[84138] in North American Network Operators' Group
Re: DARPA and the network
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Sep 6 14:04:34 2005
To: Henning Brauer <hb-nanog@bsws.de>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Tue, 06 Sep 2005 11:35:22 +0200."
<20050906093521.GL2561@nudo.bsws.de>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 06 Sep 2005 14:03:42 -0400
Errors-To: owner-nanog@merit.edu
On Tue, 06 Sep 2005 11:35:22 +0200, Henning Brauer said:
(Off-topic, but needs correcting...)
> so if the BSDs are on par with preventive measures, why is OpenBSD (to
> my knowledge) the only one shipping ProPolice, which prevented
> basically any buffer overflow seen in the wild for some time now?
Not familiar with ProPolice, but much of Fedora is compiled with the
FORTIFY_SOURCE option, which presumably does similar stuff?
> Why is OpenBSD the only one to have randomized library loading,
> rendering basically all exploits with fixed offsets unusable?
> Why is OpenBSD the only one to have W^X, keeping memory pages writeable
> _or_ executable, but not both, unless an application fixes us to (by
> respective mprotect calls)?
See the ExecShield stuff in RedHat/Fedora, or the PaX patch in grsecurity,
which both address these two points.
There's probably more systems running a Linux with one of these than OpenBSD.
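The W^X policy discussed in this exchange (a page may be writable or executable, never both, unless a program explicitly asks via mprotect) can be audited on a running Linux system. The program below is an added example written for this archive page, not code from either poster, OpenBSD, PaX or ExecShield. It parses the permission column of /proc/<pid>/maps lines to count mappings that are both writable and executable, and probes whether the kernel refuses an anonymous RWX mapping, as a PaX MPROTECT kernel does. The maps listing embedded in the program is constructed sample data, not captured from a real host.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Return 1 if one /proc/<pid>/maps line describes a mapping that is
 * writable AND executable (the combination W^X forbids), else 0. */
int is_wx_mapping(const char *maps_line)
{
    char perms[8] = {0};
    /* Field layout: "start-end perms offset dev inode [path]" */
    if (sscanf(maps_line, "%*s %7s", perms) != 1)
        return 0;
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X mappings in a newline-separated maps listing. */
int count_wx_mappings(const char *maps_text)
{
    int count = 0;
    const char *line = maps_text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (is_wx_mapping(buf))
            count++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

/* Hardening probe: request one anonymous page that is readable, writable and
 * executable at once. Returns 1 if the kernel refused it (W^X enforced, as
 * with PaX MPROTECT), 0 if the mapping was granted. */
int rwx_mapping_refused(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    munmap(p, 4096);
    return 0;
}

/* Constructed sample listing (not from a real host); the third line is the finding. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/example\n"
    "7f1c2a000000-7f1c2a021000 rwxp 00000000 00:00 0\n"
    "7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    printf("W+X mappings in constructed sample: %d\n", count_wx_mappings(SAMPLE_MAPS));
    printf("RWX anonymous mapping refused by kernel: %s\n",
           rwx_mapping_refused() ? "yes" : "no");

    /* Live self-audit where /proc/self/maps exists (Linux). */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        char line[512];
        int found = 0;
        while (fgets(line, sizeof line, f)) {
            if (is_wx_mapping(line)) {
                found++;
                fputs(line, stdout);
            }
        }
        fclose(f);
        printf("W+X mappings in this process: %d\n", found);
    }
    return 0;
}
```

On a stock Linux kernel the RWX request is normally granted (W^X there is a policy of the toolchain and loader rather than of the kernel), so the probe reports "no"; the maps scan is the useful part on such systems, run against any process id rather than self by opening /proc/<pid>/maps instead.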