On Mon, Jan 23, 2012 at 8:23 PM, Gerald Pfeifer <gp@suse.com> wrote:
On Mon, 23 Jan 2012, Claudio Freire wrote:
And again, breaking people's systems that have been running fine for years? That's a big risk that I don't think you want to take... In this case, it's worth the try.
Cui bono? The average openSUSE user will be very annoyed, up to the point of considering a different distribution, if something she cares about breaks. Really, often it's just one thing not working, or even not working well. And even if there is a workaround, and she does not switch, such an experience certainly does not add bonus points.
The point is to make everything on the distribution DVD and/or main repo work. Granted, it's easier said than done.

For those not too familiar with randomization and position-independent code: all libraries (.so) already use position-independent code. Most application code (and I mean the great majority) does not care which kind of code is being generated, and only a few cases exist that would break, which include applications that generate position-dependent machine code at run-time (older JITs), or other code that does non-standard stuff. Most C code just works, and making it position-independent or not is just a matter of compiler flags.

Randomization of program addresses makes the attacker's work of successfully exploiting an existing vulnerability harder (not impossible). Position-independent code *without* randomization, however, is easier to attack than position-dependent code. That's because position-independent code opens up a whole class of remote code execution exploits that would be hard (not impossible) to accomplish with fixed-address code if the execute-disable bit is used on data pages (which all PAE-enabled kernels do).

So randomization is a very significant security feature. Some exploits are trivial without randomization, but become impossible or very hard with randomization. And this matters in the presence of vulnerabilities, that is, on unpatched systems. So it's a good thing. Very good thing. And it's unlikely to break a lot of stuff; anything BSD-compatible would have to run with randomization, for instance.
I am generally very much in favor of security. This, however, is not straightforward at all. Let's keep in mind that anyone on this list is _not_ an average openSUSE user!
Why not make this a setting in the YaST Security and Hardening Center?
This is a very good transitional release option. I.e.: for the first release with randomization, make it an opt-in feature (perhaps ask at install time?). That would allow some time for extensive testing and, when the next release makes it the default, would allow users to just turn it on on their existing installation to check that everything works.
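The thread turns on two facts a tester of such an opt-in release would want to check on a running system: whether the kernel is actually randomizing addresses, and which installed executables were built position-independent (the ELF header's e_type is ET_DYN for PIE, ET_EXEC for fixed-address binaries). The following script is an added example, not code from the thread or from openSUSE; the sample headers it embeds are constructed, and the /usr/bin scan is only a suggestion of where to point it.

```python
"""Audit ASLR readiness: read the kernel ASLR level and classify ELF files
as position-independent (ET_DYN) or fixed-address (ET_EXEC)."""
import struct
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
# Meaning of /proc/sys/kernel/randomize_va_space values on Linux.
ASLR_LEVELS = {
    0: "disabled",
    1: "stack, mmap and vdso randomized (brk not randomized)",
    2: "full (stack, mmap, vdso and brk randomized)",
}

def elf_type(header: bytes) -> str:
    """Classify a file from its first bytes: 'pie', 'fixed', 'other' or 'not-elf'.
    e_type is the 16-bit field at offset 16; EI_DATA (offset 5) gives endianness.
    Note: ET_DYN is also used by shared libraries, so apply this to executables."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return "not-elf"
    endian = "<" if header[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    if e_type == ET_EXEC:
        return "fixed"   # loaded at its link-time address; ASLR cannot move its text
    if e_type == ET_DYN:
        return "pie"     # relocatable, so the loader can place it at a random base
    return "other"       # relocatable object, core file, etc.

def aslr_level(value: str) -> str:
    """Map the content of randomize_va_space to a human-readable description."""
    try:
        return ASLR_LEVELS.get(int(value.strip()), "unrecognized")
    except ValueError:
        return "unrecognized"

def scan(paths) -> dict:
    """Return {path: classification} for every regular file in paths."""
    result = {}
    for p in paths:
        p = Path(p)
        if p.is_file():
            with open(p, "rb") as fh:
                result[str(p)] = elf_type(fh.read(20))
    return result

# Constructed 20-byte x86-64 little-endian headers (class=2, data=1, version=1).
SAMPLE_FIXED = b"\x7fELF\x02\x01\x01\x00" + bytes(8) + struct.pack("<HH", ET_EXEC, 0x3E)
SAMPLE_PIE = b"\x7fELF\x02\x01\x01\x00" + bytes(8) + struct.pack("<HH", ET_DYN, 0x3E)

if __name__ == "__main__":
    print("ASLR:", aslr_level(Path("/proc/sys/kernel/randomize_va_space").read_text()))
    for path, kind in scan(Path(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin").iterdir()).items():
        print(f"{kind:7} {path}")
```

Run it as `python3 aslr_audit.py /usr/bin`; any line marked `fixed` is an executable whose own code segment will still sit at a predictable address even with the kernel setting at 2.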