> > rendering basically all exploits with fixed offsets unusable?
> > Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> > _or_ executable, but not both, unless an application fixes us to (by
> > respective mprotect calls)?
>
> All these pamper over the real problems and are not very helpful in a
> service provider environment, where availability might well be more
> important than integrity. Buffer overflows still lead to crashes.
>
> Some of the countermeasures also break lots of legitimate applications
> (Lisp implementations, for example, or precompiled headers for GCC).
>
> (Isn't this quite off-topic for NANOG?)