On Mon, 2002-09-16 at 15:29, Ben Reser wrote:
> On Mon, Sep 16, 2002 at 02:17:50PM -0500, Steve Bergman wrote:
> > So, am I just not seeing the negative side to this?  Immunix apparently
> > does not have enough name recognition and influence to make it happen. 
> > But Mandrake does.  After seeing exploit after exploit list RedHat,
> > SuSE, Debian, etc. as having a root vulnerability but with Mandrake as
> > just a DOS, I'm sure all the other distros would follow suit.
> 
> Performance and it's bound to cause some programs not to build right
> causing people problems who want to build programs from tarballs.

I started to write that the performance impact is trivial.  However,
reviewing the info on the Immunix site (which I admittedly haven't done
in a while) I find that, depending on the nature of the app, the
performance impact can be significant.  

FormatGuard does require some (small percentage of) programs to be
modified to compile.  StackGuard does not seem to have this problem,
except with (surprise!) the Linux kernel. (And yes, that is a pain.)



> 
> But no, there aren't a whole lot of issues with doing this from what I've
> seen.
> 
> However it is no guarantee to prevent successful attacks.  I seem to
> recall that there have been some ways to get around it in the past.
> They get fixed but then you have to recompile all the apps to take
> advantage of it.

I know of one instance of this in (I believe) StackGuard 1.20.

> 
> Think of it as a band-aid.  Sooner or later the band-aid won't stick any
> more.
> 

Good example.  Band-Aids are not a miracle cure.  However, they are
still a very good idea. ;-)

-Steve

