nanog mailing list archives
Re: DARPA and the network
From: Valdis.Kletnieks () vt edu
Date: Tue, 06 Sep 2005 14:03:42 -0400
On Tue, 06 Sep 2005 11:35:22 +0200, Henning Brauer said:

(Off-topic, but needs correcting...)

> so if the BSDs are on par with preventive measures, why is OpenBSD (to my knowledge) the only one shipping ProPolice, which prevented basically any buffer overflow seen in the wild for some time now?

Not familiar with ProPolice, but much of Fedora is compiled with the FORTIFY_SOURCE option, which presumably does similar stuff?

> Why is OpenBSD the only one to have randomized library loading, rendering basically all exploits with fixed offsets unusable? Why is OpenBSD the only one to have W^X, keeping memory pages writeable _or_ executable, but not both, unless an application fixes us to (by respective mprotect calls)?

See the ExecShield stuff in RedHat/Fedora, or the PaX patch in grsecurity, which both address these two points. There's probably more systems running a Linux with one of these than OpenBSD.