===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/33.html,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- www/33.html 2003/03/27 23:29:02 1.21
+++ www/33.html 2003/03/29 03:12:50 1.22
@@ -75,22 +75,37 @@
Integration of the
ProPolice
stack protection technology into the system compiler. This protection is
-enabled by default.
+enabled by default. With this change, function prologues are modified
+to rearrange the stack: a random canary is placed before the return
+address, and buffer variables are moved closer to the canary so that
+regular variables are below, and harder to smash. The function
+epilogue then checks if the canary is still intact. If it is not,
+the process is terminated. This change makes it very hard for an
+attacker to modify the return address used when returning from a
+function.
-
W^X (pronounced: "W xor X") binaries on architectures capable of
+W^X (pronounced: "W xor X") on architectures capable of
pure execute-bit support in the MMU (sparc, sparc64, alpha,
hppa). This is a fine-grained memory permissions layout, ensuring that
memory which can be written to by application programs can not be
-executable at the same time and vice versa. This raises the bar on
-potential buffer overflows and other attacks.
+executable at the same time and vice versa. This raises the bar on
+potential buffer overflows and other attacks: as a result, an attacker
+is unable to write code anywhere in memory where it can be executed.
+(NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.4 will
+make this change on those architectures as well).
Still more reduction in setuid and setgid binaries, and more chroot
-use throughout the system.
+use throughout the system. While some programs are still setuid or
+setgid, almost all of them grab a resource and then quickly revoke
+privilege.
-
The X window system uses privilege separation, for better security.
+The X window server and xconsole now use privilege separation,
+for better security. Also, xterm has been modified to do privilege
+revocation. xdm runs as a special user and group, to further constrain
+what might go wrong.
As usual, improvements to the documentation, notably the man pages and
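Review bot: The last sentence added to the ProPolice item, "This change makes it very hard for an attacker to modify the return address", claims more than the lines before it describe. The epilogue check detects a damaged canary and terminates the process; it does not stop the write itself. Suggest wording along the lines of "makes it very hard for an attacker to make use of a modified return address". In the same paragraph, "regular variables are below" does not say below what, or in which direction, so stating the order relative to the buffers and the canary would help. In the W^X item, "an attacker is unable to write code anywhere in memory where it can be executed" is an absolute claim placed directly after "raises the bar", and per the NOTE that follows it holds only on the listed architectures in 3.3. Consider qualifying it with "on these architectures". The NOTE's final period also belongs inside the closing parenthesis.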
@@ -124,7 +139,11 @@
Full CIDR support
Early checksum verification return on invalid packets
Performance boost: large rulesets load much faster now
-spamd, a spam deferral daemon, to whom smtp connections can be redirected to
+spamd,
+ a spam deferral daemon, which SMTP connections can be redirected to.
+ This daemon handles connections based on black lists and white lists,
+ tar-pits the connections, and ensures that the spammer knows why their
+ mail has not been accepted.
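Review bot: In the new spamd description, "handles connections based on black lists and white lists, tar-pits the connections" reads as if every redirected connection is tar-pitted. The text should say which list leads to which treatment, for example "tar-pits connections from black-listed hosts". The entry also says connections "can be redirected to" the daemon without saying what does the redirecting; since it sits in this feature list, a short pointer to the redirect mechanism would document that. As a style point, "which SMTP connections can be redirected to" reads better as "to which SMTP connections can be redirected".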
@@ -421,7 +440,7 @@
alt="OpenBSD">
www@openbsd.org
-$OpenBSD: 33.html,v 1.21 2003/03/27 23:29:02 henning Exp $
+$OpenBSD: 33.html,v 1.22 2003/03/29 03:12:50 deraadt Exp $