Re: Proposing amd64-hardened architecture for Debian
Hi,
On 18/04/2014 00:15, Kevin Chadwick wrote:
> OpenBSD employs randomisation all over and recently starting with the
> boot loader.
I do not object to use such techniques (randomisation for example) by
default. However, it must be easy to disable them.
Indeed: not all computers are are used as servers where security must be
really strong. Some computers are used to do development. And, in this case,
randomization is sometime really annoying: each time you re-run your program,
all variables have a new address under gdb. So, if you want to use the 'watch'
command, you need first to find again and again the address of the field of
the structure you are interested on.
So please, take such usages into account when pushing for a better
security: document an easy way to revert to the less secure but
deterministic/non hidden/... runtime mode. It can be as simple as
documenting "kernel.randomize_va_space=0" sysctl parameter for example.
Regards,
Vincent
--
Vincent Danjean GPG key ID 0xD17897FA vdanjean@debian.org
GPG key fingerprint: 621E 3509 654D D77C 43F5 CA4A F6AE F2AF D178 97FA
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main
Reply to: