On 02/27/2011 08:03 AM, "Tóth Attila" wrote:
> On 27 February 2011 (Sun) at 13:54, Magnus Granberg wrote:
>> On Sunday 27 February 2011 10.11.58 Ryan Hill wrote:
>>> On Sun, 27 Feb 2011 09:20:57 +0100
>>> klondike <franxisco1988@×××××.com> wrote:
>>>> 2011/2/27 Ed W <lists@××××××××××.com>:
>>>>> On 26/02/2011 18:01, Magnus Granberg wrote:
>>>>>> If you have read the last meeting we will be removing the pic use flag
>>>>>> as default on in the hardened amd64 profile. We will start with the
>>>>>> changes when the new structure to the profiles has settled down.
>>>>>
>>>>> Hi, any chance of a bit of background on this change? i.e. the "why" and
>>>>> some of the implications?
>>
>> Most of the asm code is in libs and on amd64 it needs to be PIC friendly
>> from the start. We don't need to disable asm code. We do that most times
>> with the pic use flag on hardened profile.
>>
>> /Magnus
>
> I'm still running Hardened on x86. I'm thinking of the optimal time to
> switch to amd64. Is it better from the security point of view?
> I assume that it's easier to make amd64 asm code PIC-aware because of the
> higher number of available registers.
>
> Dw.

This is a loaded question. For many exploits it does not make a
difference if you are on 64 or 32 bits. For some it does.

An example of where it doesn't make a difference is a classic buffer
overflow.

An example of where it does is an attempt to defeat address space
randomization by brute force. 32-bit address space is only 4G which is
not impossibly large for success by brute force while 64-bits is about
10^19. A lot harder.

And then, to complicate matters, 64-bit with 32-bit compat opens up yet
another family of exploits, like the one Dan Rosenberg found a few
months back which abused the way 32-bit syscalls were treated by 64-bit
kernels with 32-bit compat.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
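
Added example, not part of the message above or of anyone's code in this thread: the cost of brute-forcing address space randomization is set by how many address bits actually change between runs, which can be estimated by comparing one mapping's base address across executions. This goes one step beyond the address-space sizes quoted in the message; the sample addresses and function names are constructed for illustration, and the cost formula assumes the layout stays fixed between attempts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bits that changed between runs: OR of every sample XORed with the first.
 * With few samples this is only a lower bound on the randomized bits. */
uint64_t varying_mask(const uint64_t *addrs, size_t n)
{
    uint64_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= addrs[0] ^ addrs[i];
    return mask;
}

/* Number of set bits in the mask, i.e. observed bits of entropy. */
int count_bits(uint64_t v)
{
    int c = 0;
    for (; v; v &= v - 1)
        c++;
    return c;
}

/* Mean number of guesses to hit one of 2^bits equally likely layouts when
 * the layout does not change between attempts: (2^bits + 1) / 2. */
double expected_guesses(int bits)
{
    double n = 1.0;
    for (int i = 0; i < bits; i++)
        n *= 2.0;
    return (n + 1.0) / 2.0;
}

/* Constructed base addresses of one mapping over four runs (not measured). */
static const uint64_t SAMPLES_32[] = {
    0xb7d4a000ULL, 0xb7e21000ULL, 0xb75f3000ULL, 0xb7709000ULL };
static const uint64_t SAMPLES_64[] = {
    0x7f3a1c2d4000ULL, 0x7f91e07b9000ULL, 0x7fc4563f2000ULL, 0x7f08ab915000ULL };

int main(void)
{
    int b32 = count_bits(varying_mask(SAMPLES_32, 4));
    int b64 = count_bits(varying_mask(SAMPLES_64, 4));
    printf("32-bit samples: >= %d bits, ~%.0f guesses\n", b32, expected_guesses(b32));
    printf("64-bit samples: >= %d bits, ~%.0f guesses\n", b64, expected_guesses(b64));
    return 0;
}
```

Feeding it addresses collected from a real system (for example, one mapping's base from repeated runs of the same binary) shows how much randomization that platform provides in practice.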