On Thu, Sep 09, 2010 at 10:30:57AM -0400, Gregory Maxwell wrote:
> On Thu, Sep 9, 2010 at 9:45 AM, Neal Becker <ndbecker2@xxxxxxxxx> wrote:
> > This article:
> >
> > http://labs.mwrinfosecurity.com/notices/security_mechanisms_in_linux_environment__part_1___userspace_memory_protection/
> >
> > seems to say that fedora is ranking poorly in deployment of various
> > userspace memory protection mechanisms. Is this information accurate?
>
> I asked about one point of this on LWN:
>
> Library randomization / prelink
> Posted Sep 8, 2010 18:26 UTC (Wed) by gmaxwell (subscriber, #30048)
>
> Anyone know how the library randomization is being counted? 3 bits for
> fedora doesn't sound right. Is the 3 bits the value for a system vs
> itself or for this system vs all other systems?
>
> "a note here: fedora uses exec-shield which maps libraries in two different
> regions: ascii-armor (lower 16MB) and the rest. i think what paxtest
> measured there is the former where the usable entropy is necessarily
> less than elsewhere and may not be representative of real life apps
> and their address spaces (not saying the whole ascii-armor region is
> worth anything for security though ;)"

This article was brought up on fedora-kernel-list last week.

In my tests, I've not been able to reproduce the '3 bits' result.
On current kernels, I see 12 bits for 32-bit, and 'no randomisation' for 64-bit.

I'm not entirely sure yet why we're showing different results on some of the
other tests to other distros too. I'll poke at it some more tomorrow.

Dave

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
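The thread turns on how "bits of library randomisation" gets counted and on which mapping the tool happens to sample. The script below is an added example, written for this page; it is not code from the thread, from Fedora, or from paxtest. It spawns fresh interpreters, reads each child's /proc/self/maps (so it assumes Linux), takes the start address of the first mapping whose path contains a chosen substring (defaulting to "libc"), and reports how many bit positions differ across the samples. It generalises slightly beyond the thread in that the same counter works for any mapping you name, which is exactly the knob the quoted note is worried about: sampling a library in a low, constrained region gives a smaller number than sampling one elsewhere. All helper names are this example's own.

```python
"""Count how many address bits a shared library's load address varies across runs.

Added example, not part of the mailing-list thread and not paxtest's code.
Assumes Linux (/proc/<pid>/maps); the mapping substring and helper names
are this example's own choices.
"""
import re
import subprocess
import sys
from typing import List, Optional

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample of a maps file, used for the offline self-check only.
CONSTRUCTED_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234  /usr/bin/python3
7f1a2c000000-7f1a2c1c0000 r-xp 00000000 08:01 5678  /usr/lib64/libc.so.6
7ffd3a000000-7ffd3a021000 rw-p 00000000 00:00 0  [stack]
"""


def library_base(maps_text: str, needle: str) -> Optional[int]:
    """Start address of the first mapping whose path contains `needle`, or None."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and needle in m.group(3):
            return int(m.group(1), 16)
    return None


def varying_bits(addresses: List[int]) -> int:
    """Number of bit positions that take more than one value across the samples.

    XOR every sample against the first, OR the results together, and count the
    set bits. A bit that never changes contributes nothing, so with few samples
    the count is a lower bound on the randomisation actually present.
    """
    if len(addresses) < 2:
        return 0
    first = addresses[0]
    diff = 0
    for addr in addresses[1:]:
        diff |= addr ^ first
    return bin(diff).count("1")


def sample_library_base(needle: str = "libc", runs: int = 32) -> List[int]:
    """Spawn `runs` child interpreters and collect the base of `needle` in each.

    Each child is a new process, so the kernel picks a new layout every time;
    reading the child's own maps avoids any ptrace/permission requirements.
    """
    child = "import sys; sys.stdout.write(open('/proc/self/maps').read())"
    bases = []
    for _ in range(runs):
        maps = subprocess.run(
            [sys.executable, "-c", child],
            capture_output=True, text=True, check=True,
        ).stdout
        base = library_base(maps, needle)
        if base is not None:
            bases.append(base)
    return bases


if __name__ == "__main__":
    needle = sys.argv[1] if len(sys.argv) > 1 else "libc"
    bases = sample_library_base(needle)
    if not bases:
        sys.exit(f"no mapping containing {needle!r} found in child processes")
    print(f"{needle}: {len(bases)} samples, "
          f"{varying_bits(bases)} varying address bits "
          f"(lowest base {min(bases):#x}, highest {max(bases):#x})")
```

Run it with no arguments to measure the first libc mapping, or pass another substring (for example the name of a library you suspect is placed differently) to compare. Two cautions follow from the thread: a single library mapping need not represent the process as a whole, and a result of zero varying bits only says that the chosen mapping did not move in the sampled runs, not that nothing in the address space does.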