Re: thoughts on kernel security issues

[John Richard Moser]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Arjan van de Ven wrote:
>>I respect you as a kernel developer as long as you're doing preemption
>>and schedulers; but I honestly think PaX is the better technology, and I
>>think it's important that the best security technology be in place.  
> 
> 
> the difference is not that big and only in tradeoffs. eg pax trades
> virtual address space against protecting a rare occurance (eg where exec
> shield wouldn't work because of a high executable mapping. That really
> doesn't happen in normal programs)
> 

PAGEEXEC uses the same method as Exec Shield, but falls back to kernel
assisted MMU walking when that fails.  This does not split the address
space in half.  Stop pretending SEGMEXEC is the only emulation PaX has.

PaX also allows more finegrained administrative control.

> 
>>On a final note, isn't PaX the only technology trying to apply NX
>>protections to kernel space? 
> 
> 
> Exec Shield does that too but only if your CPU has hardware assist for
> NX (which all current AMD and most current intel cpus do).
> 

Uh, ok.  You've read the code right?  *would rather hear from Ingo*

> 
> 

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB7rkfhDd4aOud5P8RAmvXAKCMADZGBVZx9UVRTfmVCoSBY9ODrgCfVK5s
djLbjG/KmLx8QotWNAqr6Mc=
=Tcjc
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/