1 |
On April 19, 2004 09:16 pm, Ned Ludd wrote: |
2 |
> On Mon, 2004-04-19 at 17:55, Robert Connolly wrote: |
3 |
>>... |
4 |
> Could you test the following attachment (guard-test) a few times and |
5 |
> post the results? Mainly I'd like to verify that your __guard is infact |
6 |
> working as expected. (It should SEGFAULT or SIGABRT) |
7 |
|
8 |
./guard-test |
9 |
main = 0x800009d4; |
10 |
__guard = 0x4012aba0; |
11 |
__stack_smash_handler = 0x4002de50; |
12 |
__guard = 0x4012aba0; |
13 |
__stack_smash_handler = 0x4002de50; |
14 |
guard-test: stack smashing attack in function mainAborted |
15 |
|
16 |
> I took a quick look at the (glibc) code and it appears as if you drooped |
17 |
> support completely for /dec/urandom I'm not sure if that's a good idea |
18 |
> because if a user decides not to use frandom then she will end up with |
19 |
> the default canary only which would weaken the entire model.. |
20 |
|
21 |
That doable. But sysctl random_uuid could also be used as a second fallback. / |
22 |
dev/{e,f}random third, urandom fourth... I just used sysctl erandom so not to |
23 |
make it too complicated for now. |
24 |
|
25 |
> Also can this be enabled in the kernel as non LKM? |
26 |
> As handy as modules are they are a security risk and should be avoided |
27 |
> at all costs. |
28 |
|
29 |
As in built in? yes. The sysctl support will not work as a module. |
30 |
|
31 |
|
32 |
-- |
33 |
gentoo-hardened@g.o mailing list |