Grsec/PaX and Exec-shield

[Tiago Assumpção <module@whatever.org.ar>]

Hello.
I would like to point out certain things.

 

First of all, maybe the most important, we have the freedom problem here.
It´s CLEAR, after analyzing his own words, that our friend Russell Coker
has a big interest of getting Exec-shield as part of Debian Linux.
That becomes even more clear when you see the affirmation, again his own
words, he's employed by Red Hat.

 

I won't say here that Red Hat, Inc. would be manipulating information
to force Debian users to use one of their products, because I would be going
down, at the same level as Coker. Since I don't know Red Hat's relationship
to this issue, I would go for how non-professional Russel Coker has been
with his posts.

 

In practice:

 

"It seems that exec-shield does 99% of what PaX does (PaX is the most desirable
feature in GRSec)"

 

- I won't go on technical issues since there is the a article Brad (grsecurity),
  comparing OpenBSD's W^X, PaX and exec-shield, that can be found here:
  -> http://grsecurity.net/PaX-presentation_files/frame.htm
  But basicly I am so sure that exec-shield doesn't do half of PaX work.

 

"Maybe we should solve the debate about grsec and standard kernels by adding
exec-shield to the standard Debian kernel source?  Then people who use a
kernel.org kernel can apply the grsec patch (which will not apply to a Debian
kernel source tree), and people who use the Debian kernel source will get
exec-shield by default?"

 

- Who are -you- (the ONLY individual) to define standards on linux kernel
  security designs?

 

"The plan is to get Linus to accept it as a feature for 2.6, but to do this we
need to get it tested more.  It is being tested in Fedora, I think that we
should do the same for Debian.  Getting this patch deployed on large numbers
of Debian machines is what is necessary to get it accepted by Linus."

 

"I will make a kernel-patch package."

 

- Again, I don't understand why you should worry so much about some project
  you don't even own/manage. Or this is for Red Hat?

 

Second of all, in a technical approach, you should compare all of W^X, Grsec/PaX,
Exec-shield. My personal opinion (which doesn't really matter) is that of there
is nothing like grsec/PaX, they are above all the others in so many ways. Will
be easy you people to see, checking the references, reading the theories, studying
the implementations.

 

References should be pointed out:

 

- http://grsecurity.net/PaX-presentation_files/frame.htm
- http://lists.insecure.org/lists/bugtraq/2003/Aug/0137.html
- http://people.redhat.com/mingo/exec-shield/
- http://marc.theaimsgroup.com/?l=openbsd-misc&m=105056000801065&w=2

 

 

 

This is a lot of information, but google for much more! Users need to build their
ideas, and choose what to pick!
Don´t let somebody right the rules and sign out without being aware of what's up.