Posted by: Michael Shigorin
on September 01, 2007 10:56 AM
Just think, everything else more than likely cannot be made that.
What's easier, several dozen glibc sanitization patches and review of the basesystem or a custom kernel? Privilege separated services running in preferably empty chroots under OpenVZ (if one really wants, that can be stuffed under Xen yet) or "flexibility" which is sharp two-sided weapon regarding security? (and I'd start on someWeirdHardwarePlatform side when applying the principle of most surprise to potential intruder)