Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Oh I see, now that I've read this I feel a little safer now...
http://askubuntu.com/questions/12020...-no-passphrase
Hence why I said that execshield isn't a big deal as Ubuntu ships with all NX enabled binaries by default. Where execshield is nice is for forcing binaries that don't use it. This is rarer these days.
As for PIE, all services are vulnerable. There's really no excuse for not at least having a test build for it - there shouldn't be any performance hit on 64bit and tons of services (pulseaudio for example, other root services like rsyslogd) aren't running PIE. While they have it enabled in really critical services like dhclient it's still important for it to be used in others.
Last edited by Hungry Man; September 11th, 2012 at 10:44 PM.
According to checksec, every running process on my system has NX enabled, so I think we're good there.
It's a lot of work for some services. Pulseaudio is a monster blob of complicated code. According to checksec, PA has everything enabled but PIE (it has Full RELRO, NX and a canary).
I am sure the Ubuntu security team would like to have everything compiled with full PIE at some point (I think this is their goal), but it will take a little time.
IIRC, some of the PaX code is going to be merged to the mainline kernel one of these days (or at least it has been talked about). That should help strengthen the ASLR of the vanilla kernel a bit. Right now, the default ASLR built into the vanilla kernel is already a bit stronger than what Windows offers.
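The checksec results quoted in the posts above (NX, Full RELRO, PIE) all come from fields in the ELF program headers and dynamic section, which can be inspected without checksec. The following is an added example, not code from the thread or from checksec: it parses an ELF64 image for PT_GNU_STACK (NX), PT_GNU_RELRO plus BIND_NOW (partial vs. full RELRO) and ET_DYN plus DT_DEBUG/DF_1_PIE (PIE vs. shared library), and exercises the checker on a few constructed, headers-only sample images built inline. The canary check is left out because it needs the symbol table (checksec looks for `__stack_chk_fail`), which this parser does not read; the `DT_DEBUG` rule for telling a PIE from a .so is checksec's heuristic and is an assumption here.

```python
"""Added example: report the ELF hardening properties checksec shows (NX, RELRO, PIE)
by parsing program headers and the dynamic section directly. ELF64 little-endian only.
Not code from the forum thread or from checksec."""
import struct
import sys

# ELF constants (ELF and GNU ABI specifications)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR_FMT, PHDR_FMT, DYN_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def program_headers(data):
    """Return (e_type, [phdr tuples]) for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    return e_type, [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
                    for i in range(e_phnum)]


def dynamic_tags(data, phdrs):
    """Map d_tag -> d_val from the PT_DYNAMIC segment (empty for static binaries)."""
    tags = {}
    for p_type, _flags, p_offset, _va, _pa, p_filesz, *_ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val
    return tags


def hardening(data):
    """checksec-style summary: {'nx', 'relro', 'pie', 'type'}."""
    e_type, phdrs = program_headers(data)
    tags = dynamic_tags(data, phdrs)
    # NX: PT_GNU_STACK flags tell the kernel whether the stack is executable.
    # A missing PT_GNU_STACK is reported as no NX, as checksec does.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)
    # RELRO: PT_GNU_RELRO is remapped read-only after relocation (partial); with
    # BIND_NOW every symbol resolves at load, so the GOT is covered as well (full).
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if not any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"
    # PIE: an ET_DYN executable. Shared libraries are ET_DYN too; ld emits DT_DEBUG
    # only for executables (checksec's heuristic, assumed here) and newer ld sets DF_1_PIE.
    if e_type == ET_DYN:
        is_exe = DT_DEBUG in tags or bool(tags.get(DT_FLAGS_1, 0) & DF_1_PIE)
        kind = "PIE" if is_exe else "DSO"
    else:
        kind = "EXEC" if e_type == ET_EXEC else "other"
    return {"nx": nx, "relro": relro, "pie": kind == "PIE", "type": kind}


def build_sample_elf(e_type, exec_stack, relro, bind_now, executable=True):
    """Constructed sample: a minimal headers-only ELF64 image (no code) for the checker."""
    dyn = [(DT_DEBUG, 0)] if executable else []
    if bind_now:
        dyn.append((DT_FLAGS_1, DF_1_NOW))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0x2000, 0x2000, 0x1000, 0x1000, 1))
    n = len(phdrs) + 1                      # plus the PT_DYNAMIC entry below
    dyn_off = 64 + 56 * n                   # dynamic section follows the headers
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0x3000, 0x3000,
                  len(dyn_bytes), len(dyn_bytes), 8))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack(EHDR_FMT, e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, n, 64, 0, 0))
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + dyn_bytes


def check_file(path):
    """Summary for an on-disk binary, or a running process via /proc/<pid>/exe."""
    with open(path, "rb") as f:
        return hardening(f.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:   # e.g. /usr/bin/pulseaudio /sbin/dhclient (assumed paths)
        print(path, check_file(path))
```

Pointing `check_file` at `/proc/<pid>/exe` for each running process gives the per-process view mentioned in the thread, but it inspects the executable only: a non-PIE helper library or a JIT that maps RWX pages would not show up here, and NX still depends on the kernel honouring PT_GNU_STACK (and on no `READ_IMPLIES_EXEC` personality being set).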
It's been talked about for a long long time. Pretty much everything starts off in PaX though and ends up mainline under another name (and often a faulty implementation...).
Windows ASLR has a big weakness in that VirtualAllocEx() is not randomized whereas all mmap() is randomized on Linux. In terms of entropy Windows would probably be ahead but if you use PaX/Grsecurity you can up the entropy and also enable some other features that prevent ASLR bruteforcing.
But only the randomized mmap is there by default.
Pretty sure other distros like Fedora have it enabled. Can't be sure/ haven't checked but after Spender showed that fun exploit a while back there was some buzz for a bit that probably spurred it.
It's been "talked about" for a long time. It would be nice if they actually had test builds out. I haven't been tracking the progress, for all I know they're working on it, but what I do know is that it's not mainline yet.