Why use OpenBSD? Proactive security (cont)
All of these have been enabled by default for 10+ years:
Exploit mitigation (cont)
- Privilege revocation: privsep'd daemons drop privilege as soon as possible
- chroot jail: daemons run in restricted environment ($HOME /var/empty, no shell)
- ProPolice: random stack gap inserted, fixed returns fail
In addition, OpenBSD 5.9 introduced:
- pledge(2): syscall to restrict program behavior to predeclared profile
"Where it is possible to spot damage, fail hard"
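
The privilege revocation, chroot jail and pledge(2) items above combined in one sketch, as an added example that is not from the slides or from OpenBSD's source. confine() and confine_in_child() are hypothetical helpers, uid/gid 32767 are constructed values, and the pledge(2) call is compiled only on OpenBSD.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 0 only if every step took effect; any other value is fatal. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                         /* "dropping" to root is no drop */
    if (chroot(jail) == -1 || chdir("/") == -1)
        return -1;                         /* needs root; jail should be empty */
    /* Groups and gid first: once the uid is gone these calls are refused. */
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)                 /* as root: sets real, effective, saved */
        return -1;
    if (setuid(0) != -1)                   /* spot damage: root must be gone */
        return -1;
#ifdef __OpenBSD__
    if (pledge("stdio", NULL) == -1)       /* OpenBSD 5.9+: stdio-only profile */
        return -1;
#endif
    return 0;
}

/* Confine a forked child, leaving the caller untouched; returns its exit code. */
int confine_in_child(const char *jail, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0)
        _exit(confine(jail, uid, gid) == 0 ? 0 : 1);   /* fail hard */
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed IDs; a real daemon looks up its own user with getpwnam(3). */
    int rc = confine_in_child("/var/empty", 32767, 32767);

    printf("child exit code: %d (0 = confined)\n", rc);
    return rc;
}
```

Started without root, the child exits 1 at the chroot step instead of continuing unconfined, which is the fail-hard behavior the slide quotes.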