DARPA and the network

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Sep 6 18:03:42 UTC 2005


On Tue, 06 Sep 2005 11:35:22 +0200, Henning Brauer said:

(Off-topic, but needs correcting...)

> so if the BSDs are on par with preventive measures, why is OpenBSD (to 
> my knowledge) the only one shipping ProPolice, which prevented 
> basically any buffer overflow seen in the wild for some time now?

Not familiar with ProPolice, but much of Fedora is compiled with the
FORTIFY_SOURCE option, which presumably does similar stuff?

> Why is OpenBSD the only one to have randomized library loading, 
> rendering basically all exploits with fixed offsets unusable?
> Why is OpenBSD the only one to have W^X, keeping memory pages writeable 
> _or_ executable, but not both, unless an application fixes us to (by 
> respective mprotect calls)?

See the ExecShield stuff in RedHat/Fedora, or the Pax patch in grsecurity,
which both address these two points.

There's probably more systems running a Linux with one of these than OpenBSD.
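The W^X property discussed in this exchange can be checked from user space on a running Linux process. The program below is an added example, not code from the original post or from any of the projects named in it: it parses text in the /proc/<pid>/maps format and flags every mapping whose permission field is both writable ("w" in column 2) and executable ("x" in column 3), which is exactly what W^X forbids. The sample maps text is constructed for the example; on a stock Linux kernel a process may create such a mapping with mmap() or mprotect() and nothing stops it, whereas PaX's MPROTECT feature denies the request, so running the scan against a real process is a quick way to see which policy is in effect.

```c
/* Added example: scan /proc/<pid>/maps-format text for W^X violations.
 * Not from the original post; the SAMPLE_MAPS text below is constructed. */
#include <stdio.h>
#include <string.h>

/* A maps permission field looks like "rwxp" or "r-xs": read, write,
 * execute, then private/shared. W^X is violated when both w and x are set. */
int perms_violate_wx(const char *perms)
{
    return strlen(perms) >= 4 && perms[1] == 'w' && perms[2] == 'x';
}

/* Walk the maps text line by line and count writable+executable mappings.
 * If first_range is non-NULL, the address range of the first violation is
 * copied into it (empty string when there is none). */
int count_wx_violations(const char *maps, char *first_range, size_t first_len)
{
    int count = 0;
    const char *p = maps;

    if (first_range && first_len > 0)
        first_range[0] = '\0';

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        char range[64], perms[8];

        if (linelen >= sizeof line)
            linelen = sizeof line - 1;
        memcpy(line, p, linelen);
        line[linelen] = '\0';

        /* Fields: address-range perms offset dev inode [pathname] */
        if (sscanf(line, "%63s %7s", range, perms) == 2 && perms_violate_wx(perms)) {
            if (count == 0 && first_range)
                snprintf(first_range, first_len, "%s", range);
            count++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Convenience wrapper returning the first violating range (static buffer). */
const char *first_wx_range(const char *maps)
{
    static char range[64];
    count_wx_violations(maps, range, sizeof range);
    return range;
}

/* Constructed sample: one anonymous rwx mapping among normal r-x / rw- ones. */
const char *SAMPLE_MAPS =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example\n"
    "7f1c2000-7f1c3000 rwxp 00000000 00:00 0\n"
    "7ffd4000-7ffd5000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    char first[64];
    int n = count_wx_violations(SAMPLE_MAPS, first, sizeof first);
    printf("sample: %d W^X violation(s)%s%s\n", n, n ? ", first at " : "", n ? first : "");

    /* Live check of this process; /proc is Linux-specific, so tolerate failure. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        char buf[65536];
        size_t got = fread(buf, 1, sizeof buf - 1, f);
        buf[got] = '\0';
        fclose(f);
        n = count_wx_violations(buf, first, sizeof first);
        printf("self: %d W^X violation(s)%s%s\n", n, n ? ", first at " : "", n ? first : "");
    }
    return 0;
}
```

Point the same scan at a JIT-heavy process (a browser, a JVM) and the count is usually non-zero on a default Linux kernel; under PaX MPROTECT or OpenBSD's W^X policy the runtime has to fall back to separate writable and executable views of the same memory instead.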