by Anonymous Coward writes:
on Saturday July 25, 2015 @08:24PM (#50183061)
OpenBSD? (Score:2, Interesting)
I believe OpenBSD already added this functionality. Year or two ago. How is this implementation better than theirs?
Re:OpenBSD? (Score:0)
This list [hup.hu] should clarify things a bit.
While OpenBSD had ASLR it is lacking in many other ways.
That is the thing with security, it isn't the doors you locked that matters, it's that single one you didn't lock that is the problem.
Re: (Score:2, Interesting)
This list [hup.hu] should clarify things a bit.
While OpenBSD had ASLR it is lacking in many other ways.
That is the thing with security, it isn't the doors you locked that matters, it's that single one you didn't lock that is the problem.
Hmmm... While I agree with you on the general principle, here are a couple of things, off the top of my head:
1. False positives ("Vulnerable" tests in your example) do exist, you know. How are you sure that OpenBSD (or FreeBSD) is vulnerable in such and such case? Have you created an exploit specifically for the things being tested by paxtest? Maybe OpenBSD has other capabilities
2. False negatives are also a thing. Even if paxtest says: "such-and-such is OK", how do you know if a clever hacker won't be able
Re: (Score:2)
You can achieve the same level of security with Hardened Gentoo Linux (PaX, Grsecurity2, which is Gentoo with different flags) https://wiki.gentoo.org/wiki/H... [gentoo.org].
The only small difference is that strcpy is still allowed (applications should move to strlcpy/strpcpy instead).
Then again, I don't use hardened Gentoo, because last time I tried (couple of years back), it was hard to maintain on a simple desktop.
Other distributions that use PaX: https://en.wikipedia.org/wiki/... [wikipedia.org]
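The strcpy vs. strlcpy point in the comment above, as an added illustration that is not code from the thread, from Gentoo or from OpenBSD: `bsd_strlcpy` is a portable reimplementation of the OpenBSD strlcpy() contract (copy at most size-1 bytes, always NUL-terminate, return strlen(src) so truncation is detectable), and `copy_bounded` and `strcpy_would_overflow` are hypothetical helper names chosen for this example. The point it shows is the one a hardened toolchain bans strcpy for: with strcpy the caller must do the length check itself before the call, while strlcpy makes the buffer safe by construction and reports truncation through its return value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable implementation of OpenBSD strlcpy() semantics (written for this
 * example; named bsd_strlcpy to avoid clashing with a libc that ships one).
 * Copies at most size-1 bytes of src into dst, NUL-terminates whenever
 * size > 0, and returns strlen(src). Truncation happened iff the return
 * value is >= size. */
size_t bsd_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* The check a strcpy() caller must remember to perform by hand: strcpy()
 * writes strlen(src)+1 bytes unconditionally, so anything longer than the
 * destination runs off the end of dst. Returns 1 if strcpy() would overflow. */
int strcpy_would_overflow(size_t dstsize, const char *src)
{
    return strlen(src) + 1 > dstsize;
}

/* Bounded copy built on bsd_strlcpy(). Returns 1 if the whole string fit,
 * 0 if it was truncated; dst is a valid NUL-terminated string either way. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    return bsd_strlcpy(dst, src, dstsize) < dstsize;
}

int main(void)
{
    /* Constructed sample inputs: one that fits a 16-byte buffer, one that does not. */
    const char *short_input = "gentoo";
    const char *long_input = "this string is longer than sixteen bytes";
    char buf[16];

    printf("strcpy would overflow on long input: %d\n",
           strcpy_would_overflow(sizeof buf, long_input));
    printf("short copy fit: %d -> \"%s\"\n", copy_bounded(buf, sizeof buf, short_input), buf);
    printf("long copy fit:  %d -> \"%s\" (truncated, still NUL-terminated)\n",
           copy_bounded(buf, sizeof buf, long_input), buf);
    return 0;
}
```

Compile with `cc -Wall -o strlcpy_demo strlcpy_demo.c`; the truncated case is the one to watch for in review, since silently dropping the tail of a path or hostname is its own bug even when the overflow is gone, which is why the return value is checked rather than ignored.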