Re: exec-shield (maybe ITP kernel-patch-exec-shield)
Hi!
I am project leader of Adamantix (which was previously called Trusted Debian),
a Debian based distribution created especially to provide a high level of
security. I am also author of the paxtest program. I started writing paxtest,
to answer the question: ``Does PaX really work as advertised?''. Adding a patch
to the kernel is one thing. Proving that it does anything useful is a different
thing.
Everyone can download paxtest[1] and compile and run it. Adamantix users can
simply apt-get install it. The design and implementation of PaX[2] can be found
on the PaX site[3], where you can also download the latest version of the
patch. The paxtest test programs are small enough to be understandable for
those who have some knowledge of low-level stuff. So it should take a couple
of hours to do proper research. It is much better to gather your own facts
than to take Mr. Coker's, Mr. Spender's or my word for granted.
If exec-shield would be better than PaX, it would be a matter of reverse
patching PaX and patching in exec-shield plus a kernel compilation to switch
Adamantix to exec-shield. The reason this hasn't happened is simple,
exec-shield does not even come close. Exec-shield is also believed to be
slower than PaX (although I have not seen hard evidence to support that).
So far I have not been able to think of any technical reason why exec-shield
exists at all, let alone a reason why people would want to use it.
[1] http://mail.adamantix.org/paxtest-0.9.4.tar.gz.
[2] http://pageexec.virtualave.net/doc/
[3] http://pageexec.virtualave.net/
Groetjes,
Peter Busser
--
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world
http://www.adamantix.org/
Reply to: