Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Aug 2011 09:03:59 -0400
From: "Anthony G. Basile" <>
Subject: Trying to get PaX RANDMMAP into the mainstream kernel

Hi everyone,

I had a brief conversation yesterday with solardiz on
freenode/#openwall.  The topic turned to what other hardening code could
go upstream besides the stuff you guys have already been pushing.  It
would be nice if we could get PaX RANDMMAP in.  It gives better
randomization on mmap addresses, but unfortunately breaks packages which
use pre-compiled headers. [1]

I wrote a little POC program to demonstrate this. [2]  Try running it on
vanilla ubuntu, opensuse and gentoo.  Then try running it on the same
with a hardened kernel with RANDMMAP enabled.

We came across this issue in a hardened gentoo bug. In one of the
comments, pipacs <> gives a very complete
explanation of the situation. [3]  I won't repeat it here.

If RANDMMAP does get in, then this would be incentive to the gcc people
to address the limitations of their gch code.  However, the logic works
the other way, so this is also the barrier to getting RANDMMAP upstream.
solardiz had a good idea: have some sysctl in /proc/sys/kernel either
turn it on or off, or allow you to set the amount of randomization.
This eases the impact in a running kernel, so its not something the user
is stuck with once they configure, compile and reboot.

Also, I don't know if people here are familiar with Hedrick's work.  He
has broken up the grsec 50k line monolithic patch into smaller patches
which address each feature individually.  Critical if you want to get
any of this stuff upstream.

BTW, Vasiliy, kudos on your GSoC work.



Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    :
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.