Re: Expanding the list of "Hardened Packages"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 12.04.2013 13:44, schrieb Josh Bressers:
> On Thu, Apr 11, 2013 at 12:54 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>
>> which is exactly the goal ASLR is desigend for
>>
> 
> It's designed to make certain types of attacks more difficult. It
> doesn't make them impossible, just much harder.
> 
> Here is an example.
> 
> When you write a security exploit, you generally have to do things
> like call into system libraries to do useful things. Generally you
> have a limited amount of room for your exploit's "payload", so the
> idea is to just leverage what the system can already do. Calling
> system() would be an example of this. Now long ago, before things like
> ASLR, if you had access to the binary you wanted to attack, you could
> inspect the binary to see what the address of system() was. It didn't
> change between runs of the binary, so I could hard code that address
> into my exploit. With ASLR, every time you run the binary the address
> of various system calls is now basically random (it's not exactly, but
> that's an exercise for the reader to figure out). If your payload
> needs to call system(), you need a way to figure out what that address
> is before you can use it, the added step should make it more difficult
> to exploit a problem. The technology isn't fool proof of course, but
> that's a topic for another day.

that is nothing new

that is the reason why any application which get input data
from the internet has to use ASLR and anything which makes
ASLR less effective has to be considered a bug

yes there is performance AND security
but in these days security first

there are so many pieces of software written these days with
no care about performance and mostly security is not the reason
for most developers wasting ressources that there is no excuse

fix the really performance bugs in code but not compensate the
overall situation with prelink and lesser security at all

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux