[rescue] A perverse thought (SGI security division)

Clayton Wheeler csw at thirdshoe.net
Fri Mar 12 11:05:40 CST 2004

On Mar 11, 2004, at 1:59 PM, Joshua Boyd wrote:

> On Thu, Mar 11, 2004 at 04:46:43PM -0500, Caleb Shay wrote:
>> Well, I know many people swear by openbsd for their firewalls.  I'm
>> sure it's good, but I figure any firewall I set up with openbsd is
>> going to be less secure than one I set up with linux since I know
>> linux and I don't know openbsd.
> If the machine is stripped down properly, I doubt the OS matters much
> (assuming we are talking about reasonably sane OSes, unlike Windows).

Recent versions of OpenBSD actually have pretty nice security features 
at the kernel and C runtime level. It makes sure that writable pages 
are not executable, and vice versa, to prevent buffer overflows from 
inserting code successfully; Solaris and some other OSs do this to some 
extent. However, OpenBSD also puts guard words (or something) around 
stack frames, so programs will be terminated if they clobber the stack. 
And I think the most recent version loads shared libraries in random 
order and at random offsets, so hostile inserted code can't make 
assumptions about where (for example) libc is found.

All of this does make me a bit more confident running sendmail and BIND 
on OpenBSD than on Linux or Solaris.

Clayton Wheeler
csw at thirdshoe.net

More information about the rescue mailing list