FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 02-03-2008, 07:05 PM
Moritz Muehlenhoff
 
Default Introducing security hardening features for Lenny

John Goerzen wrote:
> However, I am concerned that is appears to be limited in scope to packages
> that:
>
> * Are written in C or C++
>
> * Can have hardening achieved through technical changes to the build process
>
> I think it is important to remember that other languages can have security
> problems too, perhaps just as easy as these (shell).

Sure, but we're trying to optimise for the common case here.

Everyone is welcome to start systematic security enhancement efforts for other
languages (like, checking all existing Python code for insecure sub process
invocation or something similar).

An important reason is that some features (SSP and FORTIFIED_SOURCE) allow us
to lower the amount of needed work to fix security issues. There have been
several vulnerabilities which are non-issues on e.g. RHEL5, which has both
enabled. The ASLR changes are icing on the cake.

Cheers,
Moritz


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-04-2008, 10:45 AM
Riku Voipio
 
Default Introducing security hardening features for Lenny

On Sun, Feb 03, 2008 at 08:53:00PM +0100, Moritz Muehlenhoff wrote:
> Did you followup with upstream on the SSP problems we've seen
> on ARM?

Basicly their response was basicly "why would anyone want
5-10% bigger and slower binaries on arm". It was also discussed
the possibility of --disable-ssp we use on our current arm/armel
toolchain being broken. Once I have a bit more time I'll try
seeing what happens if you build gcc-4.3 with ssp enabled.

--
"rm -rf" only sounds scary if you don't have backups


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-04-2008, 11:35 AM
Ron Johnson
 
Default Introducing security hardening features for Lenny

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/04/08 05:45, Riku Voipio wrote:
> On Sun, Feb 03, 2008 at 08:53:00PM +0100, Moritz Muehlenhoff wrote:
>> Did you followup with upstream on the SSP problems we've seen
>> on ARM?
>
> Basicly their response was basicly "why would anyone want
> 5-10% bigger and slower binaries on arm". It was also discussed

Just MNSHO:

Because ARM systems are almost always embedded, and don't get
updated very often, so from the start should be as hardened as
possible against attack.

And if that means a 10% slowdown, so be it.

> the possibility of --disable-ssp we use on our current arm/armel
> toolchain being broken. Once I have a bit more time I'll try
> seeing what happens if you build gcc-4.3 with ssp enabled.

- --
Ron Johnson, Jr.
Jefferson LA USA

PETA - People Eating Tasty Animals
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHpwaBS9HxQb37XmcRAqReAKDB0EjCnQ7eOA9/D2Ni0A4OpXyAcACdHXoz
XUDrWQyvB8uFH4rwJEI27fY=
=Iwd3
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 

Thread Tools




All times are GMT. The time now is 03:29 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org