We may not catch all bugs in time -
OpenBSD exploit mitigation:
stack smashing/random stack gap
jump to fixed addr: you die
W^X: memory can be eXecutable XOR Writable
write X mem: you die
randomized mmap(), malloc()
ref after free: you die
Note: buggy software dies, too (firefox)
simple deamons (services) drop to low (non-root) priv
larger tasks: large worker process in chroot jail; smaller process retains privs, called only for specific tasks