Firewall Wizards mailing list archives

Re: Here is my plan for firewall implementation


From: "Joseph S. D. Yao" <jsdy () cospo osis gov>
Date: Mon, 22 Sep 1997 12:01:57 -0400 (EDT)

> These days I'd use qmail (Dan Bernstein's minimalist
> mailer) or sendmail running on a hacked kernel in a
> restricted environment. Smap was intended to be a
> place for hooking additional mail processing into a
> firewall, but nothing ever got hung on the hooks.

Well, a few things here and there.

> Another fun fix I'd like to see on firewall boxes (but
> this takes more kernel expertise than I have) is
> modifications to the memory management to make
> stack space protected so it's not executable. When
> someone tries to hit a buffer overrun, *poof* instant
> SIGSEGV.

This is an entirely reasonable and logical thing to be able to want to
do.  It's also quite easy, given hardware support.

Of the hardware architectures I just glanced at, it appears that the
Alpha and HP-PA allow this, the x86 and MIPS and possibly the Sparc do
not.  Software implementations slow the system down, unforgivable to
the Marketing departments [;-)].  It's possible/probable that hardware
implementations also slow the system down by a nanosecond or two per
command, and cost $0.02 more per chip, and so were nixed.  ;-)/2

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support                                          EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
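As an added example that is not part of the list message or its thread: a small Linux-only check for the property the quoted correspondent wished for, reading /proc/self/maps to report whether the running process's stack mapping carries the execute bit. The two maps excerpts are constructed for demonstration; the live check assumes Linux's /proc layout and returns -1 elsewhere.

```c
#include <stdio.h>
#include <string.h>

/* Two constructed /proc/self/maps excerpts (not real captures). */
const char *MAPS_STACK_NX =
    "55d4a1c00000-55d4a1c01000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0          [stack]\n";
const char *MAPS_STACK_EXEC =
    "7ffd3c000000-7ffd3c021000 rwxp 00000000 00:00 0          [stack]\n";

/* Scan maps text line by line: 1 if the [stack] mapping has 'x', 0 if not,
 * -1 if no stack mapping is present or the line is malformed. */
int stack_exec_from_maps(const char *maps)
{
    const char *line = maps;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        int is_stack = 0;
        for (size_t i = 0; i + 6 <= len; i++)            /* find "[stack" */
            if (memcmp(line + i, "[stack", 6) == 0) { is_stack = 1; break; }
        if (is_stack) {
            /* Layout "start-end perms ...": perms are 4 chars after 1st space */
            const char *sp = memchr(line, ' ', len);
            if (sp && (size_t)(sp - line) + 4 <= len)
                return sp[3] == 'x' ? 1 : 0;
            return -1;
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Live check of the calling process (Linux only; -1 where /proc is absent). */
int stack_is_executable(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return stack_exec_from_maps(buf);
}

int main(void)
{
    int r = stack_is_executable();
    printf("stack executable: %s\n", r == 1 ? "yes" : r == 0 ? "no" : "unknown");
    return 0;
}
```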
