From: "Barry Dexter A. Gonzaga" barryg-plug@kssp.upd.edu.ph
To: plug@lists.q-linux.com
Subject: OT: Hardware and OpenBSD was Re: [plug] Defend ..
User-Agent: Mutt/1.5.4i
Date: Thu, 3 Apr 2003 09:34:50 +0800
On Wed, Apr 02, 2003 at 03:25:32PM -0800, Rick Moen wrote:
<SNIP>
> would be a compelling argument in their favour. In my experience, the
> key ingredient required to protect a system from attack is for the
> sysadmin to be minutely familiar with how it works, and familiar with
> the software that runs on it. You want to use what people know.
Amen to that.
<SNIP>
> There are also hardware considerations. It might be worth considering
> using one of the CPU architectures with fewer buffer-overflow problems
> (PowerPC, SPARC, Alpha), and you might be able to operate with most of
Also architectures like sparc, sparc64, alpha, hppa and the upcoming AMD Hammer support W^X [0], which ensures that memory that can be written by programs cannot be executable at the same time and vice-versa. At the moment only OpenBSD supports this. This makes buffer overflows a trifle hard to exploit.
<SNIP>
The soon-to-be-released OpenBSD 3.3[1] (and -current snapshots) has ProPolice[2][3] enabled by default; this lessens the risk of privilege escalation through buffer overflows. ProPolice-enabled sendmail is safe from the recently released exploit/bug on it[4].
--
Barry Dexter A. Gonzaga, bofh
barryg@kssp.upd.edu.ph
To: plug@lists.q-linux.com
Subject: Re: OT: Hardware and OpenBSD was Re: [plug] Defend ..
User-Agent: Mutt/1.4i
From: Rick Moen rick@linuxmafia.com
Date: Wed, 2 Apr 2003 18:28:42 -0800
Quoting Orlando Andico (orly@mozcom.com):
> You can get mostly the same effect by using the StackGuarded GCC.
Also, libsafe blocks the most common way of doing buffer overruns -- if you can live without the ability to run antique libc5 applications.
--
Cheers, "Normal? Normal is a setting on my dryer."
Rick Moen -- heard at BayCon 2001, http://www.baycon.org/
rick@linuxmafia.com
From: "Barry Dexter A. Gonzaga" barryg-plug@kssp.upd.edu.ph
To: plug@lists.q-linux.com
Subject: Re: OT: Hardware and OpenBSD was Re: [plug] Defend ..
User-Agent: Mutt/1.5.4i
Date: Thu, 3 Apr 2003 10:19:04 +0800
On Thu, Apr 03, 2003 at 10:12:54AM +0800, Orlando Andico wrote:
> You can get mostly the same effect by using the StackGuarded GCC.
No, but StackGuard is similar to ProPolice. Though OpenBSD folks integrated ProPolice as it supports architectures other than i386.
More on OpenBSD recent security enhancements[0].
[0] http://marc.theaimsgroup.com/?l=openbsd-misc&m=104391783312978
--
Barry Dexter A. Gonzaga, bofh
barryg@kssp.upd.edu.ph