Re: Non executable mappings and compatibility options bugs

From: Andrew Brown (atatatatatdot.net)
Date: Wed Jun 23 2004 - 10:18:22 CDT


On Wed, Jun 23, 2004 at 11:45:43AM +0200, Manuel Bouyer wrote:
>On Tue, Jun 22, 2004 at 05:23:18PM -0700, Erik E. Fair wrote:
>> Sometimes it's not even a matter of security - I remember all the
>> screaming when dereferencing address zero stopped working on newer UNIX
>> systems of the day, and that broke a whole lot of (badly written)
>> software. Incremental improvements in practice are still a good thing.
>>
>> Since software from our own source tree is unaffected (or has been
>> cleaned up already), it seems to me that the explicit enforcement of
>> execution permissions needs to be a per-emulation flag, and that in
>> our kernel configurations, those emulations that require the
>> enforcement off should themselves be commented out by default with a
>> clear notation of the security threat that they pose. We can change
>> each emulation's flag and "commented out" status when they clean up
>> their acts (presuming they ever will; emulations of EOL'd operating
>> systems will just have to endure whatever state they turn out to be
>> in).
>
>I don't think having the emulations commented out by default is a big deal,
>as we also provide LKMs, and there is LKM support in the GENERIC kernels.
>We'd just have to add to the release notes that emulation support now is not
>enabled by default, and you have to uncomment them in /etc/lkm.conf to use
>them (along with the security warnings about non-exec stack).

oh, and don't forget to add something that tells the user they need to
rebuild all the lkms if they build their own kernel with any of:

        DIAGNOSTIC
        DEBUG
        LOCKDEBUG
        MULTIPROCESSOR
        MALLOCLOG

--
|-----< "CODE WARRIOR" >-----|
codewarriordaemon.org * "ah! i see you have the internet
twofsonetgraffiti.com (Andrew Brown) that goes *ping*!"
werdnasquooshy.com * "information is power -- share the wealth."