Expanding the list of "Hardened Packages"
Kevin Kofler
kevin.kofler at chello.at
Sat Apr 13 18:36:53 UTC 2013
Richard W.M. Jones wrote:
> (1) -fstack-protector{,-all} doesn't implement full bounds checking
> for every C object.
But it prevents (with probability (256^n-1)/256^n, where n is the size of
the canary in bytes, which for n=4 is approximately 0.99999999976717)
exploiting the overflows to change the return address of any C function.
> (2) SELinux controls what labelled resources a process can access.
> This covers far more than buffer overflows in C programs. It covers
> other programming languages, design flaws and implementation 'thinko's
> of all sorts. I would argue (separate from this) that it's good to
> define precisely what resources a program can access, rather than the
> default "access just about everything".
And I would argue that this amounts to second-guessing/duplicating what the
program tries to do in an unmaintainable morass of rules, which even for the
targeted policy (which is not even close to covering all programs in Fedora
other than as "unconfined") keeps having bugs which need to be fixed every
day, even after YEARS of debugging. SELinux just does not scale; it's a
centralized database which needs to essentially contain a variant of every
program's source code, rewritten in a rule language only a few people actually
comprehend.
Instead of duplicating the information already contained in the program's
source code, the right approach is to ensure the program does not do
anything that is NOT part of its source code, which means blocking arbitrary
code execution exploits!
Kevin Kofler