On Thu, Sep 09, 2010 at 10:30:57AM -0400, Gregory Maxwell wrote:
> On Thu, Sep 9, 2010 at 9:45 AM, Neal Becker <[email protected]> wrote:
> > This article:
> >
> > http://labs.mwrinfosecurity.com/notices/security_mechanisms_in_linux_environment__part_1___userspace_memory_protection/
> >
> > seems to say that fedora is ranking poorly in deployment of various
> > userspace memory protection mechanisms. Is this information accurate?
>
> I asked about one point of this on LWN:
> Library randomization / prelink
> Posted Sep 8, 2010 18:26 UTC (Wed) by gmaxwell (subscriber, #30048)
> Anyone know how the library randomization is being counted? 3 bits for
> fedora doesn't sound right. Is the 3 bits the value for a system vs
> itself or for this system vs all other systems?
>
> "a note here: fedora uses exec-shield which maps libraries in two different
> regions: ascii-armor (lower 16MB) and the rest. i think what paxtest
> measured there is the former where the usable entropy is necessarily
> less than elsewhere and may not be representative of real life apps
> and their address spaces (not saying the whole ascii-armor region is
> worth anything for security though ;)"

This article was brought up on fedora-kernel-list last week.
In my tests, I've not been able to reproduce the '3 bits' result.
On current kernels, I see 12 bits for 32-bit, and 'no randomisation' for 64-bit.
I'm not entirely sure yet why we're showing different results on some of the
other tests to other distros too.
I'll poke at it some more tomorrow.
Dave
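
An added example, not part of the thread and not paxtest's code: one way to count observed randomization bits from sampled library base addresses, split by the ascii-armor region (lower 16MB) the quoted note mentions. The sample addresses are constructed, the 4 KiB page size is an assumption, and the OR/AND bit-counting is an assumed method, not a confirmed description of how paxtest measures.

```python
# Estimate how many address bits vary across sampled library base addresses,
# separately for the ascii-armor region and for everything above it.

ASCII_ARMOR_LIMIT = 16 * 1024 * 1024  # "lower 16MB", per the quoted note
PAGE_SIZE = 4096                      # assumption: 4 KiB pages


def varying_mask(addresses):
    """Return a mask of bits that differ between at least two samples."""
    all_or, all_and = 0, ~0
    for addr in addresses:
        all_or |= addr
        all_and &= addr
    # A bit varies if it is set in some sample but not in every sample.
    return all_or & ~all_and


def observed_bits(addresses):
    """Number of varying bits: a lower bound on entropy for a finite sample."""
    return bin(varying_mask(addresses)).count("1")


def bits_by_region(addresses):
    """Report observed bits for the ascii-armor region and for the rest."""
    armor = [a for a in addresses if a < ASCII_ARMOR_LIMIT]
    rest = [a for a in addresses if a >= ASCII_ARMOR_LIMIT]
    return {"ascii_armor": observed_bits(armor), "rest": observed_bits(rest)}


def armor_ceiling_bits():
    """Upper bound for page-aligned bases inside the ascii-armor region."""
    slots = ASCII_ARMOR_LIMIT // PAGE_SIZE  # 4096 possible page-aligned bases
    return slots.bit_length() - 1


# Constructed sample base addresses (not measurements from any real system).
SAMPLES = [
    0x00110000, 0x00A54000, 0x003E9000, 0x007C2000,  # inside ascii-armor
    0xB7E10000, 0xB6D4A000, 0xB56F3000, 0xB4F85000,  # above ascii-armor
]

if __name__ == "__main__":
    print(bits_by_region(SAMPLES), "armor ceiling:", armor_ceiling_bits())
```

Because the count is taken over a finite sample, it can only understate the real entropy, so a low figure needs more runs before it is trusted.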