[rescue] A perverse thought (SGI security division)
Clayton Wheeler
csw at thirdshoe.net
Fri Mar 12 11:05:40 CST 2004
On Mar 11, 2004, at 1:59 PM, Joshua Boyd wrote:
> On Thu, Mar 11, 2004 at 04:46:43PM -0500, Caleb Shay wrote:
>
>> Well, I know many people swear by openbsd for their firewalls. I'm
>> sure it's good, but I figure any firewall I set up with openbsd is
>> going to be less secure than one I set up with linux since I know
>> linux and I don't know openbsd.
>
> If the machine is stripped down properly, I doubt the OS matters much
> (assuming we are talking about reasonably sane OSes, unlike Windows).
Recent versions of OpenBSD actually have pretty nice security features
at the kernel and C runtime level. It makes sure that writable pages
are not executable, and vice versa, to prevent buffer overflows from
inserting code successfully; Solaris and some other OSs do this to some
extent. However, OpenBSD also puts guard words (or something) around
stack frames, so programs will be terminated if they clobber the stack.
And I think the most recent version loads shared libraries in random
order and at random offsets, so hostile inserted code can't make
assumptions about where (for example) libc is found.
All of this does make me a bit more confident running sendmail and BIND
on OpenBSD than on Linux or Solaris.
--
Clayton Wheeler
csw at thirdshoe.net
More information about the rescue
mailing list