[rsbac] Fwd: some PaX Q&A
Amon Ott
ao at rsbac.org
Wed Feb 26 11:16:53 MET 2003
---------- Forwarded Message ----------
Subject: some PaX Q&A
Date: Wed, 26 Feb 2003 01:13:14 +0100
From: pageexec at freemail.hu
To: Amon Ott <ao at rsbac.org>
hello,

i was just browsing the RSBAC mail archives and saw that you and
others were discussing PaX. i'd like to clarify some of the issues
raised:

1. PaX and Solar Designer's patch: they are unrelated to each other,
   the link on our site is because his is another attempt for a similar
   thing that PaX does (along w/ RSX and kNoX). note also that his
   patch is not a true non-executable patch like PaX, it makes only
   the primary thread's stack non-executable (and only the upper 8 MB
   of it, but that's probably not a problem in real life for most apps).

2. stability: anything before last december is not comparable in quality
   to the current patches, so (bad) experiences based on them should be
   reevaluated before making a decision.

3. recompilation/linking: this is indeed the encouraged way to fully
   utilize randomization, and since one of the guys seems to be working
   on a distro (trusted debian if i'm not mistaken), it'd actually be an
   interesting initiative to begin to provide new make targets for the
   most affected daemons and produce the ET_DYN ELF executables without
   further user intervention. for some examples you can take a look at
   http://www.grsecurity.net/grsec-et_dyn.tar.gz which should give you
   an idea about the changes needed (normally a few lines of change in
   the makefiles). also check out et_dyn.zip on the PaX site, it'll be
   needed to produce position independent executables.
-------------------------------------------------------
--
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
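
Added example, not part of the original message and not PaX or RSBAC code: a small audit helper for point 3 that reads e_type from an ELF header and lists which binaries are still ET_EXEC and would need the relinking described above. The daemon names and sample headers are constructed; treating ET_DYN with a PT_INTERP segment as an executable rather than a shared library is an assumption of this sketch (a statically linked ET_DYN executable has no PT_INTERP).

```python
import struct

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3  # constants from the ELF specification

def classify_elf(data: bytes) -> str:
    """Classify an ELF image by e_type; split ET_DYN on presence of PT_INTERP."""
    if data[:4] != b"\x7fELF" or len(data) < 6:
        raise ValueError("not an ELF file")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("unknown EI_CLASS or EI_DATA")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    try:
        e_type = struct.unpack_from(end + "H", data, 16)[0]
        if e_type == ET_EXEC:
            return "ET_EXEC"                    # linked at a fixed address
        if e_type != ET_DYN:
            return "other"                      # ET_REL, ET_CORE, ...
        if data[4] == 1:                        # ELFCLASS32 field offsets
            phoff = struct.unpack_from(end + "I", data, 28)[0]
            phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        else:                                   # ELFCLASS64 field offsets
            phoff = struct.unpack_from(end + "Q", data, 32)[0]
            phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        for i in range(phnum):                  # p_type is the first word in both classes
            if struct.unpack_from(end + "I", data, phoff + i * phentsize)[0] == PT_INTERP:
                return "ET_DYN executable"
    except struct.error:
        raise ValueError("truncated ELF header") from None
    return "ET_DYN shared object"

def build_elf32(e_type, p_types):
    """Constructed sample: minimal little-endian ELF32 header plus program headers."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32,
                      len(p_types), 0, 0, 0)
    return ident + hdr + b"".join(struct.pack("<I", t) + bytes(28) for t in p_types)

def needs_relink(images):
    """Names of images that are still ET_EXEC and would need rebuilding as ET_DYN."""
    return sorted(n for n, d in images.items() if classify_elf(d) == "ET_EXEC")

# Hypothetical daemon names with constructed headers (PT_LOAD=1, PT_DYNAMIC=2).
SAMPLES = {
    "daemon_a": build_elf32(ET_EXEC, [3, 1, 2]),
    "daemon_b": build_elf32(ET_DYN, [3, 1, 2]),
    "libfoo.so": build_elf32(ET_DYN, [1, 2]),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(name, "->", classify_elf(image))
    print("relink:", needs_relink(SAMPLES))
```

To audit real files, pass the first few kilobytes of each binary to classify_elf() in place of the constructed samples.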