1 |
27.01.2012 21:26, Alex Efros wrote: |
2 |
|
3 |
> As for me, spending ~1% performance for ~all hardened is good trade off, |
4 |
> but spending 4% more for protection against leaking information in freed |
5 |
> memory is too much for workstation (and for most servers too), so I |
6 |
> recommend to change workstation security level to not enable |
7 |
> CONFIG_PAX_MEMORY_SANITIZE by default. |
8 |
|
9 |
Isn't sacrificing 4% of performance to prevent attackers from circumventing |
10 |
all the other measures like KERNEXEC and UDEREF with an arbitrary write and |
11 |
a kernel memory leak a fair deal? I think it is, often than not. |
12 |
|
13 |
If you need some profiles to favour small performance gains over more secure |
14 |
defaults, then maybe you should propose additional profiles to accomplish |
15 |
exactly that, and clearly state that 4% gain in the config help. |