=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/33.html,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- www/33.html 2003/03/27 23:29:02 1.21 +++ www/33.html 2003/03/29 03:12:50 1.22 @@ -75,22 +75,37 @@
  • Integration of the ProPolice stack protection technology into the system compiler. This protection is -enabled by default. +enabled by default. With this change, function prologues are modified +to rearrange the stack: a random canary is placed before the return +address, and buffer variables are moved closer to the canary so that +regular variables are below, and harder to smash. The function +epilogue then checks if the canary is still intact. If it is not, +the process is terminated. This change makes it very hard for an +attacker to modify the return address used when returning from a +function.

    -

  • W^X (pronounced: "W xor X") binaries on architectures capable of +
  • W^X (pronounced: "W xor X") on architectures capable of pure execute-bit support in the MMU (sparc, sparc64, alpha, hppa). This is a fine-grained memory permissions layout, ensuring that memory which can be written to by application programs can not be -executable at the same time and vice versa. This raises the bar on -potential buffer overflows and other attacks. +executable at the same time and vice versa. This raises the bar on +potential buffer overflows and other attacks: as a result, an attacker +is unable to write code anywhere in memory where it can be executed. +(NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.4 will +make this change on those architectures as well).

  • Still more reduction in setuid and setgid binaries, and more chroot -use throughout the system. +use throughout the system. While some programs are still setuid or +setgid, almost all of them grab a resource and then quickly revoke +privilege.

    -

  • The X window system uses privilege separation, for better security. +
  • The X window server and xconsole now use privilege separation, +for better security. Also, xterm has been modified to do privilege +revocation. xdm runs as a special user and group, to further constrain +what might go wrong.

  • As usual, improvements to the documentation, notably the man pages and @@ -124,7 +139,11 @@
  • Full CIDR support
  • Early checksum verification return on invalid packets
  • Performance boost: large rulesets load much faster now -
  • spamd, a spam deferral daemon, to whom smtp connections can be redirected to +
  • spamd, + a spam deferral daemon, which SMTP connections can be redirected to. + This daemon handles connections based on black lists and white lists, + tar-pits the connections, and ensures that the spammer knows why their + mail has not been accepted.

    @@ -421,7 +440,7 @@ alt="OpenBSD"> www@openbsd.org
    -$OpenBSD: 33.html,v 1.21 2003/03/27 23:29:02 henning Exp $ +$OpenBSD: 33.html,v 1.22 2003/03/29 03:12:50 deraadt Exp $
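Review bot: In the W^X item of the @@ -75,22 +75,37 @@ hunk, the added sentence "an attacker is unable to write code anywhere in memory where it can be executed" is unqualified, yet the same item limits W^X to sparc, sparc64, alpha and hppa, and the NOTE says i386 and powerpc do not support it in 3.3. Suggest scoping the claim to those architectures (for example "on these architectures, an attacker is unable to ...") so that i386 and powerpc readers do not take it as applying to them. In the ProPolice item of the same hunk, "before the return address" and "regular variables are below" depend on which way the reader pictures the stack growing. Describing the canary as sitting between the buffers and the return address would remove the ambiguity.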
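Review bot: In the spamd entry of the @@ -124,7 +139,11 @@ hunk, "handles connections based on black lists and white lists, tar-pits the connections" reads as though every redirected connection is tar-pitted, including senders on a white list. Suggest stating which connections are tar-pitted and what happens to the others, so the sentence describes the behaviour for each list rather than leaving the reader to infer it.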