Re: Expanding the list of "Hardened Packages"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Richard W.M. Jones wrote:
> (1) -fstack-protector{,-all} doesn't implement full bounds checking
> for every C object.

But it prevents (with probability (256^n-1)/256^n, where n is the size of 
the canary in bytes, which for n=4 is approximately .99999999976717) 
exploiting the overflows to change the return address of any C function.

> (2) SELinux controls what labelled resources a process can access.
> This covers far more than buffer overflows in C programs.  It covers
> other programming languages, design flaws and implementation 'thinko's
> of all sorts.  I would argue (separate from this) that it's good to
> define precisely what resources a program can access, rather than the
> default "access just about everything".

And I would argue that this amounts to second-guessing/duplicating what the 
program tries to do in an unmaintainable morass of rules, which even for the 
targeted policy (which is not even close to covering all programs in Fedora 
other than as "unconfined") keeps having bugs which need to be fixed every 
day, even after YEARS of debugging. SELinux just does not scale, it's a 
centralized database which needs to essentially contain a variant of every 
program's source code, rewritten in a rule language only few people actually 
comprehend.

Instead of duplicating the information already contained in the program's 
source code, the right approach is to ensure the program does not do 
anything that is NOT part of its source code, which means blocking arbitrary 
code execution exploits!

        Kevin Kofler

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux