On 7/2/15 9:12 AM, Hanno Böck wrote:
> Hi,
>
>
> Such a system could also be interesting as a high security linux
> variant not vulnerable to common buffer overflows and other memory
> errors. It is slower, but that may be acceptable. (However it should be
> said that right now asan is incompatible with grsecurity - and probably
> people who want a high secure linux variant want grsecurity.)
|
It's actually PaX that is incompatible with -fsanitize=address because of
the shadowing of the address space, so you can still use grsec and the
other protections it provides like hardening of chroots or rbac. Just
turn off PaX when configuring the kernel. (Note: pax should be okay with
-fsanitize=thread but I haven't tested). I think this is a cool
project, but I'm more interested in asan's debugging abilities than a
run time tool to stop memory abuses. I like pax's approach where the
*kernel* simply doesn't allow certain memory uses, e.g., pages are
allocated either read+write or read+execute but never write+execute.

I'd like to play with an amd64 stage3 and see how asan gets along
with the hardened toolchain and hardened kernel.
|
>
> For now I just wanted to announce that I'm working on this, so people
> who care can get in touch with me. I'll probably write a detailed blog
> post at some point.
> Depending on how much interest there is this may be something Gentoo
> wants to consider as an official project and publish official stage
> tarballs.
>
> cu, Hanno

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA |
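
Added example, not part of the original message: a small C audit for the "never write+execute" property mentioned in the reply. It parses text in the `/proc/<pid>/maps` format and counts mappings that are both writable and executable; under the policy the message describes, that count would be zero. The function name `count_wx_mappings` and the sample maps text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format, not from a real process. */
static const char SAMPLE_MAPS[] =
    "00400000-0040b000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "0060b000-0060c000 rw-p 0000b000 08:01 1234 /usr/bin/example\n"
    "7f0000000000-7f0000001000 rwxp 00000000 00:00 0\n"
    "7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]\n";

/* Count mappings whose permission field has both 'w' and 'x' set.
 * Returns -1 if a non-empty line does not parse as a maps entry. */
int count_wx_mappings(const char *maps_text)
{
    int count = 0;
    const char *line = maps_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        unsigned long long start, end;
        char perms[5];
        if (len > 0) {
            if (len >= sizeof(buf))
                len = sizeof(buf) - 1;  /* only the leading fields matter */
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* Entry layout: start-end perms offset dev inode [path] */
            if (sscanf(buf, "%llx-%llx %4s", &start, &end, perms) != 3)
                return -1;
            if (strlen(perms) == 4 && perms[1] == 'w' && perms[2] == 'x')
                count++;
        }
        line += eol ? (size_t)(eol - line) + 1 : strlen(line);
    }
    return count;
}

int main(void)
{
    static char text[1 << 20];
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(text, 1, sizeof(text) - 1, f) : 0;
    if (f) fclose(f);
    text[n] = '\0';
    printf("sample: %d W+X mapping(s)\n", count_wx_mappings(SAMPLE_MAPS));
    printf("self:   %d W+X mapping(s)\n", count_wx_mappings(text));
    return 0;
}
```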