How about adopting an architecture that incorporates special-purpose security safeguards into the CPU? Routers and switches don't need to execute arbitrary code, Cisco knows ahead of time, before they deploy a product, what code that product should be allowed to execute.
But how many times over the years has a IOS upgrade added a useful feature? .. securing the physical hardware to not accept new (aka: 'arbitrary') code would make a *lot* of rack-mount paperweights.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
