On Sun, 11 Mar 2012 23:01:49 -0700 Jonas Sicking wrote: > A natural way that > > this occurs is that you have separate "read" and "write" permissions, and > > then you create a new action that involves both read and write actions. > > So far I don't think we've run into this need. I'd be curious to know > where Android did.
This is a widely used and quite effective security mechanism that web technologies are trouncing on. Quite rediculous as web tech should have a requirement to be more secure. OpenBSD have been using W^X for years, now intel have NX bit cpus speeding grsecurity's equivelent up in hardware requiring a PAE kernel on linux reducing your potential available memory to 2GB I think, so not used much, I do. Android is basically a JAVA machine. Incidentally JAVA is touted as some secure cross platform service. In fact, it is seen as completely insecure in security circles. I'm sure the Google devs know this but it brings a legacy of code and apps that helps make Android a success. Firefox won't even run without Just In Time executions (readable and writeable memory locations) on a gresecurity enabled kernel which kills this behaviour. Most browsing sessions don't require this either. It's quite silly really as it said to be easily worked around by app developers if coders understood the problem (like PIE). JIT code (like flash) may be killed by a Grsec kernel on Opera but atleast the browser still runs. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security