North American Network Operators Group
Re: DARPA and the network
- From: Valdis.Kletnieks
- Date: Tue Sep 06 14:05:19 2005
On Tue, 06 Sep 2005 11:35:22 +0200, Henning Brauer said:
(Off-topic, but needs correcting...)
> so if the BSDs are on par with preventive measures, why is OpenBSD (to
> my knowledge) the only one shipping ProPolice, which prevented
> basically any buffer overflow seen in the wild for some time now?
Not familiar with ProPolice, but much of Fedora is compiled with the
FORTIFY_SOURCE option, which presumably does similar stuff?
> Why is OpenBSD the only one to have randomized library loading,
> rendering basically all exploits with fixed offsets unusable?
> Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> _or_ executable, but not both, unless an application fixes us to (by
> respective mprotect calls)?
See the ExecShield stuff in Red Hat/Fedora, or the PaX patch in grsecurity,
which both address these two points.
There's probably more systems running a Linux with one of these than OpenBSD.
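A defender-side check for the W^X property discussed in this message, as an added example that is not part of the original post: it scans text in the Linux /proc/<pid>/maps format for mappings that are both writable and executable. The sample mappings are constructed and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not captured from a real host). */
static const char SAMPLE_MAPS[] =
    "00400000-0040b000 r-xp 00000000 08:01 1311 /usr/bin/demo\n"
    "0060a000-0060b000 rw-p 0000a000 08:01 1311 /usr/bin/demo\n"
    "7f10a0000000-7f10a0021000 rwxp 00000000 00:00 0 \n"
    "7ffc1b2e0000-7ffc1b301000 rwxp 00000000 00:00 0 [stack]\n"
    "7ffc1b3d0000-7ffc1b3d2000 r-xp 00000000 00:00 0 [vdso]\n";

/* Return 1 if one maps line describes a writable AND executable mapping. */
int line_is_wx(const char *line)
{
    char perms[5] = {0};
    /* Fields: start-end perms offset dev inode [path] */
    if (sscanf(line, "%*[0-9a-fA-F]-%*[0-9a-fA-F] %4s", perms) != 1)
        return 0; /* malformed line: not counted */
    return strlen(perms) == 4 && perms[1] == 'w' && perms[2] == 'x';
}

/* Count W+X mappings in a newline-separated maps listing. */
int count_wx_mappings(const char *text)
{
    int hits = 0;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t span = eol ? (size_t)(eol - text) : strlen(text);
        size_t len = span;
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1; /* perms sit near the start; truncation is safe */
        memcpy(line, text, len);
        line[len] = '\0';
        hits += line_is_wx(line);
        text += eol ? span + 1 : span;
    }
    return hits;
}

int main(void)
{
    printf("sample: %d W+X mapping(s)\n", count_wx_mappings(SAMPLE_MAPS));
    FILE *f = fopen("/proc/self/maps", "r"); /* live check; Linux only */
    if (!f)
        return 0;
    char line[512];
    int live = 0;
    while (fgets(line, sizeof line, f))
        live += line_is_wx(line);
    fclose(f);
    printf("this process: %d W+X mapping(s)\n", live);
    return 0;
}
```

On a system enforcing W^X, the live count for an ordinary process is expected to be zero; any hit points at a mapping that an application requested explicitly.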