| 1 |
27.01.2012 21:26, Alex Efros wrote: |
| 2 |
|
| 3 |
> As for me, spending ~1% performance for ~all hardened is good trade off, |
| 4 |
> but spending 4% more for protection against leaking information in freed |
| 5 |
> memory is too much for workstation (and for most servers too), so I |
| 6 |
> recommend to change workstation security level to not enable |
| 7 |
> CONFIG_PAX_MEMORY_SANITIZE by default. |
| 8 |
|
| 9 |
Isn't sacrificing 4% of performance to prevent attackers from circumventing |
| 10 |
all the other measures like KERNEXEC and UDEREF with an arbitrary write and |
| 11 |
a kernel memory leak a fair deal? I think it is, often than not. |
| 12 |
|
| 13 |
If you need some profiles to favour small performance gains over more secure |
| 14 |
defaults, then maybe you should propose additional profiles to accomplish |
| 15 |
exactly that, and clearly state that 4% gain in the config help. |
Archives