From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] overview of PaX features
Date: Thu, 30 Jun 2011 20:03:45 +0400
Message-ID: <20110630160345.GA15258@albatros>
In-Reply-To: <20110629194339.GA15379@openwall.com>

Solar,

On Wed, Jun 29, 2011 at 23:43 +0400, Solar Designer wrote:
> On Wed, Jun 29, 2011 at 10:37:28PM +0400, Vasiliy Kulikov wrote:
> > That's not only about old apps, but also a default relaxed policy for
> > the toolchain:
> >
> > http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
>
> Of course. In my experience, most programs that currently get
> executable stack actually don't need it.
>
> And for gcc trampolines we can include the emulation code in the kernel.

I've looked over the -ow and PaX implementations of trampoline emulation.
Two notes:

1) Are trampolines the only widespread user of executable stack?
(widespread among executable stack needings ;)

2) In the -ow patch the trampoline emulation is very tolerant: it supports
up to 8 movs and then one of 2 jmps. PaX's version distinguishes only 2
specific trampoline implementations and alerts if the code doesn't fit
into these strict patterns. Taking into consideration how long the PaX
patch has existed, I suppose the restricted version covers all (or almost
all) real-world trampoline implementations. The -ow variant would relax
the stack too much.

Btw, there is a tool to change executable stack settings per binary,
written by Jakub Jelinek (Red Hat):

http://linux.die.net/man/8/execstack

Thanks,

--
Vasiliy
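
The per-binary setting that execstack queries and changes is the PT_GNU_STACK program header. The sketch below is an added example, not part of the original message and not code from execstack, -ow or PaX; it reads that marking so a tree of binaries can be audited for executable-stack requests. The names stack_policy and sample_elf64 are hypothetical and the ELF images are constructed for the demonstration.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_policy(elf: bytes) -> str:
    """Return 'exec', 'noexec', or 'unmarked' (no PT_GNU_STACK header)."""
    if elf[:4] != b"\x7fELF" or len(elf) < 6:
        raise ValueError("not an ELF image")
    if elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("bad EI_CLASS or EI_DATA")
    is64 = elf[4] == 2
    end = "<" if elf[5] == 1 else ">"
    if len(elf) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    if e_phnum and e_phentsize < (56 if is64 else 32):
        raise ValueError("bad e_phentsize")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(elf):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32.
        (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "unmarked"

def sample_elf64(flags=None) -> bytes:
    """Constructed test image: ELF64 LE header plus at most one program header."""
    hdr = bytearray(64)
    hdr[:6] = b"\x7fELF\x02\x01"
    struct.pack_into("<Q", hdr, 0x20, 64)  # e_phoff: right after the header
    struct.pack_into("<HH", hdr, 0x36, 56, 0 if flags is None else 1)
    if flags is None:
        return bytes(hdr)
    return bytes(hdr) + struct.pack("<II", PT_GNU_STACK, flags) + bytes(48)

if __name__ == "__main__":
    for label, flags in (("RW", 6), ("RWX", 7), ("no header", None)):
        print(label, "->", stack_policy(sample_elf64(flags)))
```

An "unmarked" result means the binary carries no PT_GNU_STACK header, so the kernel falls back to its architecture default instead of a per-binary setting.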