Fighting back

We may not catch all bugs in time.

OpenBSD exploit mitigation:

Note: buggy software dies, too (Firefox)

simple daemons (services) drop to low (non-root) privileges

larger tasks: large worker process in chroot jail; smaller process retains privileges, called only for specific tasks
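
A sketch of the split described above, added here as an illustration (not code from the talk or from OpenBSD): the worker enters a chroot jail and drops root, and the process that keeps its privileges answers only one listed request. The uid/gid 65534, the jail path /var/empty, the request name REQ_GET_PORT and the reply value 8080 are assumptions made for the example.

```c
#define _GNU_SOURCE                 /* setresuid/setresgid/chroot on Linux */
#include <grp.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define UNPRIV_ID 65534             /* assumed uid/gid of an unprivileged account */
enum { REQ_GET_PORT = 1 };          /* hypothetical: the one request the parent serves */

/* Worker: enter the jail and give up root for good. 0 = ok, -1 = failed. */
static int drop_privs(const char *jail) {
    gid_t g = UNPRIV_ID;
    if (geteuid() != 0) return 0;                      /* not root: nothing to drop */
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &g) != 0) return -1;              /* clear supplementary groups */
    if (setresgid(g, g, g) != 0) return -1;            /* group first, while still root */
    if (setresuid(UNPRIV_ID, UNPRIV_ID, UNPRIV_ID) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;                    /* regaining root must fail */
}

/* Privileged parent: answer one request; anything off the list is refused. */
static int serve_one(int fd) {
    int req, reply;
    if (read(fd, &req, sizeof req) != (ssize_t)sizeof req) return -2;
    reply = (req == REQ_GET_PORT) ? 8080 : -1;         /* 8080: constructed stand-in value */
    if (write(fd, &reply, sizeof reply) != (ssize_t)sizeof reply) return -2;
    return reply;
}

/* Returns the parent's answer: value, -1 = refused, -2 = worker never got going. */
int privsep_roundtrip(int req, const char *jail) {
    int sv[2], status = 0, reply;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    if ((pid = fork()) < 0) return -2;
    if (pid == 0) {                                    /* worker process */
        close(sv[0]);
        if (drop_privs(jail) != 0) _exit(2);           /* fail closed: never run as root */
        if (write(sv[1], &req, sizeof req) != (ssize_t)sizeof req) _exit(3);
        if (read(sv[1], &reply, sizeof reply) != (ssize_t)sizeof reply) _exit(3);
        _exit(0);
    }
    close(sv[1]);                                      /* so a dead worker shows up as EOF */
    reply = serve_one(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -2;
    return reply;
}

int main(void) { return privsep_roundtrip(REQ_GET_PORT, "/var/empty") == 8080 ? 0 : 1; }
```

If the jail or the privilege drop fails, the worker exits before doing any work, so the caller sees -2 rather than a worker still running as root.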

See Theo de Raadt: Exploit mitigation techniques