Bugtraq mailing list archives
Re: Buffer overflow prevention
From: Peter Busser <peter () trusteddebian org>
Date: Tue, 19 Aug 2003 07:48:09 +0200
On Mon, Aug 18, 2003 at 03:31:11PM -0600, Theo de Raadt wrote:
If we had been aware of PAX as you claim, why would we have thought that i386 solutions were impossible?
You have thought that i386 solutions were possible, because you have implemented them.
Can you please stop spinning this?
How could you implement an i386 solution if you still think it is impossible?
W^X was up and running on some of our architectures before we had heard of PAX. Months later, ways of doing W^X for i386 were discussed, but this was also before we had heard of PAX. Even later, W^X was starting to work on i386, but even this was before we had heard of PAX. W^X does not do what PAX does; rather, W^X attempts to solve many of the same problem AREAS, but using entirely DIFFERENT SOLUTIONS.
Ok, thank you for clarifying that. I didn't know that. All I've seen so far is abusive language from you against the people who contacted you about this matter.
Holy cow, can you guys please stop crowing for me to revise history!
Can you please stop making generalisations?
It is clear that W^X was developed without knowledge of PAX; it is clear that this is a case of two solutions to a similar problem space -- call it convergent evolution; it is clear that begging for credit is just making your efforts look more and more political and less and less technical.
PaX is not my effort.
I urge the PAX authors to get their community's rabid foaming under control.
I can't speak for other people in the community you mention, but it seems to me that the one who is foaming right now is you.
Like, our idea that mprotect should still permit a user to request a page that is PROT_EXEC|PROT_WRITE; by default the PAX people prefer to deny such requests.
Right, PROT_EXEC|PROT_WRITE is W|X and not W^X. Denying it is what you could call secure by default.
We informally (in mail to lists, etc) presented W^X to say we have shipped a system that does this and this and that, to improve resistance against exploitation of bugs, in concert with ProPolice. If you look at the PAX web and other much more formal documentation, you will find that they do not mention W^X.
If you look at the PaX web site, you will notice that it mentions other Linux patches that do memory protection. The Adamantix web site links to the OpenBSD web site and to systrace.
Your continued insistence that we knew of PAX is making you look ridiculous.
My continued insistence? I've written only two messages about the subject, this one being the second.
I will not revise history to make your ego feel less bruised.
There is a saying which goes like: It takes one to know one.
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/
Competing against OpenBSD security efforts, but starting out 6 years later...
Thank you for thinking of Adamantix as competition. I think competition is good and having a choice is also good.
Groetjes,
Peter Busser
--
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/
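The policy difference argued over in this message (whether a request for PROT_EXEC|PROT_WRITE is granted or denied) can be observed on a running system. The probe below is an added example, not code from the post, OpenBSD or PaX; the function names and the three policy labels are hypothetical, and it assumes a POSIX system with anonymous mmap.

```c
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum wx_policy {                   /* hypothetical labels for this example */
    WX_ON_REQUEST,   /* PROT_WRITE|PROT_EXEC granted when explicitly asked for */
    WX_DENIED,       /* W|X refused, but a writable page may later become executable */
    WX_STRICT        /* W|X refused and a once-writable page cannot become executable */
};

/* 1 if a fresh anonymous mapping with `prot` is granted, else 0. */
int probe_mmap(int prot)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, pg);
    return 1;
}

/* 1 if a page first mapped read/write can be changed to `prot` via mprotect. */
int probe_mprotect(int prot)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    int ok = mprotect(p, pg, prot) == 0;
    munmap(p, pg);
    return ok;
}

/* Pure decision logic, separate from the probes so it can be checked on its own. */
enum wx_policy classify(int mmap_wx, int mprotect_wx, int w_then_x)
{
    if (mmap_wx || mprotect_wx) return WX_ON_REQUEST;
    return w_then_x ? WX_DENIED : WX_STRICT;
}

int main(void)
{
    static const char *name[] = { "W|X granted on request",
        "W|X denied, W-then-X allowed", "W|X denied, W-then-X denied" };
    int a = probe_mmap(PROT_READ | PROT_WRITE | PROT_EXEC);
    int b = probe_mprotect(PROT_READ | PROT_WRITE | PROT_EXEC);
    int c = probe_mprotect(PROT_READ | PROT_EXEC);
    printf("mmap W|X=%d mprotect W|X=%d RW->RX=%d => %s\n", a, b, c, name[classify(a, b, c)]);
    return 0;
}
```

The result describes only the policy applied to the probing process; per-binary or per-process exemptions on the host can give a different answer for other programs.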