MWR Labs: Assessing the Tux Strength
The notable exceptions in the results are Fedora and Ubuntu. Both distributions do not allow the ability to write code to a certain memory region and then execute it. This can be observed from the results of the first five tests. Fedora goes one step further and also prevents the bss, data and heap sections from being marked as executable using the 'mprotect' system call. It should be noted that there would still be numerous other memory regions where an attacker could upload their code and then use the 'mprotect' function to mark it as executable."
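The restriction described in the excerpt can be checked directly. The following is an added example, not code from the MWR Labs report or from paxtest: it asks the kernel, via `mprotect`, to add `PROT_EXEC` to one page in the bss, data, heap and an anonymous mapping, and records whether the request is granted. The names `exec_allowed` and `probe` are illustrative, and it assumes Linux with 4 KiB pages.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

enum region { R_BSS, R_DATA, R_HEAP, R_MMAP, R_COUNT };
static char bss_buf[8192];            /* zero-initialised, placed in .bss */
static char data_buf[8192] = { 1 };   /* initialised, placed in .data */

/* Ask the kernel to add PROT_EXEC to the page holding addr.
 * Returns 1 if granted, 0 if refused. No code is written or executed. */
static int exec_allowed(void *addr)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    void *base = (void *)((uintptr_t)addr & ~(page - 1));
    if (mprotect(base, page, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return 0;
    mprotect(base, page, PROT_READ | PROT_WRITE);   /* put the page back */
    return 1;
}

/* Returns 1 (exec granted), 0 (refused) or -1 (bad region or setup failed).
 * Each region is 8192 bytes; with 4 KiB pages (assumed) the page holding
 * offset 4096 lies wholly inside it, so no neighbouring data is touched. */
int probe(int r)
{
    void *heap = malloc(8192);
    void *anon = mmap(NULL, 8192, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int res = -1;
    if (heap && anon != MAP_FAILED && r >= 0 && r < R_COUNT) {
        void *addr[R_COUNT] = { bss_buf, data_buf, heap, anon };
        res = exec_allowed((char *)addr[r] + 4096);
    }
    free(heap);
    if (anon != MAP_FAILED) munmap(anon, 8192);
    return res;
}

int main(void)
{
    static const char *name[R_COUNT] = { "bss", "data", "heap", "anon mmap" };
    static const char *out[] = { "setup failed", "refused", "allowed" };
    for (int r = 0; r < R_COUNT; r++)
        printf("%-9s +x via mprotect: %s\n", name[r], out[probe(r) + 1]);
    return 0;
}
```

On a system that enforces the restriction the excerpt attributes to Fedora, the bss, data and heap rows read "refused"; an "allowed" row means that region can still be made executable after it has been written.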
Posted Sep 6, 2010 17:50 UTC (Mon)
by Adi (guest, #52678)
[Link] (8 responses)
Posted Sep 6, 2010 18:37 UTC (Mon)
by foom (subscriber, #14868)
[Link] (3 responses)
Posted Sep 6, 2010 18:50 UTC (Mon)
by rahulsundaram (subscriber, #21946)
[Link] (1 responses)
Posted Sep 9, 2010 18:33 UTC (Thu)
by bronson (subscriber, #4806)
[Link]
Good luck addressing it! People have tried and failed. I hear it's like sending ten thousand similar emails in an attempt to push a wall of jello.
Posted Sep 7, 2010 17:15 UTC (Tue)
by kees (subscriber, #27264)
[Link]
http://www.mail-archive.com/debian-devel@lists.debian.org...
Posted Sep 6, 2010 19:05 UTC (Mon)
by patrick_g (subscriber, #44470)
[Link] (1 responses)
Posted Sep 6, 2010 21:42 UTC (Mon)
by hmh (subscriber, #3838)
[Link]
Posted Sep 7, 2010 10:26 UTC (Tue)
by Alterego (guest, #55989)
[Link] (1 responses)
I hope the sync between several distros (to use the 2.6.32 kernel) will help to fix this, and avoid duplicate (or useless) efforts from the various maintainers.
Afaik Greg KH is one Gentoo kernel maintainer, maybe this can explain several things?
Posted Sep 9, 2010 13:17 UTC (Thu)
by blueness (guest, #56336)
[Link]
Posted Sep 6, 2010 21:18 UTC (Mon)
by maks (guest, #32426)
[Link] (4 responses)
Of course newer distributions have the newer linux-2.6 features. If they'd compared distributions that were released on the same date it would be more interesting.
Posted Sep 7, 2010 7:09 UTC (Tue)
by Klavs (guest, #10563)
[Link] (2 responses)
Posted Sep 7, 2010 9:22 UTC (Tue)
by maks (guest, #32426)
[Link]
They for example didn't test Red Hat or CentOS.
Posted Sep 7, 2010 9:25 UTC (Tue)
by federico2 (guest, #70000)
[Link]
At the same time we should keep in mind that they have been released at different times and with different processes. Otherwise such a comparison may be misleading.
Debian puts a lot of effort into releasing a distribution that contains only mature software, "old by design" so to speak, where many vulnerabilities have already been found and patched.
The main reasons to do that are security and reliability.
Other distributions (including Ubuntu) are releasing much newer software, mainly to provide a better desktop experience, so they can ship new security features.
OTOH, all the cutting-edge software included inevitably contains many new vulnerabilities.
In terms of trade-offs, given that the memory protection tools mitigate a specific set of vulnerabilities only, having mature software gives much more security in my opinion.
Posted Sep 7, 2010 12:16 UTC (Tue)
by PaXTeam (guest, #24616)
[Link]
1. nothing prevents a distro from backporting features (and they often do), especially simple ones like ASLR.
2. not all tested features depend on the kernel.
Posted Sep 7, 2010 10:48 UTC (Tue)
by Alterego (guest, #55989)
[Link] (1 responses)
It would have been interesting to compare with the Debian grsecurity2 kernel (and I guess RedHat and SuSe also have hardened versions).
Posted Sep 7, 2010 11:12 UTC (Tue)
by rahulsundaram (subscriber, #21946)
[Link]
Posted Sep 7, 2010 14:08 UTC (Tue)
by buchanmilne (guest, #42315)
[Link]
However, Mandriva is not a re-spin of any of the distros tested, and has enabled some of these features, and is also used as a base for a few other distros.
Posted Sep 7, 2010 20:35 UTC (Tue)
by jspaleta (subscriber, #50639)
[Link]
-jef
Posted Sep 7, 2010 21:01 UTC (Tue)
by SEJeff (guest, #51588)
[Link]
It shows Kees Cook's frustration with trying to get proactive security into Debian proper where they have already been in **buntu for several releases already.
Posted Sep 8, 2010 18:26 UTC (Wed)
by gmaxwell (guest, #30048)
[Link] (2 responses)
Posted Sep 8, 2010 19:58 UTC (Wed)
by kbad (subscriber, #61983)
[Link] (1 responses)
"a note here: fedora uses exec-shield which maps libraries in two different
Posted Sep 10, 2010 7:57 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Quite an uneasy conclusion for a distro so often used on servers.
Perhaps the security level is better with Debian Squeeze (6.0)?
Debian mostly fails where Gentoo succeeds.
Bias : gentoo hardened vs standard kernel
Add Mandriva?
http://www.outflux.net/blog/archives/2010/09/07/cross-dis...
Library randomization / prelink
regions: ascii-armor (lower 16MB) and the rest. I think what paxtest measured there is the former where the usable entropy is necessarily less than elsewhere and may not be representative of real life apps and their address spaces (not saying the whole ascii-armor region is worth anything for security though ;)"