oss-sec mailing list archives

Re: How GNU/Linux distros deal with offset2lib attack?


From: Shawn <citypw () gmail com>
Date: Mon, 8 Dec 2014 19:06:36 +0800

Hi Greg,

On Mon, Dec 8, 2014 at 3:44 AM, Greg KH <greg () kroah com> wrote:
> On Sun, Dec 07, 2014 at 10:43:17PM +0800, Shawn wrote:
>> Hi Lionel,
>>
>> Thanks for your extraordinary explanation about Grsec/PaX. I'm a big
>> fan of Grsec/PaX. But I think comparing the ASLR implementation of the
>> vanilla kernel with Grsecurity/PaX is not fair. Linux upstream doesn't
>> hold the security-oriented philosophy, while the Grsecurity/PaX community
>> are experts in system-level security.
>
> Ok, do you seriously think this?  If so, please provide details as to
> why you feel this way.  The Linux kernel developers take security very
> seriously, otherwise no one would be using Linux for "secure" systems,
> right?

Like Lionel explained in the last reply, the term *security* has a different
meaning in different contexts. Don't get me wrong, I love
GNU/Linux (GCC/GLIBC/KERNEL), which are the fundamentals of the FOSS
ecosystem. I've always been telling my customers/friends that
GNU/Linux (with vanilla kernel) is more secure than M$-windows. But
Grsecurity/PaX is the must-have stuff for those who have some digital
assets in a critical scene.

Developers/users could bear a 5%-10% performance penalty caused
by new features, but I don't think most developers/users would accept
even a 1% performance penalty caused by a security defensive mitigation.
Personally, I hope we could see Grsecurity/PaX being part of the mainline
linux kernel in the future.

> Great, please do the work to split it up and submit it to be merged,
> that would be a wonderful thing for you to do if you think the features
> there are needed.

I wish I could. Debian/Mempo or hardened Gentoo can satisfy my daily bread.

>> IMHO, offset2lib is a very critical impact to the GNU/Linux
>> mitigation. What if the bad guys already have some 0day vulns? This
>> will make their work so much easier to write massive exploits. Hope
>> upstream could patch this issue as quickly as possible. Please don't leave
>> this work as a burden on the GNU/Linux distro community.
>
> What exactly do you mean here?  The fact that this option isn't enabled
> by lots of distros already means that there isn't much of an issue,
> right?

Do you think that the mitigations NX+ASLR+PIE+STACK CANARY being
defeated in a few seconds is not a big deal? What do you mean by
"this option isn't enabled"? Most suid programs have been
shipped with these mitigations: NX/ASLR/PIE/STACK
CANARY/FORTIFY...some are compiled with RELRO. What I mean is this
issue should be fixed upstream, not left to the distro community to
maintain a tiny patch.

> thanks,
>
> greg k-h



-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn
