Re: exec-shield (maybe ITP kernel-patch-exec-shield)
I am project leader of Adamantix (which was previously called Trusted Debian),
a Debian based distribution created especially to provide a high level of
security. I am also author of the paxtest program. I started writing paxtest,
to answer the question: ``Does PaX really work as advertised?''. Adding a patch
to the kernel is one thing. Proving that it does anything useful is a different
Everyone can download paxtest and compile and run it. Adamantix users can
simply apt-get install it. The design and implementation of PaX can be found
on the PaX site, where you can also download the latest version of the
patch. The paxtest test programs are small enough to be understandable for
those who have some knowledge of low-level stuff. So it should take a couple
of hours to do proper research. It is much better to gather your own facts
than to take Mr. Coker's, Mr. Spender's or my word for granted.
If exec-shield were better than PaX, it would be a matter of reverse
patching PaX and patching in exec-shield plus a kernel compilation to switch
Adamantix to exec-shield. The reason this hasn't happened is simple:
exec-shield does not even come close. Exec-shield is also believed to be
slower than PaX (although I have not seen hard evidence to support that).
So far I have not been able to think of any technical reason why exec-shield
exists at all, let alone a reason why people would want to use it.
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world
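A minimal paxtest-style probe of the kind the message refers to, added here as an illustration (it is not paxtest's own code and not part of the original message): it forks a child that tries to execute a single `ret` from an anonymous page, first mapped read+write only and then read+execute, and reports whether the kernel denied the first and allowed the second. The `ret` encodings, the result codes and the function names are constructed for this example.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Encoding of a bare "ret" for the host CPU (constructed for this example). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#endif

enum exec_result { EXEC_RAN = 0, EXEC_KILLED = 1, EXEC_ERROR = -1 };

/* Fork a child that writes "ret" into a fresh anonymous page, sets the page to
 * `prot`, and jumps into it. EXEC_RAN: the child returned (page executable).
 * EXEC_KILLED: the kernel killed it (execution denied). EXEC_ERROR: setup failed. */
static int try_exec_from(int prot)
{
    pid_t pid = fork();
    if (pid < 0) return EXEC_ERROR;
    if (pid == 0) {
        size_t len = (size_t)sysconf(_SC_PAGESIZE);
        void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (page == MAP_FAILED) _exit(2);
        memcpy(page, RET_INSN, sizeof RET_INSN);
        if (mprotect(page, len, prot) != 0) _exit(2);
        __builtin___clear_cache((char *)page, (char *)page + len);
        ((void (*)(void))page)();   /* faults here if the page is not executable */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return EXEC_ERROR;
    if (WIFSIGNALED(status)) {
        int sig = WTERMSIG(status);
        return (sig == SIGSEGV || sig == SIGBUS || sig == SIGILL) ? EXEC_KILLED : EXEC_ERROR;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? EXEC_RAN : EXEC_ERROR;
}

/* Probes: a writable page must be refused; a read+execute page must run. */
int nx_enforced(void) { return try_exec_from(PROT_READ | PROT_WRITE) == EXEC_KILLED; }
int rx_works(void) { return try_exec_from(PROT_READ | PROT_EXEC) == EXEC_RAN; }

int main(void) { printf("RW exec denied: %d, RX exec ok: %d\n", nx_enforced(), rx_works()); return 0; }
```

A kernel that enforces non-executable pages prints `RW exec denied: 1, RX exec ok: 1`; on a kernel without such enforcement the first value is 0, which is exactly the kind of result paxtest is meant to surface.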