[84116] in North American Network Operators' Group
Re: DARPA and the network
daemon@ATHENA.MIT.EDU (Henning Brauer)
Tue Sep 6 06:41:14 2005
Date: Tue, 6 Sep 2005 12:40:41 +0200
From: Henning Brauer <hb-nanog@bsws.de>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <87k6huleez.fsf@mid.deneb.enyo.de>
Errors-To: owner-nanog@merit.edu
* Florian Weimer <fw@deneb.enyo.de> [2005-09-06 11:44]:
> * Henning Brauer:
> > so if the BSDs are en par with preventive measures, why is OpenBSD (to
> > my knowledge) the only one shipping ProPolice, which prevented
> > basically any buffer overflow seen in the wild for some time now?
> > Why is OpenBSD the only one to have randomized library loading,
> > rendering basicaly all exploits with fixed offsets unuseable?
> > Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> > _or_ executable, but not both, unless an application fixes us to (by
> > respective mprotect calls)?
> All these pamper over the real problems and are not very helpful in a
> service provider environment, where availability might well be more
> important than integrity. Buffer overflows still lead to crashes.
oh, so turning a remote root into an application crash is something I
value quite a bit. this is propolice and w^x, mostly.
you skipped all the other stuff I listed that we do.
> Some of the countermeasures also break lots of legitimate applications
> (Lisp implementations, for example, or precompiled headers for GCC).
clisp is the only thing I am aware of that got broken.
even emancs works, and those who know how emacs works can value that :)
> (Isn't this quite off-topic for NANOG?)
yes, it is. we can further dicuss that in private if you wish; however,
claiming OpenBSD is just more vocal about security is just far off
reality, and that had to be put in perspective.
--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
