
Re: PaX on Debian



On Sun, Jul 25, 2004 at 02:26:15PM -0400, John Richard Moser wrote:

> |   I have been flirting with SSP for months now, but the most recent
> |  patches included with GCC do not apply cleanly.  Watch for a bug
> |  against GCC shortly with updated SSP patches.
> |
> 
> Yeah, I think 3.3.4 on Gentoo has SSP

  It does.

> The binutils adds the header field needed for the PaX flags for paxctl.
> This is important, because chpax uses an "unused" area in the header,
> which is deprecated.  Also, tools like strip will zero the chpax flags,
> making them extremely volatile.

  Shouldn't strip be updated to ignore this 'unused' field, or 
 would it be more sensible to set aside a real area for the flag?  ELF
 is simple to update with new sections and maybe adding support for
 the runtime loader/linker would be more future proof..

> |   SSP is remarkably simple to apply and works with all packages I've
> |  been able to test on x86.
> |
> 
> Firefox sets off SSP itself on load.

  When you say 'sets off' do you mean disable?  I find that unlikely,
 as it's not the kind of thing that can be disabled when all the 
 canary checking code is incorporated into the binary...

> "Stack Smash Protection" is the new name of ProPolice?  o_o  Thought
> that was the name of the concept.

  SSP is the name for one implementation of stack smashing protection
 which was previously known as ProPolice.
  It's available from IBM at the following URL:

	http://www.trl.ibm.com/projects/security/ssp/

> |   I've not noticed this - Mozilla certainly seems fine with SSP
> |  compilers.  I've been using it on my own unstable boxes for some
> |  time.  What, specifically, breaks?
> |
> 
> Not sure.  I'm going by what I've been told by the Gentoo devs; I'm a
> Hardened Gentoo user.

  But interested in Debian?

> SELinux and SSP do two different things.  SSP prevents the program from
> being exploited; SELinux contains the exploit.

  That's a simplistic explanation .. but it's not too far from
 the truth ;)

> PaX also aims to prevent the program from being exploited.

  The randomization is an interesting technique and it seems a
 sufficiently simple concept that it would be interesting to
 see how well it works.

Steve
--
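
The point in this message about chpax flags in an "unused" header area versus a dedicated field for paxctl can be checked on a constructed ELF image; this Python sketch is an added example, not code from the thread or from the PaX tools. It assumes the unused area is the `e_ident` padding (byte 14 is used here as an illustrative position), takes `PT_PAX_FLAGS` as `PT_LOOS + 0x5041580`, and models a header-rewriting tool with the hypothetical helper `rewrite_header`; the flag values are constructed.

```python
import struct

PT_PAX_FLAGS = 0x65041580          # PT_LOOS + 0x5041580, program header read by paxctl
EI_PAD_START, EI_NIDENT = 9, 16    # e_ident padding bytes, "unused" per the ELF spec

def build_elf64(pad_flags, phdr_flags):
    """Constructed minimal little-endian ELF64: header plus one PT_PAX_FLAGS phdr."""
    e_ident = bytearray(b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7))
    e_ident[14] = pad_flags        # assumption: legacy marking kept in the padding
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, phdr_flags, 0, 0, 0, 0, 0, 8)
    return bytes(e_ident) + hdr + phdr

def pax_markings(image):
    """Return both places a PaX marking can live in a little-endian ELF64 image."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("expects a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    phdr_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", image, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            phdr_flags = p_flags
    return {"legacy_padding": image[EI_PAD_START:EI_NIDENT],
            "pt_pax_flags": phdr_flags}

def rewrite_header(image):
    """Hypothetical model of a tool that regenerates e_ident with zeroed padding."""
    return image[:EI_PAD_START] + bytes(EI_NIDENT - EI_PAD_START) + image[EI_NIDENT:]

if __name__ == "__main__":
    original = build_elf64(pad_flags=0x20, phdr_flags=0x1000)  # constructed values
    for label, img in (("before", original), ("after", rewrite_header(original))):
        m = pax_markings(img)
        print(label, m["legacy_padding"].hex(), m["pt_pax_flags"])
```

The marking in the padding is gone after the rewrite, while the one carried in a real program header entry is still there, which is why a dedicated field is less fragile.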
