[84115] in North American Network Operators' Group
Re: DARPA and the network
daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Sep 6 05:44:38 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: nanog@merit.edu
Date: Tue, 06 Sep 2005 11:43:32 +0200
In-Reply-To: <20050906093521.GL2561@nudo.bsws.de> (Henning Brauer's message of
"Tue, 6 Sep 2005 11:35:22 +0200")
Errors-To: owner-nanog@merit.edu
* Henning Brauer:
> so if the BSDs are en par with preventive measures, why is OpenBSD (to
> my knowledge) the only one shipping ProPolice, which prevented
> basically any buffer overflow seen in the wild for some time now?
> Why is OpenBSD the only one to have randomized library loading,
> rendering basicaly all exploits with fixed offsets unuseable?
> Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> _or_ executable, but not both, unless an application fixes us to (by
> respective mprotect calls)?
All these pamper over the real problems and are not very helpful in a
service provider environment, where availability might well be more
important than integrity. Buffer overflows still lead to crashes.
Some of the countermeasures also break lots of legitimate applications
(Lisp implementations, for example, or precompiled headers for GCC).
(Isn't this quite off-topic for NANOG?)
