[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NSA software in Debian

On Wed, 22 Jan 2014 16:16:21 -0800
Andrew Merenbach <andrew@merenbach.com> wrote:

> I installed the i386 architecture and installed the `paxtest' suite.  My results were fairly disappointing, to be honest:

> > $ sudo paxtest blackhat
> > Executable anonymous mapping (mprotect)  : Vulnerable
> > Executable bss (mprotect)                : Vulnerable
> > Executable data (mprotect)               : Vulnerable
> > Executable heap (mprotect)               : Vulnerable
> > Executable stack (mprotect)              : Vulnerable
> > Executable shared library bss (mprotect) : Vulnerable
> > Executable shared library data (mprotect): Vulnerable
> > Writable text segments                   : Vulnerable

It's a good idea to configure the kernel (grsec options) before
recompiling. Probably MPROTECT feature is not enabled in kernel, or your
CPU doesn't have NX bit feature.

> A followup there links to the following bug, "linux-2.6: [RFC] Add a grsec featureset to Debian kernels":
>     <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090>

This would of course be the real solution.

Education is a process of making people see what is advanced and not
obvious, but also not see what is basic and obvious.


Reply to: