PIE & PAX

Robert Connolly cendres at videotron.ca
Fri Feb 27 14:04:58 PST 2004


On February 27, 2004 04:13 pm, BARRE Arnaud wrote:
> If I understood, PIE is in PaX, so why not use PaX?
>
> I'm a newbie and I still have problems with the security level.
> But I thought that PIE is just an element for security level 1
> and PaX is for security levels 1, 2 and 3.

PIE is 'position independent executable'. It's a new GCC feature that will be 
included in gcc-3.4. This feature uses 'ld -pie' with 'gcc -fpie'. The old 
method is 'ld -pie' and 'gcc -fpic' which makes a 'relocatable executable'. 
The new method makes everything a 'shared object', and lets the main 
executable set the load addresses instead of the library. PaX needs one or 
the other to work, but it works best with PIE as opposed to PIC. Most vendors 
are using PIC because PIE is not stabilized yet, but it has been working very 
well for me. PIE/PIC is not limited to PaX in any way. You can use 
exec-shield, and other kernel patches, to randomize the load addresses, 
however PaX has the most features and testing.

> Do you think SSP and PaX is a good choice?

PaX doesn't stop 'return to libc' attacks, while SSP does. PaX prevents return 
to libc attacks by randomizing functions, but it doesn't actually stop it if 
it happens. SSP would kill the process that is attacked like this. PaX does 
stop many attacks that SSP can't, so they're best used together.

> If I use the SSP hint with the PaX patch on kernel 2.6.3, do you think it
> will be stable?

I've made SSP patches for 2.6 available, and there are 2.6 patches for PaX, 
but 2.6 is not stable. I have built LFS with NPTL, kernel-2.6, SSP, and PIE, 
just to see if it would work, and it looks okay, but if you want to do that 
you're on your own. There are many unknown issues with the 2.6 kernel and it 
is not intended for use in a stable system.

> I don't know what sort of test is good for testing kernel stability, or if
> all patches will be good, ...?

It has to be tested by many people on many different systems with many 
different configurations. The bugs are unknown, so people have to try 
everything before they can figure out problems.
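The PIE distinction made in the reply above (a PIE is linked as a 'shared object', an ET_DYN ELF image, while a conventional executable is ET_EXEC and loads at a fixed address that the kernel cannot randomize), as an added example that is not part of the original post or of any project mentioned in it: a small ELF-header parser that tells the two apart, the check a builder would run on the output of a 'gcc -fpie'/'ld -pie' toolchain. The ELF images it classifies are constructed inline and the ET_DYN-plus-PT_INTERP heuristic for "PIE executable" is an assumption of this example (static-pie binaries carry no PT_INTERP and would be reported as shared objects).

```python
import struct
import sys

ELFMAG = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3      # e_type: fixed-address executable vs. shared object / PIE
PT_INTERP = 3               # program header naming the dynamic loader (ld.so)

FIXED = "fixed-address executable (not PIE)"
PIE = "PIE executable"
SHARED = "shared object"


def classify_elf(data: bytes) -> str:
    """Classify an ELF image from its header and program headers.

    ET_EXEC is linked at a fixed address, so the kernel cannot randomize its
    base.  ET_DYN is a shared object; if it also carries a PT_INTERP entry it
    is treated as a PIE executable (heuristic: static-pie binaries have no
    PT_INTERP and are reported as shared objects here).
    """
    if len(data) < 52 or data[:4] != ELFMAG:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 2:                        # ELF64: e_entry/e_phoff/e_shoff are 8 bytes wide
        fmt = end + "HHIQQQIHHH"
    elif ei_class == 1:                      # ELF32: they are 4 bytes wide
        fmt = end + "HHIIIIIHHH"
    else:
        raise ValueError("unknown ELF class")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(fmt, data, 16)
    if e_type == ET_EXEC:
        return FIXED
    if e_type != ET_DYN:
        return "other (e_type=%d)" % e_type
    # p_type is the first 4 bytes of every program header in both ELF classes.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("program header table truncated")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return PIE
    return SHARED


def build_elf64(e_type: int, with_interp: bool) -> bytes:
    """Construct a minimal little-endian x86-64 ELF image (header plus at most
    one program header) as sample input; it is parseable, not loadable."""
    phnum = 1 if with_interp else 0
    e_ident = ELFMAG + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1, SysV ABI
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1, 0x1000,   # e_type, EM_X86_64, EV_CURRENT, e_entry
        64, 0, 0,                # e_phoff (right after the header), e_shoff, e_flags
        64, 56, phnum,           # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                # e_shentsize, e_shnum, e_shstrndx
    if with_interp:
        # One PT_INTERP header (p_type, p_flags, p_offset, p_vaddr, p_paddr,
        # p_filesz, p_memsz, p_align); the interpreter path itself is omitted.
        header += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    return header


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real binary, e.g. one built with 'gcc -fpie -pie' vs. plain 'gcc'.
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "->", classify_elf(f.read()))
    else:
        for label, img in (("ET_EXEC", build_elf64(ET_EXEC, False)),
                           ("ET_DYN + PT_INTERP", build_elf64(ET_DYN, True)),
                           ("ET_DYN, no PT_INTERP", build_elf64(ET_DYN, False))):
            print(label, "->", classify_elf(img))
```

Run with no arguments to see the three constructed cases, or pass a path to classify a real binary; `readelf -h <file>` reports the same field as "Type: EXEC" or "Type: DYN" and is the quick cross-check.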
