Re: openwall kernel patch

According to Nik Engel:
> Hi!
> How are your results using the openwall kernel patch?
> www.openwall.com
> Any experience?

Hi!

I've used it to compare its efficiency to other buffer overflow protections.

I would suggest you have a look at the Grsecurity patch if you intend to
have OW working on a 2.4 kernel. Moreover, this also includes PaX, which is
more complete. Find it at: http://www.grsecurity.net/

OpenWall will offer you non-executability of the stack, among other things (but
this is one of its most interesting features). You have no heap protection
though, and it does not protect against return-into-libc attacks, I think.
Nevertheless, it's a first protection...

PaX offers stack and heap non-executability, as well as mmap randomization, and
Grsecurity adds another layer with some /proc restrictions. All this leads to
stack + heap protection, and makes return-into-libc (nearly?) impossible.

Of course it makes PaX "heavier" for your system (and it seems there's some
trouble with Java, Ada... but I haven't experienced it), but it is an excellent
solution.

I'm sorry for this digression from OpenWall to PaX, but I think this is
a great patch! :)

Hope it will help...
Vincent
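The thread above compares what the Openwall patch and PaX enforce (non-executable stack, non-executable heap, mmap randomization) without showing how to verify it on a running kernel. The program below is an added example, written for this page and not taken from the thread or from the Openwall, PaX or Grsecurity projects: it places a single return instruction on the stack, in a malloc()ed block, and in an anonymous mapping with a chosen protection, jumps to it under a SIGSEGV/SIGBUS handler, and reports whether the jump came back (page executable) or faulted (page protected). Running the binary twice and comparing the printed mmap base shows whether mmap randomization is active. It assumes a Linux host on x86 or AArch64 and a GCC or Clang compiler (for __builtin___clear_cache and the aligned attribute); the function names probe_stack, probe_heap, probe_mmap and try_exec are this example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Encoding of a bare "return" instruction: once control reaches it, the
 * probe either comes straight back (page executable) or has already faulted. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "add the return-instruction encoding for this architecture"
#endif

static sigjmp_buf probe_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);   /* back into try_exec() with the signal mask restored */
}

/* Jump to p (which must already hold ret_insn). Returns 1 if the call came
 * back, 0 if the instruction fetch raised SIGSEGV or SIGBUS. */
static int try_exec(void *p)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int executable;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(probe_env, 1) == 0) {
        ((void (*)(void))p)();   /* executes ret_insn if the page allows it */
        executable = 1;
    } else {
        executable = 0;          /* arrived here from on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return executable;
}

/* Copy the return instruction into a writable buffer and flush the
 * instruction cache (required on AArch64, harmless on x86). */
static void place_ret(void *p)
{
    memcpy(p, ret_insn, sizeof ret_insn);
    __builtin___clear_cache((char *)p, (char *)p + sizeof ret_insn);
}

/* 1 if code written to a stack buffer runs, 0 if the stack is non-executable. */
int probe_stack(void)
{
    unsigned char buf[64] __attribute__((aligned(16)));
    place_ret(buf);
    return try_exec(buf);
}

/* 1 if code written to a malloc()ed block runs, 0 if the heap is non-executable,
 * -1 if the allocation failed. */
int probe_heap(void)
{
    unsigned char *buf = malloc(64);
    int r;
    if (!buf)
        return -1;
    place_ret(buf);
    r = try_exec(buf);
    free(buf);
    return r;
}

/* Map one anonymous page, write the instruction while it is writable, switch
 * the page to `prot`, then try to run it. Returns 1/0 as above, or -1 when the
 * mapping or the protection change is refused (e.g. by a W^X policy). */
int probe_mmap(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int r;
    if (p == MAP_FAILED)
        return -1;
    place_ret(p);
    if (mprotect(p, pagesz, prot) != 0) {
        munmap(p, pagesz);
        return -1;
    }
    r = try_exec(p);
    munmap(p, pagesz);
    return r;
}

int main(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *base = mmap(NULL, pagesz, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    printf("stack executable     : %d\n", probe_stack());
    printf("heap executable      : %d\n", probe_heap());
    printf("mmap R   executable  : %d\n", probe_mmap(PROT_READ));
    printf("mmap R+X executable  : %d\n", probe_mmap(PROT_READ | PROT_EXEC));
    printf("mmap base: %p  (run twice: a different address each time means mmap randomization)\n", base);
    return 0;
}
```

The stack and heap results are what a non-executable-stack patch (Openwall) and a stack+heap patch (PaX) change; a kernel without either reports 1 for both on hardware where read implies execute. The PROT_READ-only mapping should always fault, and the PROT_READ|PROT_EXEC one should run unless a policy such as PaX MPROTECT refuses the mprotect() call, in which case probe_mmap() reports -1 rather than guessing.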