[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PaX on Debian



On Mon, 26 Jul 2004 02:57, John Richard Moser <nigelenki@comcast.net> wrote:
> I'm interested in discussing the viability of PaX on Debian.  I'd like
> to discuss the changes to the base system that would be made, the costs
> in terms of overhead and compatibility, the gains in terms of security,
> and the mutability (elimination) of the costs.

Before we can even start thinking about PaX on Debian we need to find a 
maintainer for the kernel patch who will package new versions of the patch 
which apply to the Debian kernel source tree.  We have had a few flame-wars 
about this in the past which have had no positive result because no-one has 
volunteered to do the kernel coding work.

> A PaX protected base system would be best compiled ET_DYN, which can be
> done by using modified spec files or a specially patched gcc to make
> pies-by-default binaries.  Certain things don't compile this way; and
> thus would need this functionality disabled (modified spec, -fno-pic
> -nopie).  This will be discussed in greater detail later.

Debian does not use spec files, spec files are for RPM based distributions.  
It would have to be a modification to debian/rules in all the packages, or a 
modification to gcc and/or dpkg-buildpackage.

> A PaX protected base would also benefit from Stack Smash Protection,
> which can be done via the gcc patch ProPolice.  This imposes minimal
> overhead, which will be discussed in greater detail later.  It overlaps
> and extends many of the protections PaX offers, but catches earlier on;
> and is thus a good system to pair with PaX.

We have recently discussed this on at least one of the lists you posted to.  
The end result of the discussion is that GCC is getting another SSP type 
technology known as "mudflap".  Mudflap depends on some major new features of 
GCC 3.5, so it looks like we won't be getting this until GCC 3.5 as the 
Debian GCC people don't want to merge in other patches which have no apparent 
chance of being included upstream.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



Reply to: