PIE & PAX
cendres at videotron.ca
Fri Feb 27 14:04:58 PST 2004
On February 27, 2004 04:13 pm, BARRE Arnaud wrote:
> If I understood, PIE is in PaX, so why don't we use PaX?
> I'm a newbie and I still have problems with security levels.
> But I thought that PIE is just an element for security level 1
> and PaX is for security levels 1, 2 and 3.
PIE is "position independent executable". It's a new GCC feature that will be
included in gcc-3.4. This feature uses 'ld -pie' with 'gcc -fpie'. The old
method is 'ld -pie' and 'gcc -fpic', which makes a 'relocatable executable'.
The new method makes everything a 'shared object', and lets the main
executable set the load addresses instead of the library. PaX needs one or
the other to work, but it works best with PIE as opposed to PIC. Most vendors
are using PIC because PIE is not stabilized yet, but it has been working very
well for me. PIE/PIC is not limited to PaX in any way. You can use
exec-shield, and other kernel patches, to randomize the load addresses;
however, PaX has the most features and testing.
> Do you think SSP and PaX are a good choice?
PaX doesn't stop 'return to libc' attacks, while SSP does. PaX prevents return
to libc attacks by randomizing functions, but it doesn't actually stop it if
it happens. SSP would kill the process that is attacked like this. PaX does
stop many attacks that SSP can't, so they're best used together.
> If I use SSP hint with the PaX patch on kernel 2.6.3, do you think it
> will be stable?
I've made SSP patches for 2.6 available, and there are 2.6 patches for PaX,
but 2.6 is not stable. I have built lfs with nptl, kernel-2.6, SSP, and PIE,
just to see if it would work, and it looks okay, but if you want to do that
you're on your own. There are many unknown issues with the 2.6 kernel and it
is not intended for use in a stable system.
> I don't know what sort of test is good for testing kernel stability, or if
> all patches will be good, ...?
It has to be tested by many people on many different systems with many
different configurations. The bugs are unknown, so people have to try
everything before they can figure out problems.
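As an added illustration of the PIE/PIC distinction described above (this is not part of the original post or the HLFS project): the binary that 'ld -pie' produces is an ET_DYN object, like a shared library, whereas a conventional executable is ET_EXEC with fixed load addresses, which is what leaves PaX or exec-shield nothing to randomize. The checker below classifies an ELF image from its header and program headers, using constructed sample images instead of real binaries; 'readelf -h' shows the same distinction as "Type: DYN" versus "Type: EXEC".

```python
import struct
# e_type values and program-header types from the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3

def classify_elf(data: bytes) -> str:
    """Return 'non-PIE executable', 'PIE executable', 'shared object', 'other' or 'not ELF'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not ELF"
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if e_type == ET_EXEC:
        # Fixed load addresses: nothing for PaX/exec-shield to randomize.
        return "non-PIE executable"
    if e_type != ET_DYN:
        return "other"
    # ET_DYN is what 'ld -pie' produces, but shared libraries use it too. A PT_INTERP segment
    # (request for the dynamic loader) is the usual heuristic for a PIE executable, as in readelf/file.
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "PIE executable"
    return "shared object"

def make_elf64(e_type: int, phdr_types) -> bytes:
    """Build a minimal little-endian x86-64 ELF image (constructed sample, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return ehdr + phdrs

if __name__ == "__main__":
    samples = {
        "gcc -fpie + ld -pie output (constructed)": make_elf64(ET_DYN, [PT_INTERP, PT_LOAD]),
        "conventional executable (constructed)": make_elf64(ET_EXEC, [PT_INTERP, PT_LOAD]),
        "shared library (constructed)": make_elf64(ET_DYN, [PT_LOAD]),
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_elf(blob)}")
```

To check a real build, pass the bytes of an installed binary to classify_elf; a PIE-built system should report "PIE executable" for its programs and "shared object" for its libraries.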