Date: Wed, 30 Jun 2004 07:52:22 -0500
From: Kevin Lyons <kevin_lyons@ofdengineering.com>
To: Christian Weisgerber <naddy@mips.inka.de>
Cc: freebsd-chat@freebsd.org
Subject: Re: "TrustedBSD" addons
Message-ID: <40E2B786.8030005@ofdengineering.com>
In-Reply-To: <cbt15e$20hq$1@kemoauc.mips.inka.de>
References: <40E1A6C0.2040406@ofdengineering.com> <cbt15e$20hq$1@kemoauc.mips.inka.de>

Christian Weisgerber wrote:
> Kevin Lyons <kevin_lyons@ofdengineering.com> wrote:
>
>
>>Is this the right way to go?  We're adding more bloat while openbsd is
>>cleaning itself and reworking kernel memory allocation to make exploits
>
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>>near impossible.
>
>   ^^^^^^^^^^^^^^^
>
> Er, what?

Er, read the following (from http://www.openbsd.org/security.html).
I believe they've been doing the random malloc/mmap since 3.4. Almost a
year ago.

1)
"As we audit source code, we often invent new ways of solving problems.
Sometimes these ideas have been used before in some random application
written somewhere, but perhaps not taken to the degree that we do.

     * strlcpy() and strlcat()
     * Memory protection purify
           o W^X
           o .rodata segment
           o Guard pages
           o Randomized malloc()
           o Randomized mmap()
           o atexit() and stdio protection
     * Privilege separation
     * Privilege revocation
     * Chroot jailing
     * New uids
     * ProPolice
     * ... and others
"

2) If that is not clear enough...
from http://www.eweek.com/article2/0,3959,1111894,00.asp

OpenBSD 3.3 adds page-level memory permissions (on SPARC, Alpha and
PA-RISC CPUs) that mark each memory page as either writable or
executable (but not both at once), to make it harder for an attacker to
write attack code into a memory location and execute it. Unfortunately,
this feature isn't provided on x86 or PowerPC chips yet, although it's
planned for the OpenBSD 3.4 release.

The OpenBSD project has made a decision against
trusted-operating-system-style mandatory access controls that place
kernel-enforced limits on what particular processes or users can do.
"People who use such things build systems which cannot be administered
later," said Theo de Raadt, OpenBSD project leader, in Calgary, Alberta.
"I am holding the fort against such complexity."

-- 
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons@ofdengineering.com