Re: [opensuse-security] Security features of current openSUSE versions?

I spent this day reading some documentation and examining openSUSE 10.2, and there is something I don't understand: Why are there PIE-compiled packages in openSUSE if the kernel doesn't do ASLR on the program code? Or does it? (Am I correct if I say that PIE programs are the ones recognized as "ET_DYN" by scanelf?)

Sorry, but I forgot to send a copy of my previous mail to the list. (I thought it should happen automatically.)

On May 24, 2007, at 17:22, the following was written:
On Thu, May 24, 2007 at 05:18:36PM +0200, Németh Tamás wrote:
Thank you for the quick answer!
On May 24, 2007, at 16:39, the following was written:
-openSUSE 10.3 or older versions have all packages compiled as PIE or PIC to utilize the ASLR capabilities of the 2.6.20 and newer Linux kernels? (Does openSUSE 10.3 have an ASLR capability comparable to that of PaX?)
We have a selected set of packages (but not all) compiled as PIE since 10.1.
Can I benefit from this by replacing your kernel by some PaX patched one?
If PAX allows it, yes.
The kernel has various parts of ASLR:
- MMAP and Stack location: is in the kernel since 10.1
- PIE binaries location: is not in the mainline kernel yet, so we do not have it.
We are however working on bringing binary location randomization into the mainline kernel.
Oh. Wikipedia (http://en.wikipedia.org/wiki/Address_space_layout_randomization) states that: "ASLR is enabled by default in the linux kernel since 2.6.20".
ASLR has multiple parts ... since there are multiple parts of the address space. Binary, Heap, MMAP area, Stack, VDSO ... Only some of them are randomized (Stack, Heap with 2.6.13?16? and VDSO with 2.6.20).
But in the file http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 one can read that:
"commit 90cb28e8f76e57751ffe14abd09c2d53a6aea7c8
Author: Linus Torvalds <torvalds@woody.osdl.org>
Date: Sat Jan 6 13:28:21 2007 -0800
Revert "[PATCH] binfmt_elf: randomize PIE binaries (2nd try)"
This reverts commit 59287c0913cc9a6c75712a775f6c1c1ef418ef3b."
(Your patch was refused? Was it a patch for binaries location?)
This was a very simple patch I tried to get in for the Binary randomization. Unfortunately it cannot be done that easily.
A Czech developer is currently trying to get in a better one, and it already lives in the -mm tree.
All AMD64 systems, all x86 systems with the "bigsmp" kernel if the hardware supports it, not sure about the other architectures (PPC, S390, IA64...).
Do Intel EM64T processors running 64 bit openSUSE fall into this category?
Yes.
http://en.opensuse.org/Security_Features has a summary.
I've read that but I was hoping for some fundamental security enhancements in openSUSE 10.3 which are undocumented yet.
So far not, but until release there is still some time. We have however nothing planned.
Ciao, Marcus
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org

On Fri, May 25, 2007 at 01:43:21PM +0200, Németh Tamás wrote:
I spent this day reading some documentation and examining openSUSE 10.2, and there is something I don't understand:
Why are there PIE-compiled packages in openSUSE if the kernel doesn't do ASLR on the program code? Or does it? (Am I correct if I say that PIE programs are the ones recognized as "ET_DYN" by scanelf?)
Correct. We prepared it for 10.1 and had the hope that the kernel would gain the support soon. The latter however did not happen, but we are leaving it in to be ready (or for people upgrading their kernels later on).
Ciao, Marcus