Methods: a significant caveat


Any one mechanism (alone) may be insufficient to stop an attack:

People have found ways around ASLR (in isolation)
People have found ways around W^X (in isolation)
SSP does not discover all types of  frame damage
Too much address-space randomizaton -> fragmentation
    in kernel page management -> performance lost,
    feature gets disabled...

No mathematical proof that a collection of these mechanisms
blocks attacks

But that is not same as saying "Don't try"

With those thoughts in mind, we started work and deploying them
in OpenBSD releases.