Re: Hacks



On 28 Feb 2007, Tim S. stated:

Nix wrote:

On 28 Feb 2007, Tim said:
John Phillips wrote:

Most probably from an unpatched
flaw.

In the past I have tried using kernel hardening (grsecurity patches) to
mitigate against this. Basically, tricks like stack, so-lib and malloc
address randomisation and no-execute heap and stack - but such tricks ar
eprone to breaking applications.

Why is your firewall running such incredibly fragile apps anyway?
(`I only have one machine' is no excuse in this age of virtualization:
I've been running my firewall in UML for many years now...)

Who said my firewall was running such fragile apps?

You said that the tricks are `prone to breaking applications'. There
aren't very many they break; some Lisp interpreters need patching, it
breaks some old Java interpreters, and that's about all I can recall.

Incidently, the "fragile apps" were XFree86 and java, neither of which are
on my current firewall,

Ah, good! :)

(and yes, XFree86 and X.org before the pci-rework branch will require
access to /dev/mem, which grsecurity understandably wants you to turn
off...)

--
`In the future, company names will be a 32-character hex string.'
--- Bruce Schneier on the shortage of company names
.