On 21 Nov 2007 at 12:49, Brian Kroth wrote:

> Still sifting through the docs, so I apologize if these are answered elsewhere.
>
> - In the docs for ASLR it notes that a side effect is memory space
> fragmentation. How is this dealt with, if at all? Perhaps this isn't as big
> a problem as I think it is.

uhm, what is there to deal with? ;-) you either want randomization or
you don't... the side effect is what the doc says, the unmapped region
sizes between the main areas are not fixed but change, i.e., they can
be bigger or smaller than what a non-ASLR kernel creates. whether that
helps a given app or not depends on the app of course.

> - In the pspax output, under MAPS, is w^x meant to indicate that the process has
> writable AND executable maps, or that it has writable but NOT executable maps?

it means the app doesn't have writable AND executable mappings.

> I presume the other output, w|x, (which I don't seem to have any of) is an OR,
> meaning the process has maps that have both bits set, correct?

correct (you can 'grep rwx /proc/pid/maps' to see them).

> and ASLR would use RANDEXEC on ET_EXEC binaries,

RANDEXEC (when it existed) was never enabled by default.

> rather than RANDMMAP, but everything else should still work - correct?

the only difference is that ET_EXEC executables won't be randomized.

> Will the other two memory areas still be randomized where applicable?

yes, RANDEXEC was an independent feature within ASLR. in fact, not only
the stack/mmap regions will continue to be randomized but the brk based
heap as well (albeit with less entropy by virtue of lacking the random
bits that would come from the main executable base).

> Do I need to just add RANDEXEC manually to my .config or is there some
> special combo that hides it?

no, i removed it from PaX some time ago as it became too hard to maintain
in 2.6 for little if any gain.

--
gentoo-hardened@g.o mailing list
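
The w^x / w|x distinction discussed in the message above, as an added example that is not part of the original thread and is not pspax's own code: it parses `/proc/<pid>/maps` text and reports mappings that are both writable and executable. The function names and the sample maps lines are constructed for illustration.

```python
import re

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) "
    r"[0-9a-f]+ \S+ \d+\s*(.*)$"
)

# Constructed sample input, not captured from a real process.
SAMPLE_CLEAN = """\
08048000-08052000 r-xp 00000000 08:01 1234 /usr/bin/example
08052000-08053000 rw-p 0000a000 08:01 1234 /usr/bin/example
bff00000-bff21000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_WX = SAMPLE_CLEAN + """\
b7e00000-b7e01000 rwxp 00000000 00:00 0
b7e10000-b7e12000 -wxp 00000000 00:00 0
"""


def wx_mappings(maps_text):
    """Return (start, end, perms, path) for each writable AND executable mapping."""
    found = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        start, end, perms, path = m.groups()
        # Test the w and x bits directly; 'grep rwx' would miss a '-wx' mapping.
        if perms[1] == "w" and perms[2] == "x":
            found.append((int(start, 16), int(end, 16), perms, path or "[anon]"))
    return found


def maps_flag(maps_text):
    """Label in the sense the thread gives to the MAPS column (hypothetical helper)."""
    return "w|x" if wx_mappings(maps_text) else "w^x"


def check_pid(pid):
    """Classify a live process; needs permission to read its maps file."""
    with open(f"/proc/{pid}/maps") as fh:
        return maps_flag(fh.read())


if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("wx", SAMPLE_WX)):
        print(name, maps_flag(text), wx_mappings(text))
```

`check_pid` applies the same classification to a running process on a Linux host.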