North American Network Operators Group

Re: DARPA and the network
On Tue, 06 Sep 2005 11:35:22 +0200, Henning Brauer said:

(Off-topic, but needs correcting...)

> so if the BSDs are en par with preventive measures, why is OpenBSD (to
> my knowledge) the only one shipping ProPolice, which prevented
> basically any buffer overflow seen in the wild for some time now?

Not familiar with ProPolice, but much of Fedora is compiled with the FORTIFY_SOURCE option, which presumably does similar stuff?

> Why is OpenBSD the only one to have randomized library loading,
> rendering basically all exploits with fixed offsets unusable?
> Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> _or_ executable, but not both, unless an application fixes us to (by
> respective mprotect calls)?

See the ExecShield stuff in RedHat/Fedora, or the Pax patch in grsecurity, which both address these two points. There's probably more systems running a Linux with one of these than OpenBSD.
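The W^X property discussed in this thread (pages writable or executable, but not both) can be audited on a Linux host from a process's memory map. The following is an added example, not part of the original message; it assumes the Linux `/proc/<pid>/maps` line format, and the sample listing is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not taken from a real host). */
static const char SAMPLE_MAPS[] =
    "00400000-0040b000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "0060a000-0060b000 rw-p 0000a000 08:01 1234 /usr/bin/demo\n"
    "7f10a0000000-7f10a0021000 rwxp 00000000 00:00 0\n"
    "7ffd4c1e0000-7ffd4c201000 rwxp 00000000 00:00 0 [stack]\n";

/* 1 if the region is both writable and executable, 0 if not, -1 on parse error. */
int region_is_wx(const char *line)
{
    unsigned long long start, end;
    char perms[5];

    if (sscanf(line, "%llx-%llx %4s", &start, &end, perms) != 3)
        return -1;
    if (strlen(perms) != 4 || end <= start)
        return -1;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Count W+X regions in a newline-separated listing, printing each one found. */
int count_wx_regions(const char *maps)
{
    int hits = 0;

    while (*maps) {
        size_t len = strcspn(maps, "\n");
        char line[256];
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;

        memcpy(line, maps, n);
        line[n] = '\0';
        if (region_is_wx(line) == 1) {
            printf("W+X region: %s\n", line);
            hits++;
        }
        maps += len;
        if (*maps == '\n')
            maps++;
    }
    return hits;
}

int main(void)
{
    int hits = count_wx_regions(SAMPLE_MAPS);
    printf("%d region(s) violate W^X\n", hits);
    return hits ? 1 : 0;
}
```

On a system that enforces the policy, an ordinary process should show no such regions; processes that request them through mprotect (JIT runtimes, for example) will be listed.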