
Re: Switch on compiler hardening defaults



On Mon, Oct 26, 2009 at 09:41:59PM +0100, Christoph Anton Mitterer wrote:
> Ever thought about integrating PaX [0] per default in Debian?

What features does the grsecurity patch provide currently? I know that
several of the mentioned PaX features are supported in vanilla kernel in
the meantime:
- Non-executable memory on x86-32 with PAE.
- Randomized stack and heap bases.
- /dev/mem is highly restricted now, /dev/kmem removed.

What would be a step forward:
- Move all newer x86 32bit machines to PAE to support non-executable
  pages.
- Make any code PIC, including binaries (PIE) and static libs.

> I'm however not sure how much this actually breaks ;)

It takes too much compile time configuration, so don't even think about
it.

Bastian

-- 
Phasers locked on target, Captain.
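As an added example, not part of this message or of Debian's tooling: a small Python check of two of the properties discussed above, whether an executable was built as PIE (ELF type ET_DYN rather than ET_EXEC) and whether its PT_GNU_STACK program header marks the stack non-executable. It assumes little-endian ELF64 input and runs over constructed minimal images rather than real binaries.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type values: fixed-address executable vs. position-independent
PT_GNU_STACK = 0x6474E551       # program header that carries the requested stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def elf_hardening(data: bytes) -> dict:
    """Report PIE and non-executable-stack status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 0x10)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    # With no PT_GNU_STACK entry the loader historically falls back to an executable stack.
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    # ET_DYN also covers shared objects; for a program binary it means PIE.
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def build_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed sample: ELF64 header followed by a single PT_GNU_STACK program header."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, version 1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,        # e_type, e_machine (x86-64), e_version
        0, 64, 0,             # e_entry, e_phoff (directly after the 64-byte header), e_shoff
        0, 64, 56, 1,         # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0,             # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    hardened = build_elf(ET_DYN, PF_R | PF_W)          # PIE, RW stack
    legacy = build_elf(ET_EXEC, PF_R | PF_W | PF_X)    # fixed load address, RWX stack
    print("hardened:", elf_hardening(hardened))
    print("legacy:  ", elf_hardening(legacy))
```

On a real system the same two facts are what `readelf -h` (Type: DYN vs EXEC) and `readelf -l` (GNU_STACK flags) report for an installed binary.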

