LWN: Comments on "MWR Labs: Assessing the Tux Strength"

Library randomization / prelink

nix — Fri, 10 Sep 2010 07:57:05 +0000

It's still higher than three bits. Not much higher though: there's simply not much room down there. ASCII-armouring was a nice idea, but I'm not sure how effective it is.

MWR Labs: Assessing the Tux Strength

bronson — Thu, 09 Sep 2010 18:33:16 +0000

It should be, yes. But it isn't.

Good luck addressing it! People have tried and failed. I hear it's like sending ten thousand similar emails in an attempt to push a wall of jello.

Debian mostly fails where Gentoo succeeds.

blueness — Thu, 09 Sep 2010 13:17:54 +0000

I'm currently maintaining Gentoo's hardened-sources. Ask away.

Library randomization / prelink

kbad — Wed, 08 Sep 2010 19:58:24 +0000

From the pax dev (gentoo-hardened list):

"a note here: fedora uses exec-shield which maps libraries in two different
regions: ascii-armor (lower 16MB) and the rest. i think what paxtest measured there is the former where the usable entropy is necessarily less than elsewhere and may not be representative of real life apps and their address spaces (not saying the whole ascii-armor region is worth anything for security though ;)"

Library randomization / prelink

gmaxwell — Wed, 08 Sep 2010 18:26:32 +0000

Anyone know how the library randomization is being counted? 3 bits for fedora doesn't sound right. Is the 3 bits the value for a system vs itself or for this system vs all other systems?

MWR Labs: Assessing the Tux Strength

SEJeff — Tue, 07 Sep 2010 21:01:42 +0000

Fodder for spender and perhaps jspaleta:
http://www.outflux.net/blog/archives/2010/09/07/cross-dis...

It show Kees Cook's frustration with trying to get proactive security into Debian proper where they have already been in **buntu for several releases already.

MWR Labs: Assessing the Tux Strength

jspaleta — Tue, 07 Sep 2010 20:35:23 +0000

So no discussion about the value/trade-offs of prelink when PIE is not in use. That's unfortunate.

-jef

MWR Labs: Assessing the Tux Strength

kees — Tue, 07 Sep 2010 17:15:44 +0000

See the thread for yourself. Here is why Debian rejected a global compiler change:

http://www.mail-archive.com/debian-devel@lists.debian.org...

Add Mandriva?

buchanmilne — Tue, 07 Sep 2010 14:08:05 +0000

I know it is more effort to test on more distributions, but many other popular distros people might request are re-spins of one of the distros that have been tested.

However, Mandriva is not a re-spin of any of the distros tested, and has enabled some of these features, and is also used as a base for a few other distros.

MWR Labs: Assessing the Tux Strength

PaXTeam — Tue, 07 Sep 2010 12:16:25 +0000

> Of course newer distributions have the newer linux-2.6 features.

1. nothing prevents a distro from backporting features (and they often do), especially simple ones like ASLR.

2. not all tested features depend on the kernel.

Bias : gentoo hardened vs standard kernel

rahulsundaram — Tue, 07 Sep 2010 11:12:56 +0000

No. Neither Red Hat nor SUSE have alternative kernels with more security features. Either it is in the default kernel or not.

Bias : gentoo hardened vs standard kernel

Alterego — Tue, 07 Sep 2010 10:48:00 +0000

The study compares hardened version of gentoo with standard kernel.

It would have been insteresting to compare with Debian grsecurity2 kernel (and i guess RedHat and SuSe also have hardened version)

Debian mostly fails where Gentoo succeeds.

Alterego — Tue, 07 Sep 2010 10:26:20 +0000

We just need to take a gento hardened-kernel and put it in Debian.

I hope the sync between several distro (to use 2.6.32 kernel) will help to fix this, and avoid duplicate (or useless) efforts from the various maintainers.

Afaik Greg KH is one gentoo kernel maintainer, maybe this can explain several things ?

MWR Labs: Assessing the Tux Strength

federico2 — Tue, 07 Sep 2010 09:25:54 +0000

> evaluating the latest stable for each distro seems fair to me.

At the same time we should keep in mind that they have been released in different times and with different processes. Otherwise such comparison may be misleading.

Debian puts a lot of efforts into releasing a distribution that contains only mature software, "old by design" so to speak, where many vulnerabilities have already been found and patched.

The main reasons to do that are security and reliability.

Other distributions (including Ubuntu) are releasing much newer software, mainly to provide a better desktop experience, so they can ship new security features.

OTOH, all the cutting-edge software included inevitably contains many new vulnerabilities.

In terms of trade-offs, given that the memory protection tools mitigate a specific set of vulnerabilities only, having mature software gives much more security in my opinion.

MWR Labs: Assessing the Tux Strength

maks — Tue, 07 Sep 2010 09:22:02 +0000

It is only fair if the compared distros have the same release cycle. So comparing Ubuntu with Fedora is just fine, they release every 6 month. Other wise the time of the experiement is just arbitrary and will effectively disfavor distributions with longer release cycles that don't shipp newer linux-2.6.

They for example didn't test Red Hat or CentOS.

MWR Labs: Assessing the Tux Strength

Klavs — Tue, 07 Sep 2010 07:09:49 +0000

evaluating the latest stable for each distro seems fair to me. There will most likely never be a time where distro releases are in sync :)

MWR Labs: Assessing the Tux Strength

hmh — Mon, 06 Sep 2010 21:42:54 +0000

It is a bit better, but nowhere close to something you'd write home about.

MWR Labs: Assessing the Tux Strength

maks — Mon, 06 Sep 2010 21:18:27 +0000

Comparing apples with pears.

Of course newer distributions have the newer linux-2.6 features. If they'd compared distributions that were released on the same date it be more interesting.

MWR Labs: Assessing the Tux Strength

patrick_g — Mon, 06 Sep 2010 19:05:13 +0000

The Debian version which was assessed is Lenny (5.0.4).
Perhaps the security level is better with Debian Squeeze (6.0) ?

MWR Labs: Assessing the Tux Strength

rahulsundaram — Mon, 06 Sep 2010 18:50:06 +0000

That would be a organizational failure to address. It should be possible to make technical changes consistently across package boundaries especially when it brings obvious benefits like security improvements.

MWR Labs: Assessing the Tux Strength

foom — Mon, 06 Sep 2010 18:37:37 +0000

It seems to me that it's fairly difficult for Debian as an organization to manage to make global settings changes like for those features.

MWR Labs: Assessing the Tux Strength

Adi — Mon, 06 Sep 2010 17:50:26 +0000

It's said to see that Debian has lost in virtually all tests.
Quite an uneasy conclusion for distro so often used on servers.