Re: Non executable mappings and compatibility options bugs

From: Bill Studenmund (wrstudennetbsd.org)
Date: Tue Jun 22 2004 - 20:17:02 CDT


On Tue, Jun 22, 2004 at 05:23:18PM -0700, Erik E. Fair wrote:
> Since software from our own source tree is unaffected (or has been
> cleaned up already), it seems to me that the explicit enforcement of
> execution permissions needs to be a per-emulation flag, and that in
> our kernel configurations, those emulations that require the
> enforcement off should themselves be commented out by default with a
> clear notation of the security threat that they pose. We can change
> each emulation's flag and "commented out" status when they clean up
> their acts (presuming they ever will; emulations of EOL'd operating
> systems will just have to endure whatever state they turn out to be
> in).

I agree, except I think a better default would be to leave the emulation
in and on. We will be leaving the emulation exactly like it was in 1.6. We
then note that non-exec stacks are a feature of NetBSD, not necessarily
the OS we emulate. I do like the idea of a sysctl, so that we can easily
turn this behavior on and off.

Maybe I'm unique, but I've always considered if you're running an emulated
program, you are not necessarily getting all the security and features of
current NetBSD programs.

> This keeps us "default secure" which I presume is still our project
> policy. People will grumble, I'm sure, but better that than to end up
> singing "mea culpa" when systems running NetBSD get compromised in
> the field.

Our project policy, when it comes to emulations, actually has been (to the
extent we have a policy) to do what the emulated OS does. I'm thinking
about ip6.v6only as a specific example. To be honest, now that I
understand Itojun's comments about v6only, I think it's a bigger security
concern than non-exec stacks.

As a total aside, I've been informed that current Linux (Fedora Core 1)
has non-exec stack support. For Linux, the compiler will figure out if it
needs an executable stack or not, and will indicate in the final program
if the stack should be exec'able or not. And there's a knob to turn exec
stacks off for the whole OS.

Take care,

Bill

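Added example, not part of the thread or of any NetBSD or Linux source: the per-program marking Bill mentions is recorded by the GNU toolchain as a PT_GNU_STACK program header whose PF_X bit says whether the stack must be executable, so a defender can audit a set of binaries for it before deciding how a system-wide non-exec-stack knob will affect them. The ELF64 images below are constructed inline so the script runs offline; the function and constant names are my own.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program-header type the GNU toolchain uses for the stack request
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def build_elf64(stack_flags=None):
    """Construct a minimal little-endian x86-64 ELF image (constructed sample, not a
    real program). stack_flags=None omits PT_GNU_STACK, as old toolchains did."""
    phnum = 1 if stack_flags is None else 2
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)          # ELF64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000,
                               64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", 1, PF_R | PF_X, 0, 0x400000, 0x400000, 0, 0, 0x1000)
    if stack_flags is not None:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdrs

def stack_policy(elf):
    """Return 'exec', 'noexec' or 'unmarked' from the PT_GNU_STACK header of an ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"                             # EI_DATA selects byte order
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "unmarked"   # no header at all: the loader falls back to its per-architecture default

def audit(images):
    """images: name -> ELF bytes. Returns the names that do not request a non-executable stack,
    i.e. the programs a system-wide non-exec-stack setting would have to special-case."""
    return sorted(name for name, data in images.items() if stack_policy(data) != "noexec")

if __name__ == "__main__":
    sample = {                                                    # constructed inputs
        "clean": build_elf64(PF_R | PF_W),
        "needs-exec-stack": build_elf64(PF_R | PF_W | PF_X),
        "legacy": build_elf64(None),
    }
    for name in audit(sample):
        print(f"{name}: {stack_policy(sample[name])}")
```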