Default distro security compared

Discussion in 'all things UNIX' started by linuxforall, Sep 7, 2010.

Thread Status:
Not open for further replies.
  1. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
  2. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    128
    interesting read...
     
  3. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Yes, quite surprising to see that the noob distro did well.
     
  4. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    was waiting for something like this!

    so... Gentoo rules?
     
  5. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    and there is more........

    http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/

    Another conclusion is that other than the Gentoo grsecurity-enabled kernel, all other distributions are vulnerable, at least to some extent, to known exploitation techniques. In particular, Debian and openSUSE do not offer any additional protection and as a result fail on every paxtest check.

    The notable exceptions in the results are Fedora and Ubuntu. Both distributions do not allow the ability to write code to a certain memory region and then execute it. This can be observed from the results of the first five tests. Fedora goes one step further and also prevents the bss, data and heap sections from being marked as executable using the 'mprotect' system call. It should be noted that there would still be numerous other memory regions where an attacker could upload their code and then use the 'mprotect' function to mark it as executable.
     
  6. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    If you mean for running a hardened kernel, yes, Gentoo rules, but you can also run hardened kernels with ease on Ubuntu and Fedora and others as well.
     
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I have paxtest and ran it on my Ubuntu Lucid box. Results:


    Code:
    Mode: blackhat
    Linux 2.6.32-24-generic #42-Ubuntu SMP Fri Aug 20 14:21:58 UTC 2010 x86_64 GNU/Linux
    
    Executable anonymous mapping             : Killed
    Executable bss                           : Killed
    Executable data                          : Killed
    Executable heap                          : Killed
    Executable stack                         : Killed
    Executable shared library bss            : Killed
    Executable shared library data           : Killed
    Executable anonymous mapping (mprotect)  : Vulnerable
    Executable bss (mprotect)                : Vulnerable
    Executable data (mprotect)               : Vulnerable
    Executable heap (mprotect)               : Vulnerable
    Executable stack (mprotect)              : Vulnerable
    Executable shared library bss (mprotect) : Vulnerable
    Executable shared library data (mprotect): Vulnerable
    Writable text segments                   : Vulnerable
    Anonymous mapping randomisation test     : 29 bits (guessed)
    Heap randomisation test (ET_EXEC)        : 14 bits (guessed)
    Heap randomisation test (PIE)            : 28 bits (guessed)
    Main executable randomisation (ET_EXEC)  : No randomisation
    Main executable randomisation (PIE)      : 28 bits (guessed)
    Shared library randomisation test        : 28 bits (guessed)
    Stack randomisation test (SEGMEXEC)      : 28 bits (guessed)
    Stack randomisation test (PAGEEXEC)      : 28 bits (guessed)
    Return to function (strcpy)              : paxtest: return address contains a NULL byte.
    Return to function (memcpy)              : Vulnerable
    Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
    Return to function (memcpy, PIE)         : Vulnerable
    Ubuntu scores pretty well. It kills attacks that aren't related to mprotect(). You need PaX to have everything score "killed." Also, Ubuntu randomizes most everything by default using the kernel's built-in ASLR. Again, you need PaX to get "everything" to pass.

    I also have the checksec script, which tests the kernel and applications for memory protections (NX/ASLR, etc.). Here are the results:

    Code:
    chrono@chrono:~/Desktop$ sudo ./checksec.sh --proc-all
    * System-wide ASLR (kernel.randomize_va_space): On (Setting: 2)
    
      Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
      This, among other things, implies that shared libraries will be loaded to random 
      addresses. Also for PIE-linked binaries, the location of code start is randomized.
    
      See the kernel file 'Documentation/sysctl/kernel.txt' for more details.
    
    * Does the CPU support NX: Yes
    
             COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE
                init      1 Full RELRO        Canary found           NX enabled    PIE enabled             
     gvfs-fuse-daemo   1008 Partial RELRO     No canary found        NX enabled    No PIE                  
     gvfs-gdu-volume   1013 Partial RELRO     Canary found           NX enabled    No PIE                  
     avant-window-na   1017 Partial RELRO     No canary found        NX enabled    No PIE                  
            gnome-do   1021 Partial RELRO     Canary found           NX enabled    No PIE                  
     gvfs-gphoto2-vo   1022 Partial RELRO     Canary found           NX enabled    No PIE                  
           nm-applet   1026 Partial RELRO     Canary found           NX enabled    No PIE                  
     polkit-gnome-au   1029 Partial RELRO     No canary found        NX enabled    No PIE                  
            nautilus   1030 Partial RELRO     Canary found           NX enabled    No PIE                  
         gnome-panel   1035 Partial RELRO     Canary found           NX enabled    No PIE                  
               kvirc   1039 Partial RELRO     Canary found           NX enabled    No PIE                  
           rhythmbox   1040 Partial RELRO     No canary found        NX enabled    No PIE                  
              pidgin   1041 Partial RELRO     Canary found           NX enabled    No PIE                  
            gnome-do   1045 Partial RELRO     Canary found           NX enabled    No PIE                  
     gvfs-afc-volume   1047 Partial RELRO     No canary found        NX enabled    No PIE                  
             ossxmix   1048 Partial RELRO     Canary found           NX enabled    No PIE                  
     bonobo-activati   1058 Partial RELRO     Canary found           NX enabled    No PIE                  
         gvfsd-trash   1062 Partial RELRO     Canary found           NX enabled    No PIE                  
     gnome-power-man  10624 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  10648 Partial RELRO     Canary found           NX enabled    No PIE                  
     gnome-screensav   1065 Partial RELRO     Canary found           NX enabled    No PIE                  
              auditd   1074 Partial RELRO     Canary found           NX enabled    PIE enabled             
             audispd   1076 Partial RELRO     Canary found           NX enabled    PIE enabled             
     indicator-apple   1083 Partial RELRO     No canary found        NX enabled    No PIE                  
        clock-applet   1084 Partial RELRO     Canary found           NX enabled    No PIE                  
     indicator-apple   1085 Partial RELRO     No canary found        NX enabled    No PIE                  
     multiload-apple   1086 Partial RELRO     Canary found           NX enabled    No PIE                  
              python   1088 Partial RELRO     Canary found           NX enabled    No PIE                  
     notification-ar   1089 Partial RELRO     Canary found           NX enabled    No PIE                  
         dbus-daemon   1094 Partial RELRO     Canary found           NX enabled    PIE enabled             
                  sh   1097 Partial RELRO     Canary found           NX enabled    No PIE                  
          gdm-binary   1099 Partial RELRO     Canary found           NX enabled    No PIE                  
             emerald   1100 Partial RELRO     Canary found           NX enabled    No PIE                  
                smbd   1104 Full RELRO        Canary found           NX enabled    PIE enabled             
          awn-applet   1106 Partial RELRO     No canary found        NX enabled    No PIE                  
              python   1108 Partial RELRO     Canary found           NX enabled    No PIE                  
              python   1109 Partial RELRO     Canary found           NX enabled    No PIE                  
              python   1110 Partial RELRO     Canary found           NX enabled    No PIE                  
              python   1111 Partial RELRO     Canary found           NX enabled    No PIE                  
              python   1112 Partial RELRO     Canary found           NX enabled    No PIE                  
          awn-applet   1113 Partial RELRO     No canary found        NX enabled    No PIE                  
          awn-applet   1114 Partial RELRO     No canary found        NX enabled    No PIE                  
              python   1115 Partial RELRO     Canary found           NX enabled    No PIE                  
          awn-applet   1116 Partial RELRO     No canary found        NX enabled    No PIE                  
              python   1117 Partial RELRO     Canary found           NX enabled    No PIE                  
              python   1118 Partial RELRO     Canary found           NX enabled    No PIE                  
        avahi-daemon   1121 Partial RELRO     Canary found           NX enabled    No PIE                  
        avahi-daemon   1123 Partial RELRO     Canary found           NX enabled    No PIE                  
          gvfsd-burn   1135 Partial RELRO     Canary found           NX enabled    No PIE                  
               getty   1141 Partial RELRO     Canary found           NX enabled    No PIE                  
               getty   1145 Partial RELRO     Canary found           NX enabled    No PIE                  
     gdu-notificatio   1157 Partial RELRO     No canary found        NX enabled    No PIE                  
          fancontrol   1169 Partial RELRO     Canary found           NX enabled    No PIE                  
               getty   1172 Partial RELRO     Canary found           NX enabled    No PIE                  
                smbd  11733 Full RELRO        Canary found           NX enabled    PIE enabled             
               getty   1174 Partial RELRO     Canary found           NX enabled    No PIE                  
               getty   1178 Partial RELRO     Canary found           NX enabled    No PIE                  
               acpid   1181 Partial RELRO     Canary found           NX enabled    No PIE                  
                cron   1190 Partial RELRO     Canary found           NX enabled    No PIE                  
                 atd   1191 Partial RELRO     Canary found           NX enabled    No PIE                  
             haveged   1192 Partial RELRO     Canary found           NX enabled    No PIE                  
      gvfsd-metadata   1194 Partial RELRO     Canary found           NX enabled    No PIE                  
          irqbalance   1200 Partial RELRO     Canary found           NX enabled    No PIE                  
          notify-osd   1209 Partial RELRO     Canary found           NX enabled    No PIE                  
     indicator-messa   1226 Partial RELRO     No canary found        NX enabled    No PIE                  
     indicator-appli   1227 Partial RELRO     No canary found        NX enabled    No PIE                  
     indicator-me-se   1236 Partial RELRO     No canary found        NX enabled    No PIE                  
     indicator-sessi   1239 Partial RELRO     No canary found        NX enabled    No PIE                  
     ubuntuone-syncd   1244 Partial RELRO     Canary found           NX enabled    No PIE                  
              python   1322 Partial RELRO     Canary found           NX enabled    No PIE                  
                  sh   1335 Partial RELRO     Canary found           NX enabled    No PIE                  
      gnome-terminal   1336 Partial RELRO     Canary found           NX enabled    No PIE                  
     gnome-pty-helpe   1339 Partial RELRO     Canary found           NX enabled    No PIE                  
                bash   1340 Partial RELRO     Canary found           NX enabled    No PIE                  
               conky   1368 Partial RELRO     Canary found           NX enabled    No PIE                  
      NetworkManager   1369 Partial RELRO     Canary found           NX enabled    No PIE                  
       modem-manager   1372 Partial RELRO     Canary found           NX enabled    No PIE                  
     console-kit-dae   1378 Partial RELRO     Canary found           NX enabled    No PIE                  
      wpa_supplicant   1381 Partial RELRO     Canary found           NX enabled    No PIE                  
            dhclient   1383 Full RELRO        Canary found           NX enabled    PIE enabled             
     update-notifier   1501 Partial RELRO     Canary found           NX enabled    No PIE                  
               sleep  15051 Partial RELRO     Canary found           NX enabled    No PIE                  
                nmbd   1608 Full RELRO        Canary found           NX enabled    PIE enabled             
              polipo   1626 Partial RELRO     Canary found           NX enabled    No PIE                  
              master   1727 Full RELRO        Canary found           NX enabled    PIE enabled             
                qmgr   1732 Full RELRO        Canary found           NX enabled    PIE enabled             
                 tor   1751 Partial RELRO     Canary found           NX enabled    No PIE                  
              xinetd   1811 Full RELRO        Canary found           NX enabled    PIE enabled             
                ntpd   1812 Full RELRO        Canary found           NX enabled    PIE enabled             
             apcupsd   1832 Partial RELRO     Canary found           NX enabled    No PIE                  
               cupsd   1850 Full RELRO        Canary found           NX enabled    PIE enabled             
               getty   1951 Partial RELRO     Canary found           NX enabled    No PIE                  
             polkitd   2039 Partial RELRO     No canary found        NX enabled    No PIE                  
       udisks-daemon   2044 Partial RELRO     Canary found           NX enabled    No PIE                  
       udisks-daemon   2045 Partial RELRO     Canary found           NX enabled    No PIE                  
             upowerd   2152 Partial RELRO     Canary found           NX enabled    No PIE                  
               udevd  22316 Full RELRO        Canary found           NX enabled    PIE enabled             
                  sh  25274 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25275 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25280 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25282 Partial RELRO     Canary found           NX enabled    No PIE                  
              pickup   2531 Full RELRO        No canary found        NX enabled    PIE enabled             
     chromium-browse  25318 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25337 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25340 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25343 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25346 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25352 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25358 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25360 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25366 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  25420 Partial RELRO     Canary found           NX enabled    No PIE                  
                 exe  25469 Partial RELRO     Canary found           NX enabled    No PIE                  
     update-apt-xapi  25919 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  28163 Partial RELRO     Canary found           NX enabled    No PIE                  
               udevd  30844 Full RELRO        Canary found           NX enabled    PIE enabled             
     system-service-  31201 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  32150 Partial RELRO     Canary found           NX enabled    No PIE                  
     chromium-browse  32177 Partial RELRO     Canary found           NX enabled    No PIE                  
     upstart-udev-br    515 Full RELRO        No canary found        NX enabled    PIE enabled             
               udevd    521 Full RELRO        Canary found           NX enabled    PIE enabled             
                hald   5996 Partial RELRO     Canary found           NX enabled    No PIE                  
         hald-runner   5997 Partial RELRO     No canary found        NX enabled    No PIE                  
     hald-addon-inpu   6020 Partial RELRO     Canary found           NX enabled    No PIE                  
     hald-addon-hid-   6030 Partial RELRO     Canary found           NX enabled    No PIE                  
     hald-addon-stor   6031 Partial RELRO     Canary found           NX enabled    No PIE                  
     hald-addon-acpi   6038 Partial RELRO     Canary found           NX enabled    No PIE                  
                  sh   6873 Partial RELRO     Canary found           NX enabled    No PIE                  
         speedcrunch   6874 Partial RELRO     Canary found           NX enabled    No PIE                  
     gdm-simple-slav    840 Partial RELRO     Canary found           NX enabled    No PIE                  
                Xorg    842 Partial RELRO     Canary found           NX enabled    No PIE                  
         dbus-launch    862 Partial RELRO     Canary found           NX enabled    No PIE                  
     gdm-session-wor    880 Partial RELRO     Canary found           NX enabled    No PIE                  
     gnome-keyring-d    898 Partial RELRO     Canary found           NX enabled    No PIE                  
       gnome-session    916 Partial RELRO     Canary found           NX enabled    No PIE                  
           ssh-agent    961 Full RELRO        Canary found           NX enabled    PIE enabled             
           gpg-agent    962 Partial RELRO     Canary found           NX enabled    No PIE                  
         dbus-launch    965 Partial RELRO     Canary found           NX enabled    No PIE                  
         dbus-daemon    978 Partial RELRO     Canary found           NX enabled    PIE enabled             
            gconfd-2    981 Partial RELRO     Canary found           NX enabled    No PIE                  
     gnome-settings-    990 Partial RELRO     No canary found        NX enabled    No PIE                  
               gvfsd    992 Partial RELRO     Canary found           NX enabled    No PIE                  
                smbd    995 Full RELRO        Canary found           NX enabled    PIE enabled             
              compiz    996 Partial RELRO     Canary found           NX enabled    No PIE                  
            rsyslogd    999 Partial RELRO     Canary found           NX enabled    No PIE 
    Basically the best settings are: FULL RELRO -- Canary found -- NX enabled -- PIE enabled.

    A little explanation for those not in the know: RELRO protects ELF binaries, Canaries are compiler flags that protect the stack, NX is built into the CPU and is what is known as DEP on Windows, and PIE is when programs support ASLR.

    You can see that Ubuntu has full protections on most kernel-level daemons and NX enabled on everything. It also has canaries on most everything and at least partial RELRO on everything. Also, even though I didn't have Firefox running during my test, Ubuntu enables all of these protections for Firefox by default! I don't think any other major distro does that. One place that needs improvement, however, is the number of apps that are compiled with PIE -- very few right now have it (again, Firefox does have it).

    It would be interesting to see how the other distros stack up. (I haven't read the article yet, going to go now).

    EDIT: Just read the article and realized I had seen it before. Their results on Ubuntu basically match up with mine above. Also, you can get part 2 of their series here.
     
    Last edited: Sep 8, 2010
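    As an added example (not the checksec.sh script the posts ran), the four per-process columns in the table above re-implemented over an ELF file with only Python's standard library, so the vocabulary in the table (Full/Partial/No RELRO, Canary found, NX enabled, PIE enabled) can be tied to the ELF structures behind it. The two sample images it checks are constructed inside the block, not real binaries.

```python
"""Re-implementation of the per-binary checks in checksec.sh's table (RELRO,
stack canary, NX, PIE) using only the standard library.  Added example, not
the checksec.sh script itself; build_elf() makes constructed, synthetic images."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_NOTE = 2, 4
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_elf(data):
    """Classify one ELF64 little-endian image in checksec's vocabulary."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    stack_exec = True          # no PT_GNU_STACK header means an executable stack
    relro, dynamic = False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # Full RELRO = RELRO segment plus immediate binding (GOT read-only before
    # main runs); DT_DEBUG separates a PIE executable from a plain shared object.
    bind_now = has_debug = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            has_debug |= tag == DT_DEBUG
            bind_now |= (tag == DT_BIND_NOW
                         or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                         or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))

    pie = ("PIE enabled" if has_debug else "DSO") if e_type == ET_DYN else "No PIE"
    return {
        "RELRO": ("Full RELRO" if relro and bind_now
                  else "Partial RELRO" if relro else "No RELRO"),
        # Same heuristic checksec uses: a -fstack-protector build references
        # the canary-failure routine.
        "STACK CANARY": ("Canary found" if b"__stack_chk_fail" in data
                         else "No canary found"),
        "NX": "NX disabled" if stack_exec else "NX enabled",
        "PIE": pie,
    }


def build_elf(e_type, stack_flags, relro, dyn_entries, tail=b""):
    """Constructed, non-loadable ELF64 image: header, 3 phdrs, dynamic array."""
    phnum = 3
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * phnum
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELF64, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, phnum, 64, 0, 0)

    def phdr(p_type, flags, off=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, flags, off, 0, 0, size, size, 8)

    phdrs = (phdr(PT_GNU_STACK, stack_flags)
             + phdr(PT_GNU_RELRO if relro else PT_NOTE, 4)
             + phdr(PT_DYNAMIC, 6, dyn_off, len(dyn)))
    return ehdr + phdrs + dyn + tail


# Constructed samples: one like the fully hardened daemons in the table
# (RW stack, RELRO + BIND_NOW, canary symbol, PIE), one like a legacy binary.
HARDENED = build_elf(ET_DYN, 6, True, [(DT_DEBUG, 0), (DT_FLAGS, DF_BIND_NOW)],
                     b"\x00__stack_chk_fail\x00")
LEGACY = build_elf(ET_EXEC, 7, False, [(DT_DEBUG, 0)])


if __name__ == "__main__":                   # python3 elfcheck.py /bin/ls ...
    for p in sys.argv[1:]:
        with open(p, "rb") as fh:
            print(p, check_elf(fh.read()))
```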
  8. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Thanks a lot Chronomatic for your detailed report.
     
  9. katio

    katio Guest

    The defaults in Ubuntu are pretty much as secure as it's going to get (on a desktop). Full PAX is incompatible with most larger GUI application and of course especially those using JIT (all browsers) so you'd end up making exceptions for those apps where it would matter most.

    One aspect they could also look into is documentation. Debian and derivatives are pretty poor when it comes to documenting security features and hardening options compared to Gentoo and RHEL/Fedora.

    Eagerly waiting for the next installment :) The first two parts were more on the theoretical side so I'm curious how this translates into real world scenarios.
    The Apparmor vs SELinux vs ... comparisons I've seen have also been more low level/theoretical and less about hard data, hope they'll cover that too.
     
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    On Debian 5 64 bit:
    My paxtest results were the same as chronomatic's; however, the checksec.sh results are as follows:

    Code:
    $ ./checksec.sh --proc-all
    * System-wide ASLR (kernel.randomize_va_space): On (Setting: 2)
    
      Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
      This, among other things, implies that shared libraries will be loaded to random 
      addresses. Also for PIE-linked binaries, the location of code start is randomized.
    
      See the kernel file 'Documentation/sysctl/kernel.txt' for more details.
    
    * Does the CPU support NX: Yes
    
             COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE
                bash  15936 No RELRO          No canary found        NX enabled    No PIE                  
                  gv  17900 No RELRO          No canary found        NX enabled    No PIE                  
                bash  18970 No RELRO          No canary found        NX enabled    No PIE                  
                  gs  19998 No RELRO          No canary found        NX enabled    No PIE                  
     gnome-volume-co  25398 No RELRO          No canary found        NX enabled    No PIE                  
           audacious   2548 No RELRO          No canary found        NX enabled    No PIE                  
         firefox-bin  26331 No RELRO          No canary found        NX enabled    No PIE                  
            kaffeine  27944 No RELRO          No canary found        NX enabled    No PIE                  
             kdeinit  27946 No RELRO          No canary found        NX enabled    No PIE                  
          dcopserver  27949 No RELRO          No canary found        NX enabled    No PIE                  
           klauncher  27951 No RELRO          No canary found        NX enabled    No PIE                  
                kded  27953 No RELRO          No canary found        NX enabled    No PIE                  
          gam_server  27955 No RELRO          No canary found        NX enabled    No PIE                  
            kio_file  27959 No RELRO          No canary found        NX enabled    No PIE                  
             azureus  31233 No RELRO          No canary found        NX enabled    No PIE                  
                java  31295 No RELRO          No canary found        NX enabled    No PIE                  
            gconfd-2   3158 No RELRO          No canary found        NX enabled    No PIE                  
     gnome-keyring-d   3160 No RELRO          No canary found        NX enabled    No PIE                  
       gnome-session   3161 No RELRO          No canary found        NX enabled    No PIE                  
         dbus-launch   3210 No RELRO          No canary found        NX enabled    No PIE                  
         dbus-daemon   3211 Partial RELRO     No canary found        NX enabled    PIE enabled             
      seahorse-agent   3217 No RELRO          No canary found        NX enabled    No PIE                  
     gnome-settings-   3220 No RELRO          No canary found        NX enabled    No PIE                  
            nautilus   3232 No RELRO          No canary found        NX enabled    No PIE                  
         gnome-panel   3233 No RELRO          No canary found        NX enabled    No PIE                  
     bonobo-activati   3238 No RELRO          No canary found        NX enabled    No PIE                  
     gnome-screensav   3239 No RELRO          No canary found        NX enabled    No PIE                  
     update-notifier   3242 No RELRO          No canary found        NX enabled    No PIE                  
      gnome-terminal   3243 No RELRO          No canary found        NX enabled    No PIE                  
         fusion-icon   3244 No RELRO          No canary found        NX enabled    No PIE                  
     bluetooth-apple   3245 No RELRO          No canary found        NX enabled    PIE enabled             
     gnome-vfs-daemo   3248 No RELRO          No canary found        NX enabled    No PIE                  
               artsd  32486 No RELRO          No canary found        NX enabled    No PIE                  
     system-config-p   3250 No RELRO          No canary found        NX enabled    No PIE                  
     kerneloops-appl   3255 No RELRO          Canary found           NX enabled    No PIE                  
           nm-applet   3256 No RELRO          No canary found        NX enabled    No PIE                  
            gnome-do   3257 No RELRO          No canary found        NX enabled    No PIE                  
     gnome-volume-ma   3260 No RELRO          No canary found        NX enabled    No PIE                  
     gnome-power-man   3264 No RELRO          No canary found        NX enabled    No PIE                  
      mapping-daemon   3322 No RELRO          No canary found        NX enabled    No PIE                  
       mixer_applet2   3334 No RELRO          No canary found        NX enabled    No PIE                  
                bash   3350 No RELRO          No canary found        NX enabled    No PIE                  
                bash   3354 No RELRO          No canary found        NX enabled    No PIE                  
                bash   3357 No RELRO          No canary found        NX enabled    No PIE                  
                bash   3360 No RELRO          No canary found        NX enabled    No PIE                  
                bash   3363 No RELRO          No canary found        NX enabled    No PIE                  
                bash   3366 No RELRO          No canary found        NX enabled    No PIE                  
                bash   3369 No RELRO          No canary found        NX enabled    No PIE                  
         compiz.real   3435 No RELRO          No canary found        NX enabled    No PIE                  
     evolution-data-   3441 No RELRO          No canary found        NX enabled    No PIE                  
             emerald   3442 No RELRO          No canary found        NX enabled    No PIE                  
     evolution-excha   3448 No RELRO          No canary found        NX enabled    No PIE                  
     notification-da   3524 No RELRO          No canary found        NX enabled    No PIE                  
    
    
    I wonder how much extra security Ubuntu's stronger defaults buy?


     
  11. katio

    katio Guest

    Especially with Firefox (I think it's safe to say it's the most attacked application, with the most remote code execution vulns found) this means you aren't protected against 0-day exploits, which are pretty common; check the changelog. Consider that there's always a time window between a vulnerability being disclosed and the patch getting through the usual testing to your security repo, so that's really not far-fetched or theoretical.
    The additional protections enabled in Ubuntu and other distros only make it harder to exploit a vulnerable application, it's never 100% and I don't know how effective it is against real world exploits. That's why I confine Firefox with AppArmor where I can easily verify that if an exploit gets through the defenses any damage will be limited.

    Running a browser without MAC _and_ without any hardening certainly is more risky. But remember on Linux that still doesn't translate to any imminent threat.

    Anyway, we'll know more when part 3 is released.
     
  12. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I'm wondering if SELinux (which is included in Debian) can be configured so that the extra hardening is redundant.
     
  13. katio

    katio Guest

    Basically MACs limit what an exploit can do, they do not prevent it from executing in the first place (not to be confused with executing of dropped malware which is confined AFTER the initial shellcode is executed). In the case of a browser exploit that could mean session hijacking, cookie stealing, back-dooring the browser. But: SELinux unlike other MACs also includes some memory protection and other prevention technologies.

    However again I have to admit that I don't know how that transfers into real world exploits. If I had to guess I'd say either (SELinux OR compiler/kernel hardening) is "good enough".
     
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I would say it would make a difference in the real world. Most of the exploits out there aren't going to work when, say, a browser is compiled with PIE support and stack protection, etc.

    As for SELinux, it does have memory protections and can achieve some of the same things as PaX.
     