| 1 |
On 7/2/15 9:12 AM, Hanno Böck wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> |
| 5 |
> Such a system could also be interesting as a high security linux |
| 6 |
> variant not vulnerable to common buffer overflows and other memory |
| 7 |
> errors. It is slower, but that may be acceptable. (However it should be |
| 8 |
> said that right now asan is incompatible with grsecurity - and probably |
| 9 |
> people who want a high secure linux variant want grsecurity.) |
| 10 |
|
| 11 |
Its actually PaX that is incompatible with -fsanitize=address because of |
| 12 |
the shadowing of the address space, so you can still use grsec and the |
| 13 |
other protections it provides like hardneing of chroots or rbac. Just |
| 14 |
turn off PaX when configuring the kernel. (Note: pax should be okay with |
| 15 |
-fsanitize=thread but I haven't tested). I think this is a cool |
| 16 |
project, but I'm more interested in asan's debugging abilities than a |
| 17 |
run time tool to stop memory abuses. I like pax's approach where the |
| 18 |
*kernel* simply doesn't allow certain memory uses, eg, pages are |
| 19 |
allocated either read+write or read+execute but never write+execute. |
| 20 |
|
| 21 |
I'd like to play with an amd64 stage3 and see how it asan gets along |
| 22 |
with the hardened toolchain and hardened kernel. |
| 23 |
|
| 24 |
> |
| 25 |
> For now I just wanted to announce that I'm working on this, so people |
| 26 |
> who care can get in touch with me. I'll probably write a detailed blog |
| 27 |
> post at some point. |
| 28 |
> Depending on how much interest there is this may be something Gentoo |
| 29 |
> wants to consider as an official project and publish official stage |
| 30 |
> tarballs. |
| 31 |
> |
| 32 |
> cu, Hanno |
| 33 |
|
| 34 |
|
| 35 |
-- |
| 36 |
Anthony G. Basile, Ph.D. |
| 37 |
Gentoo Linux Developer [Hardened] |
| 38 |
E-Mail : blueness@g.o |
| 39 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 40 |
GnuPG ID : F52D4BBA |
Archives