Date:      Tue, 15 Nov 2011 17:57:56 +0100
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        Oliver Pinter <oliver.pntr@gmail.com>
Cc:        Kostik Belousov <kostikbel@gmail.com>, Garrett Cooper <yanegomi@gmail.com>, current@freebsd.org, Arnaud Lacombe <lacombar@gmail.com>
Subject:   Re: [RFC] Enable nxstack by default
Message-ID:  <20111115165756.GA11894@felucia.tataz.chchile.org>
In-Reply-To: <CAPjTQNFiqq9TEzTs812f7nVVY-74bMgvL9ujT-qXkMKnhux+tA@mail.gmail.com>
References:  <CAPjTQNFCT5LBKwVQFf9FHk4aTzrJ243j2uN1nPmMeFp=cTdMUA@mail.gmail.com> <20111018090750.GG50300@deviant.kiev.zoral.com.ua> <CACqU3MWftO=FG4GbnKCFjTcKg1narJWuYnCwv-Mcu=WGriScwA@mail.gmail.com> <alpine.BSF.2.00.1110180838200.38610@toaster.local> <CACqU3MWOXTMfu0LySukcwAz=NGSzyN=ettiY0fQj3Ehp5MONug@mail.gmail.com> <CAPjTQNE5-kGJ+D2c3Z2y-e_h95i5VY0Yc=C26BJ_Oq0n2DNz6A@mail.gmail.com> <CACqU3MXm1P1P2FBMCKhYOC+eCn_3QyQmd98b+_Kiq98usuqiPA@mail.gmail.com> <20111018183219.GN50300@deviant.kiev.zoral.com.ua> <CACqU3MXNpmhwUM-incmeU_vUXZOKaZ=sZmGmUX5WCmdz6kfE7A@mail.gmail.com> <CAPjTQNFiqq9TEzTs812f7nVVY-74bMgvL9ujT-qXkMKnhux+tA@mail.gmail.com>

Hi,

On Wed, Oct 19, 2011 at 12:37:44AM +0200, Oliver Pinter wrote:
> In NetBSD some PaX features [0] have been implemented (ASLR, W^X
> (~nxstack), mprotect restriction, veriexec, mmap randomization [2], ...).
> 
> [0] http://pax.grsecurity.net/docs/index.html
> [1] http://www.netbsd.org/~elad/recent/man/security.8.html
> [2] http://people.freebsd.org/~ssouhlal/testing/stackgap-20050527.diff

Suleiman actually wrote two patches, one randomizing the stack (the
one you pointed out) and another one randomizing non-fixed mmap(2)
calls:

http://people.freebsd.org/~ssouhlal/testing/mmap_random-20050528.diff


FYI, they do not apply cleanly on recent source trees (the patches were
made in 2005), but they can be applied with little fiddling.  I'm
running multiple 8.x production machines with them without any problem.

I've always wanted them to be committed as opt-in knobs, but I can't
remember why they hadn't at the time.

Cheers,
-- 
Jeremie Le Hen

Men are born free and equal.  Later on, they're on their own.
				Jean Yanne



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111115165756.GA11894>