North American Network Operators Group


Re: DARPA and the network

  • From: Valdis.Kletnieks
  • Date: Tue Sep 06 14:05:19 2005

On Tue, 06 Sep 2005 11:35:22 +0200, Henning Brauer said:

(Off-topic, but needs correcting...)

> so if the BSDs are on par with preventive measures, why is OpenBSD (to 
> my knowledge) the only one shipping ProPolice, which prevented 
> basically any buffer overflow seen in the wild for some time now?

Not familiar with ProPolice, but much of Fedora is compiled with the
FORTIFY_SOURCE option, which presumably does similar stuff?

> Why is OpenBSD the only one to have randomized library loading, 
> rendering basically all exploits with fixed offsets unusable?
> Why is OpenBSD the only one to have W^X, keeping memory pages writeable 
> _or_ executable, but not both, unless an application fixes us to (by 
> respective mprotect calls)?

See the ExecShield stuff in RedHat/Fedora, or the Pax patch in grsecurity,
which both address these two points.

There's probably more systems running a Linux with one of these than OpenBSD.
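A defender-side check related to the W^X property discussed above, added here as an example and not part of the original thread: it parses text in /proc/<pid>/maps format and counts mappings that are both writable and executable. The sample maps text is constructed; on Linux the main function also audits the running process.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if a /proc/<pid>/maps permission field (e.g. "rwxp") grants
 * both write and execute, i.e. the mapping violates W^X. */
int perms_violate_wx(const char *perms) {
    return strlen(perms) >= 3 && perms[1] == 'w' && perms[2] == 'x';
}

/* Counts W^X violations in text in /proc/<pid>/maps format:
 * "start-end perms offset dev inode path", one mapping per line. */
int count_wx_mappings(const char *maps_text) {
    int count = 0;
    const char *line = maps_text;
    while (line && *line) {
        char addr[64], perms[8];
        if (sscanf(line, "%63s %7s", addr, perms) == 2 && perms_violate_wx(perms))
            count++;
        line = strchr(line, '\n');   /* advance to the next mapping line */
        if (line) line++;
    }
    return count;
}

/* Constructed sample in /proc/self/maps format (not captured from a real system);
 * exactly one mapping (the anonymous rwxp region) violates W^X. */
static const char *sample_maps =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example\n"
    "7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0 [anon]\n"
    "7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]\n";

int main(void) {
    /* Audit the running process when /proc is available (Linux). */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        char buf[65536];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("live process W^X violations: %d\n", count_wx_mappings(buf));
    } else {
        printf("/proc/self/maps not available; checking constructed sample only\n");
    }
    printf("sample W^X violations: %d\n", count_wx_mappings(sample_maps));
    return 0;
}
```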
