OpenBSD Journal

SecurityFocus Covers Mmap Malloc

Contributed by jolan on from the # ln -s AFGJ /etc/malloc.conf dept.

Thanks to Nikns Siankin for pointing us to the article over at SecurityFocus entitled "Security-related innovation in Unix". This is a nice layman's-terms write-up which details the malloc improvements that we covered previously. Here's a great quote from the article:

"The more hurdles that one has to jump through for good security, the less likely people will go through the trouble. OpenBSD allows even the most inexperienced users to take advantage of these technologies without any effort."

(Comments are closed)


Comments
  1. By Anonymous Coward (195.224.109.30) on

    The article mentions NetBSD's Non-executable stack and heap.
    This is similar to OpenBSD's W^X
    A long time ago there was talk about support for MacPPC at the segment rather than the page level.
    It looks like NetBSD have implemented it in their 2.0 releases.

    Did this feature ever make it into OpenBSD? I thought for some reason it hadn't.

    Comments
    1. By Nate (65.95.228.253) on

      Odd that sparc is listed on both the completely supported and unsupported sections.

      Comments
      1. By Anonymous Coward (83.226.184.135) on

        Try again:

        Supported: sparc (sun4m, sun4d)
        Unsupported: sparc (sun, sun4c)

        Notice the difference?

        Comments
        1. By Nate (65.95.228.253) on

          Exactly.

    2. By Anonymous Coward (12.33.122.68) on

      why? is it any better?

      Comments
      1. By Anonymous Coward (195.224.109.30) on

        Is what any better?

        A non-executable stack and heap compared to an executable one?

        Comments
        1. By Anonymous Coward (147.162.55.11) on

          Is a per-segment implementation any better than a per-page one?

          Comments
          1. By Anonymous Coward (131.202.10.5) on

            I'm not an expert, but (as I understand it) per-segment and per-page implementations have to do with the granularity with which the non-executable regions can be marked. I *think* per-page is better than per-segment, but per-segment is better than 'not at all'. I reserve the right to be wrong.

            Comments
            1. By Anonymous Coward (195.224.109.30) on

              I think "per-segment is better than 'not at all'" would be right.

              On PowerPC the segment size is fixed which can be a bit awkward.

              You can get per-page on book-e type chips, but none of the Macs have those types of chips.

          2. By Anonymous Coward (195.224.109.30) on

            No, but you cannot get it per-page

      2. By Marco Peereboom (67.64.89.177) marco@peereboom.us on http://www.peereboom.us

        Read! http://www.openbsd.org/papers/auug04/index.html

        Comments
        1. By Anonymous Coward (195.224.109.30) on

          I guess this sorta answers my question

          Comments
          1. By Anonymous Coward (143.166.255.18) on

            There is also that stuff called "code" that you could cross reference.

            Comments
            1. By Anonymous Coward (204.101.180.70) on

              Here is the code.

    3. By Anonymous Coward (195.224.109.30) on

      Am I to assume that no one knows the answer and thus resorts to modding my question down?

      Comments
      1. By Anonymous Coward (12.33.122.68) on

        I agree. Just a bunch of asses with a mouthful of buzzwords.

      2. By Anonymous Coward (143.166.255.18) on

        Read the posted link instead of whining like a little slashdot bitch.

    4. By Miod Vallat (213.41.172.147) miod@ on

      I'm afraid the non-executable stack and heap changes (which are in NetBSD and OpenBSD, among other systems) are only a component of the whole W^X scheme. NetBSD does not have the binary address space layout changes which allow W^X to become a reality.

      As for the PowerPC execute permission granularity, some recent PowerPC processors indeed have a per-page execute bit, instead of a per-segment execute bit (the segment being 256MB). There are currently no plans under OpenBSD to use the finer granularity when available, but this may change with the ongoing G5 support. Of course, this will depend on people's spare time as usual.

      Comments
      1. By Anonymous Coward (195.224.109.30) on

        Is this the comment in which Theo said "let the cat out of the bag"?
        W^X on a G5

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]