Subject: Re: Importing PaX features to NetBSD
To: Elad Efrat <>
From: Jason V. Miller <>
List: tech-security
Date: 12/19/2005 13:06:02
I sent an e-mail to Elad after his original post, and he encouraged me to
forward my thoughts to the list. I'll try to be as brief as possible, as I
know this list is reserved for technical discussion.

For what it's worth, as a user of NetBSD there is no security-related
technology that I'd rather have included in the operating system than the PaX
feature-set. If implemented correctly and in its entirety, it all but
eliminates several classes of vulnerabilities from userland applications. I
don't think I'm exaggerating when I say that PaX is one of the most effective
security innovations in use today, and that it is probably the single most
important feature set that could be incorporated into NetBSD to help increase
it's resilience against attacks.

While implementing the entire PaX feature-set into NetBSD might not be a
trivial task, I believe that it's very worthwhile, and couldn't imagine a
better project to dramatically enhance the overall security of NetBSD.

Best Regards,


On Sun, Dec 18, 2005 at 02:13:34AM +0200, Elad Efrat wrote:
> Hi,
> There's a Linux hardening project called PaX. Few years ago it
> introduced some new interesting approaches to security, that over time
> proved themselves to be of help when facing mostly unknown threats. The
> idea behind this approach is that you design the security of the system
> to prevent the exploit, and not the vulnerability.
> The PaX project can be found on the web at


> What I would like to discuss is the possibility of importing two
> important features from PaX -- ASLR and MPROTECT.
> I've CC'd this mail to the PaX author, who knows about this stuff a lot
> more than I do (and is in general a very cool dude :) so he could give
> his comments during the discussion; please CC him on replies as well.
> Thanks,
> -e.
> -- 
> Elad Efrat

Jason V. Miller, Threat Analyst