
Re: Enabling hardened build flags for Wheezy




Hi,

On 01.03.2012 17:01, Joey Hess wrote:
> Moritz Muehlenhoff wrote:
>> 1. dpkg-buildflags exports hardened build flags. These hardened
>> build flags mitigate/nullify some classes of security
>> vulnerabilities and make exploitation of security problems more
>> difficult.
> 
> At least temporarily. Are you familiar with Return Oriented
> Programming and similar technologies for getting around these
> protections?

ASLR and similar technologies can further mitigate effects of
return-to-libc and type of attacks. That would lead us back to the
grsecurity/PaX discussion we had a few weeks ago.

The vanilla kernel itself has some ASLR protection as well, although I
think it is still not enabled by default in Debian (and is perhaps
weaker than PaX).


-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

