Re: DARPA and the network

["Alexei Roudnev" <alex () relcom net>]

This in reality protects from EVERYTHING! In theory - not, but in reality -
no exploits exists at all (except DDOS exploints, of course) for such
systems.



----- Original Message ----- 
From: "Florian Weimer" <fw () deneb enyo de>
To: <nanog () merit edu>
Sent: Tuesday, September 06, 2005 2:43 AM
Subject: Re: DARPA and the network


> * Henning Brauer:
>
> > so if the BSDs are en par with preventive measures, why is OpenBSD (to
> > my knowledge) the only one shipping ProPolice, which prevented
> > basically any buffer overflow seen in the wild for some time now?
> > Why is OpenBSD the only one to have randomized library loading,
> > rendering basicaly all exploits with fixed offsets unuseable?
> > Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> > _or_ executable, but not both, unless an application fixes us to (by
> > respective mprotect calls)?
>
> All these pamper over the real problems and are not very helpful in a
> service provider environment, where availability might well be more
> important than integrity.  Buffer overflows still lead to crashes.
>
> Some of the countermeasures also break lots of legitimate applications
> (Lisp implementations, for example, or precompiled headers for GCC).
>
> (Isn't this quite off-topic for NANOG?)