
Re: NSA software in Debian



On Wed, 22 Jan 2014 16:16:21 -0800
Andrew Merenbach <andrew@merenbach.com> wrote:

> I installed the i386 architecture and installed the `paxtest' suite.  My results were fairly disappointing, to be honest:

> > $ sudo paxtest blackhat
> > Executable anonymous mapping (mprotect)  : Vulnerable
> > Executable bss (mprotect)                : Vulnerable
> > Executable data (mprotect)               : Vulnerable
> > Executable heap (mprotect)               : Vulnerable
> > Executable stack (mprotect)              : Vulnerable
> > Executable shared library bss (mprotect) : Vulnerable
> > Executable shared library data (mprotect): Vulnerable
> > Writable text segments                   : Vulnerable

It's a good idea to configure the kernel (grsec options) before
recompiling. Probably the MPROTECT feature is not enabled in the kernel,
or your CPU doesn't have the NX bit feature.

> A followup there links to the following bug, "linux-2.6: [RFC] Add a grsec featureset to Debian kernels":
> 
>     <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090>

This would of course be the real solution.

-- 
Education is a process of making people see what is advanced and not
obvious, but also not see what is basic and obvious.

http://markorandjelovic.hopto.org
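
A quick way to check the two causes suggested in the reply above, as an added example that is not part of the original message. It assumes a Debian-style kernel config at `/boot/config-$(uname -r)` and the PaX option name `CONFIG_PAX_MPROTECT`; the function names and verdict words are made up for this example.

```shell
#!/bin/sh
# Added example: checks whether the CPU reports NX and whether the running
# kernel was built with PaX MPROTECT. File paths are parameters so the
# functions can also be run against saved copies from another machine.

# cpu_has_nx CPUINFO: succeeds if the first "flags" line lists "nx".
cpu_has_nx() {
    grep -E '^flags[[:space:]]*:' "$1" | head -n 1 |
        grep -Eq '(^|[[:space:]])nx([[:space:]]|$)'
}

# kernel_has_mprotect CONFIG: succeeds only for an explicit "=y";
# "# CONFIG_PAX_MPROTECT is not set" or a missing line both count as off.
kernel_has_mprotect() {
    grep -q '^CONFIG_PAX_MPROTECT=y$' "$1"
}

# diagnose CPUINFO CONFIG: prints one verdict word (hypothetical labels).
diagnose() {
    cpuinfo=$1
    config=$2
    if [ ! -r "$cpuinfo" ] || [ ! -r "$config" ]; then
        echo "unknown"          # cannot read one of the inputs
        return 0
    fi
    nx=no
    mp=no
    if cpu_has_nx "$cpuinfo"; then nx=yes; fi
    if kernel_has_mprotect "$config"; then mp=yes; fi
    case "$nx/$mp" in
        yes/yes) echo "ok" ;;                  # both prerequisites present
        yes/no)  echo "mprotect-disabled" ;;   # rebuild with the option set
        no/yes)  echo "no-nx" ;;               # CPU does not report NX
        *)       echo "both" ;;                # neither prerequisite present
    esac
}

# Default invocation against the running system (assumed Debian paths).
diagnose "${1:-/proc/cpuinfo}" "${2:-/boot/config-$(uname -r)}"
```

A verdict of `ok` means neither of the two suggested causes applies, so the `Vulnerable` results would need another explanation.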

