[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: exec-shield (maybe ITP kernel-patch-exec-shield)

On Mon, 3 Nov 2003 13:47, Gustavo Franco wrote:
> Russell Coker wrote:
> >http://people.redhat.com/mingo/exec-shield/
> >http://kerneltrap.org/node/view/913
> >
> >It seems that exec-shield does 99% of what PaX does (PaX is the most
> > desirable feature in GRSec).  Exec-shield also has support for 2.6 and
> > looks like it will be a standard feature in Red Hat.
> I believe that exec-shield doesn't 99% of what PaX does, do some tests
> with paxtest[1], but
> i like the idea of merge the patch with "debian kernel" in the future.

I quickly checked out paxtest, there are a number of issues listed as 
"Vulnerable", but I believe that some of those are necessary for full 
functionality of programs such as X servers.  The aim of exec-shield is to 
have no need of a "chpax" type program.  Also exec-shield will do even better 
when we have a tool chain supporting PIE, this is already in Fedora, and will 
be in Debian by gcc 3.4 if not before.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: