article on security of various linux
Dave Jones
davej at redhat.com
Fri Sep 10 03:55:36 UTC 2010
On Thu, Sep 09, 2010 at 10:30:57AM -0400, Gregory Maxwell wrote:
> On Thu, Sep 9, 2010 at 9:45 AM, Neal Becker <ndbecker2 at gmail.com> wrote:
> > This article:
> >
> > http://labs.mwrinfosecurity.com/notices/security_mechanisms_in_linux_environment__part_1___userspace_memory_protection/
> >
> > seems to say that fedora is ranking poorly in deployment of various
> > userspace memory protection mechanisms. Is this information accurate?
>
> I asked about one point of this on LWN:
> Library randomization / prelink
> Posted Sep 8, 2010 18:26 UTC (Wed) by gmaxwell (subscriber, #30048) [Link]
> Anyone know how the library randomization is being counted? 3 bits for
> fedora doesn't sound right. Is the 3 bits the value for a system vs
> itself or for this system vs all other systems?
>
> "a note here: fedora uses exec-shield which maps libraries in two different
> regions: ascii-armor (lower 16MB) and the rest. i think what paxtest
> measured there is the former where the usable entropy is necessarily
> less than elsewhere and may not be representative of real life apps
> and their address spaces (not saying the whole ascii-armor region is
> worth anything for security though ;)"
This article was brought up on fedora-kernel-list last week.
In my tests, I've not been able to reproduce the '3 bits' result.
On current kernels, I see 12 bits for 32-bit, and 'no randomisation' for 64-bit.
I'm not entirely sure yet why we're showing different results on some of the
other tests to other distros too.
I'll poke at it some more tomorrow.
Dave
More information about the devel
mailing list