Date: Mon, 7 Nov 2011 01:02:00 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: pax-utils

On Sun, Nov 06, 2011 at 09:48:57PM +0400, Vasiliy Kulikov wrote:
> SSP can be tested by:
> 
> http://www.trapkit.de/tools/checksec.html

On a couple of occasions, I used this one to check GNU stack and relro
on programs in our /bin, /sbin, /usr/bin, /usr/sbin dirs.

Apparently, there are no PGP signatures for checksec.sh updates (I think
we should request those), but luckily the script is reviewable and is
mostly usable as non-root (although some features require root).

> ASLR and ASCII-armor can be tested by paxtest:
> 
> http://grsecurity.net/~spender/paxtest-0.9.9.tgz
> https://forums.grsecurity.net/viewtopic.php?f=1&t=1908

I think packaging these and pax-utils is reasonable.

A related concern, though, is that these are commonly used to judge
security of one distro vs. another, even though there are many other
factors - e.g., a sshd binary that passes all these tests but uses 20+
libraries (think Red Hat'ish distros) may be a higher risk than one that
has non-perfect results per these tests but uses a lot fewer libraries
(such as Owl's).

That said, we're now catching up on this kind of hardening, so our
binaries will look just as good as other distros' per these tests soon,
and we definitely need this kind of test tools ourselves.

Alexander
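The GNU stack and RELRO checks discussed above, together with a count of directly linked libraries, can be read straight from the ELF program headers and dynamic section. This is an added example, not part of the original message and not code from checksec.sh or pax-utils; `audit_elf` and `build_sample` are hypothetical names, only little-endian ELF64 is handled, and the sample image is constructed.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 2, 0x6474E551, 0x6474E552, 1
DT_NULL, DT_NEEDED, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 1, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def audit_elf(data):
    """Return GNU stack state, RELRO level and direct DT_NEEDED count (ELF64 LE only)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    phoff, = struct.unpack_from("<Q", data, 0x20)              # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 0x36)   # e_phentsize, e_phnum
    stack, relro, bind_now, needed = "missing", False, False, 0
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:       # no header at all is reported as "missing"
            stack = "executable" if p_flags & PF_X else "non-executable"
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:       # walk Elf64_Dyn entries (16 bytes each)
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_NEEDED:     # direct dependencies only, not transitive
                    needed += 1
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"gnu_stack": stack, "relro": level, "needed": needed}

def build_sample(extra_segs, dyn):
    """Constructed ELF64 image: headers and dynamic section only, not loadable."""
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    segs = [(PT_DYNAMIC, 6)] + extra_segs
    dyn_off = 64 + 56 * len(segs)        # ELF header, then program headers
    ehdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01", 3, 62, 1,
                       0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off, 0, 0,
                                 len(dynamic), len(dynamic), 8) for t, f in segs)
    return ehdr + phdrs + dynamic

if __name__ == "__main__":
    hardened = build_sample([(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                            [(DT_NEEDED, 1), (DT_FLAGS, DF_BIND_NOW)])
    print(audit_elf(hardened))
```

Passing the bytes of a real binary to `audit_elf` gives the same report; non-ELF files such as shell scripts raise `ValueError` and can be skipped by the caller.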
