Improving security

Arjan van de Ven arjanv at redhat.com
Wed Jan 19 21:49:43 UTC 2005


> Stack Smash Protection sounds like a cool feature to me. I don't know 
> what the performance impact is, but as a developer even if it is too slow 
> to use by default I would love to have it integrated into the gcc 
> shipped by Fedora to make debugging easier.

well.. gcc in fc4 (well rawhide right now) has something that has a
quite similar effect, with basically zero performance impact.
Try it ;)

> 
> PAX uses tricks to get a non executable stack, and assigns random 
> addresses to PIE executables, which Fedora already has in the form of
> Exec Shield, good! But if I understand it correctly PAX does more for 
> example also make data pages non executable, this might be something 
> worth looking into.

Exec-Shield makes data pages also non-executable. There is very little
practical difference between PAX and Exec-Shield protection-wise. There
are theoretical differences, mostly coming from a different viewpoint
(Exec-Shield is about being as secure as possible without breaking
things, while PaX does make the deliberate choice to break things. The
difference is small, the things that "break" are rare. very rare.)
The reason Exec-Shield does this is because the worst thing that can
happen is to be too secure, so secure that all sysadmins just turn it
off entirely.
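
One way to check the property discussed in this message (non-executable stack and data pages) for a running Linux process, as an added example that is not part of the original post: it parses the `/proc/<pid>/maps` format and reports every mapping that is both writable and executable. The sample input and the function name `audit_maps` are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/<pid>/maps format (not captured from a real system).
SAMPLE_MAPS = """\
08048000-08052000 r-xp 00000000 08:01 131090 /usr/bin/demo
08052000-08053000 rw-p 0000a000 08:01 131090 /usr/bin/demo
09a3c000-09a5d000 rw-p 00000000 00:00 0 [heap]
b7e00000-b7e21000 rwxp 00000000 00:00 0
bf9e5000-bfa06000 rwxp 00000000 00:00 0 [stack]
"""

# Fields: address range, permissions, offset, device, inode, optional pathname.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+\S+\s+\S+\s+\d+\s*(.*)$"
)


def audit_maps(text):
    """Return (start, end, perms, label) for each writable AND executable mapping."""
    findings = []
    for line in text.splitlines():
        match = MAPS_LINE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines
        start, end, perms, path = match.groups()
        if "w" in perms and "x" in perms:
            label = path.strip() or "[anonymous]"
            findings.append((int(start, 16), int(end, 16), perms, label))
    return findings


if __name__ == "__main__":
    # Audit this process when /proc is available, otherwise the constructed sample.
    if os.path.exists("/proc/self/maps"):
        with open("/proc/self/maps") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAPS
    results = audit_maps(text)
    for start, end, perms, label in results:
        print(f"W+X mapping {start:08x}-{end:08x} {perms} {label}")
    if not results:
        print("no writable+executable mappings found")
```
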
