Expanding the list of "Hardened Packages"
Kevin Kofler
kevin.kofler at chello.at
Sat Apr 13 23:43:05 UTC 2013
Richard W.M. Jones wrote:
> I said it "doesn't implement full bounds checking for every C object",
> and I stand by that. I doesn't cover stack objects smaller than some
> cut-off size, nor any objects in static data or on the heap at all.
I never claimed it did. I said it prevents overwriting the return address on
the stack to execute arbitrary code. That's all it ever claimed to do. But
it is sufficient to prevent the majority of arbitrary code execution
exploits. And there is no cutoff size with -fstack-protector-all.
Now if you think the protection is not sufficient, then what you actually
want is to enable one of the full bound-checking solution, though the
performance and code size impact of that would be a lot larger. Still,
papering over the fact that code is exploitable by duplicating all
information about what the code is supposed to do elsewhere (in SELinux
policy) does not make sense, it is simply not a maintainable approach.
> That's your opinion. I suggest you take a look at SELinux policies as
> well as the many new policy management tools.
One needs to read pages of documentation to even do the small subset of
tweaks intended for an end user. Maintaining the actual policy is something
only a handful people are able to do.
> This would be excellent, and projects in this area could make a
> significant contribution. I suspect that any general code-to-policy
> translator will hit the Halting Problem, since it seems trivial to
> write a program which would not be possible to translate, but that
> doesn't mean it can't be solved for many useful real world cases.
That's exactly why SELinux policy is the wrong representation. It duplicates
information of the code without being automatically transformable either
way, requiring every change to be made twice.
I repeat: The proper solution is to prevent executing any machine code which
is not part of the program's source code. Block arbitrary-code execution
exploits and SELinux is just dead weight.
Kevin Kofler
More information about the devel
mailing list