From: "Anthony G. Basile" <blueness@gentoo.org>
To: kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Trying to get PaX RANDMMAP into the mainstream kernel
Date: Thu, 25 Aug 2011 09:03:59 -0400
Message-ID: <4E56483F.3070701@gentoo.org>

Hi everyone,

I had a brief conversation yesterday with solardiz on
freenode/#openwall. The topic turned to what other hardening code could
go upstream besides the stuff you guys have already been pushing. It
would be nice if we could get PaX RANDMMAP in. It gives better
randomization on mmap addresses, but unfortunately breaks packages which
use pre-compiled headers. [1]

I wrote a little POC program to demonstrate this. [2] Try running it on
vanilla Ubuntu, openSUSE and Gentoo. Then try running it on the same
with a hardened kernel with RANDMMAP enabled.

We came across this issue in a hardened Gentoo bug. In one of the
comments, pipacs <pageexec@freemail.hu> gives a very complete
explanation of the situation. [3] I won't repeat it here.

If RANDMMAP does get in, then this would be incentive to the gcc people
to address the limitations of their gch code. However, the logic works
the other way, so this is also the barrier to getting RANDMMAP upstream.

solardiz had a good idea: have some sysctl in /proc/sys/kernel either
turn it on or off, or allow you to set the amount of randomization.
This eases the impact in a running kernel, so it's not something the user
is stuck with once they configure, compile and reboot.

Also, I don't know if people here are familiar with Hedrick's work. He
has broken up the grsec 50k line monolithic patch into smaller patches
which address each feature individually. Critical if you want to get
any of this stuff upstream.

BTW, Vasiliy, kudos on your GSoC work.

Refs:
[1] http://gcc.gnu.org/onlinedocs/gcc/Precompiled-Headers.html
[2] http://opensource.dyc.edu/pub/misc/pch-poc.tgz
[3] https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
[4] https://www.kernel.org/pub/linux/kernel/people/hedrick/security/README.grsecurity

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
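
An added example, not part of the original message and not the POC in [2]: a probe that checks whether the running kernel places a private file mapping at a requested address when MAP_FIXED is not used, which is what GCC's precompiled-header loader relies on when it reads a .gch file back in. That this is the behaviour RANDMMAP changes is an assumption here, since the message defers the explanation to [3]; the function names and the temporary file are constructed for the illustration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for a saved image file: an empty temp file of `len` bytes. */
int make_image(size_t len)
{
    FILE *f = tmpfile();
    if (!f) return -1;
    int fd = fileno(f);
    return ftruncate(fd, (off_t)len) == 0 ? fd : -1;
}

/* Returns 1 if the kernel mapped `fd` exactly at the requested address,
 * 0 if it chose a different one, -1 if an mmap call failed. */
int hint_honoured(int fd, size_t len)
{
    /* Reserve 3*len to learn a range that is free, then release it. */
    char *base = mmap(NULL, 3 * len, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    munmap(base, 3 * len);
    /* Ask for the middle third: neither a top-down nor a bottom-up search
     * lands there by itself, so a match means the hint was used. */
    void *hint = base + len;
    void *p = mmap(hint, len, PROT_READ, MAP_PRIVATE, fd, 0); /* no MAP_FIXED */
    if (p == MAP_FAILED) return -1;
    munmap(p, len);
    return p == hint;
}

/* Repeat the probe and count how often the hint was honoured. */
int count_honoured(int fd, size_t len, int rounds)
{
    int hits = 0;
    for (int i = 0; i < rounds; i++)
        if (hint_honoured(fd, len) == 1) hits++;
    return hits;
}

int main(void)
{
    size_t len = 16 * (size_t)sysconf(_SC_PAGESIZE);
    int fd = make_image(len);
    if (fd < 0) { perror("make_image"); return 1; }
    int rounds = 32, hits = count_honoured(fd, len, rounds);
    printf("mmap hint honoured in %d of %d attempts\n", hits, rounds);
    return 0;
}
```

A result below the full count means a loader that needs its data back at one particular address cannot depend on the hint on that system.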