Re: openwall kernel patch
According to Nik Engel:
> Hi !
> How are your results using the openwall kernel patch ?
> www.openwall.com
> Any experience ?
Hi !
I've used it to compare its efficiency to other buffer overflow protections.
I would suggest you have a look at the Grsecurity patch if you intend to
have OW working on a 2.4 Kernel. Moreover this also includes PaX, which is
more complete. Find it at: http://www.grsecurity.net/
OpenWall will offer you non-executability of the stack, among others (but this
is one of its most interesting features). You have no heap protection though,
and it does not protect against return-into-libC attacks, I think.
Nevertheless it's a first protection...
PaX offers stack and heap non-executability, as well as mmap randomization and
Grsecurity adds another layer with some /proc restrictions. All this leads to
stack + heap protection, and makes return-into-libC (nearly?) impossible.
Of course it makes PaX "heavier" for your system (and it seems there's some
trouble with java, ada... but I haven't experienced it) but it is an excellent
solution.
I'm sorry for this digression from Open Wall to PaX, but I think this is
a great patch ! :)
Hope it will help...
Vincent
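
A check for the protections discussed in this message, as an added example that is not part of the original post: it parses /proc/<pid>/maps text, lists stack/heap/anonymous regions that are both writable and executable, and tells whether a library's base address differs between two runs. It assumes the maps format of current Linux kernels with [heap] and [stack] labels; the function names and the sample captures are constructed for illustration.

```python
import re

# start-end perms offset dev inode [path]
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text):
    """Return (start, end, perms, label) tuples from /proc/<pid>/maps text."""
    regions = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return regions

def executable_data_regions(text):
    """Labels of stack, heap or anonymous regions that are writable AND executable."""
    bad = []
    for start, _end, perms, label in parse_maps(text):
        if "w" in perms and "x" in perms and label in ("[stack]", "[heap]", ""):
            bad.append(label or "anon@%x" % start)
    return bad

def base_of(text, suffix):
    """Lowest start address among mappings whose path ends with suffix, or None."""
    starts = [s for s, _e, _p, label in parse_maps(text) if label.endswith(suffix)]
    return min(starts) if starts else None

def mapping_randomized(run_a, run_b, suffix):
    """True if the mapping's base address differs between two captures."""
    a, b = base_of(run_a, suffix), base_of(run_b, suffix)
    if a is None or b is None:
        raise ValueError("mapping not present in both captures: " + suffix)
    return a != b

def sample(data_perms, libc_base):
    """Constructed maps capture; addresses are illustrative, not from a real host."""
    return (
        "08048000-0804c000 r-xp 00000000 03:01 1234 /bin/cat\n"
        "0804d000-0806e000 %sp 00000000 00:00 0 [heap]\n"
        "%08x-%08x r-xp 00000000 03:01 5678 /lib/libc.so.6\n"
        "bfffe000-c0000000 %sp 00000000 00:00 0 [stack]\n"
        % (data_perms, libc_base, libc_base + 0x119000, data_perms)
    )

if __name__ == "__main__":
    plain = [sample("rwx", 0x40017000), sample("rwx", 0x40017000)]
    hardened = [sample("rw-", 0x40017000), sample("rw-", 0x4A3B2000)]
    for name, (a, b) in (("unpatched", plain), ("hardened", hardened)):
        print(name, "W+X data regions:", executable_data_regions(a),
              "libc base randomized:", mapping_randomized(a, b, "libc.so.6"))
```

On a live system, feed it the contents of /proc/<pid>/maps captured from two separate runs of the same program.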