
Re: exec-shield (maybe ITP kernel-patch-exec-shield)


I am project leader of Adamantix (which was previously called Trusted Debian),
a Debian-based distribution created especially to provide a high level of
security. I am also the author of the paxtest program. I started writing paxtest
to answer the question: ``Does PaX really work as advertised?''. Adding a patch
to the kernel is one thing. Proving that it does anything useful is a different

Everyone can download paxtest[1] and compile and run it. Adamantix users can
simply apt-get install it. The design and implementation of PaX[2] can be found
on the PaX site[3], where you can also download the latest version of the
patch. The paxtest test programs are small enough to be understandable for
those who have some knowledge of low-level stuff. So it should take a couple
of hours to do proper research. It is much better to gather your own facts
than to take Mr. Coker's, Mr. Spender's or my word for granted.

If exec-shield were better than PaX, it would be a matter of reverse
patching PaX and patching in exec-shield plus a kernel compilation to switch
Adamantix to exec-shield. The reason this hasn't happened is simple:
exec-shield does not even come close. Exec-shield is also believed to be
slower than PaX (although I have not seen hard evidence to support that).

So far I have not been able to think of any technical reason why exec-shield
exists at all, let alone a reason why people would want to use it.

[1] http://mail.adamantix.org/paxtest-0.9.4.tar.gz.
[2] http://pageexec.virtualave.net/doc/
[3] http://pageexec.virtualave.net/

Peter Busser
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world
