hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20061004] Article: Recent Security Enhancements in NetBSD
SecurityFocus published a report by Elad Efrat on "Recent Security Enhancements in NetBSD": ``Running on almost twenty different architectures, and easily portable to others, NetBSD gained its reputation as the most portable operating system on the planet. While that may indicate high quality code, the ever demanding networked world cares about more than just that. Over the past year, NetBSD evolved quite a bit in various areas. This paper, however, will focus on those aspects relating to security.''

The article covers overall security considerations like code auditing, exploit mitigation and layered security, then gives more details about NetBSD's perception of security. It continues with an overview of recent NetBSD security enhancements, including details on kernel authorization, verified exec (veriexec) and measures for exploit mitigation like PaX MPROTECT and the SSP (Stack Smashing Protection) compiler extensions. Further features discussed include information filtering, strong digital checksum support and the fileassoc framework. After highlighting those features that are already present in NetBSD today, the article outlines current and future security research and development. Items of interest there are deprecation of using the kernel virtual memory interface, digitally signed files, access control lists (ACLs) and capabilities. An analysis of the components' interaction in light of layered security follows, discussing measures that can be taken on five different levels.

To cite from the conclusion of the article: ``While it is true that a lot of work is still ahead of us, this paper exposed the lot of work that is behind us. Over the past year NetBSD improved a lot on the security front, and it is expected that these efforts will pay off - if not already - within the next major release.''



Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Copyright (c) Hubert Feyrer