DARPA and the network
Valdis.Kletnieks at vt.edu
Tue Sep 6 18:03:42 UTC 2005
On Tue, 06 Sep 2005 11:35:22 +0200, Henning Brauer said:
(Off-topic, but needs correcting...)
> so if the BSDs are on par with preventive measures, why is OpenBSD (to
> my knowledge) the only one shipping ProPolice, which prevented
> basically any buffer overflow seen in the wild for some time now?
Not familiar with ProPolice, but much of Fedora is compiled with the
FORTIFY_SOURCE option, which presumably does similar stuff?
> Why is OpenBSD the only one to have randomized library loading,
> rendering basically all exploits with fixed offsets unusable?
> Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> _or_ executable, but not both, unless an application fixes us to (by
> respective mprotect calls)?
See the ExecShield stuff in Red Hat/Fedora, or the PaX patch in grsecurity,
which both address these two points.
There are probably more systems running a Linux with one of these than OpenBSD.