| |||||||||||||
What would be good combinationWhat would be good combinationPosted Oct 14, 2004 9:15 UTC (Thu) by eru (subscriber, #2753)Parent article: Security-improving technologies which could be deployed now It seems to me these are a bit overlapping. For example, if you use PaX and SSP, is there any point in adding PIE? What would be the best combination of these techniques that would have almost as good protection as using them all, and would have minimal overhead, so that it could be enabled by default in normal distributions without complaints?
(Log in to post comments)
What would be good combination Posted Oct 21, 2004 19:17 UTC (Thu) by bluefoxicy (guest, #25366) [Link] "For example, if you use PaX and SSP, is there any point in adding PIE?"
Yes. PIE is simply rebuilding executables to be position independent, as shared libraries are. This allows their code to be moved around in memory freely, which allows PaX (or Exec Shield on RH) to apply ASLR to that code as well, further protecting from ret2libc attacks (ret2exec?).
The ideal setup has all of these, and more; there are a few other things that need more research, or that I simply don't understand although they may be ready, which could be deployed as well. A good format string bug protection would be great; and digitally signed kernel modules, executables, and libraries would potentially provide a fair level of protection as well. There's also a lot that can be looked at in GrSecurity with ranomized PIDs and randomized network data such as TCP ISNs and RPC XIDs, along with chroot() jail and procfs restrictions.
This stuff is nothing more nor less than a good start. If they were everything the article would be called, "How to make your computer perfect." These are all, however, ready *now* and could be deployed by any given distribution with the commitment to put in the work to move these in.
|
|||||||||||||