Of tactical approaches, the OpenBSD team has clearly done the best job. I still advocate fixing root causes or high-confidence mechanisms wherever possible. They merit praise for what they pull off on the other side of the fence with UNIX apps I'd have little confidence in protecting outside of costly, isolation architectures and obfuscation schemes.<p>This is my favorite, though, as it's a high-assurance principle in action:<p>"When you free() an object >= pagesize, it gets unmapped using munmap(). Therefore, <i>access after free() becomes a detectable crash.</i>"<p>That's the fail-safe principle in action per Saltzer and Shroeder. Can't stop every, potential failure in some area? Just make it crash hard, noticeably, and hopefully with enough detail to spot & fix the problem. Another line of research in high-assurance CompSci is to, via hardware or software, taint the incoming data with optional profiles of system code that stops and details circumstances of any code injection. Always interesting stuff developing along these lines.<p>Far as Saltzer and Shroeder principles, I accidentally found this in Google that explains them with Star Wars scenarios. Pretty good.<p><a href="http://emergentchaos.com/the-security-principles-of-saltzer-and-schroeder" rel="nofollow">http://emergentchaos.com/the-security-principles-of-saltzer-...</a>