http://blogs.zdnet.com/security/?p=1325
All are very good improvements. Apple has expressed interest in implementing more restrictions with code signing and making core system components require it will make it that much harder for someone to install stuff in the system and go undetected. It seems they're already moving towards 64 bit processes for all their apps as well.
- Full address space randomization
- No Execute on heap, not just the stack
- 64 bit processes: Function arguments passed in registers, not the stack. Makes it much harder to exploit with address space randomization and NX on heap and stack
- Fully sandbox vulnerable applications like Safari & Mail
- Mandatory code signing for kernel extensions. This would stop a malicious kernel extension from being loaded if it wasn't cryptographically signed by the author.
All are very good improvements. Apple has expressed interest in implementing more restrictions with code signing and making core system components require it will make it that much harder for someone to install stuff in the system and go undetected. It seems they're already moving towards 64 bit processes for all their apps as well.