Evan: Thanks for getting back to us.
I am curious, and I am asking the list; what are the plans for including either PAX or ExecShield in the kernel? Also, what is the status of using the NX bit in a 32 Bit environment. What little I see on Google, I notice that Linux seems to have 64 Bit X86 working with the NX bit, but there are some issues with the 32 Bit X86 processors' use of the NX bit. Where is Ubuntu currently on using the NX bit, if if it is not being used currently, what are the plans? Thanks Mark Allyn -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evan Klitzke Sent: Monday, July 30, 2007 9:46 AM To: Ng, Cheon-woei Cc: ubuntu-server@lists.ubuntu.com Subject: Re: About Ubuntu security On 7/30/07, Ng, Cheon-woei <[EMAIL PROTECTED]> wrote: > Hello, > > This is the first time I post a question. If it is not the correct > place to place the questions, can you please re-direct me to the correct > place? > > It is my understanding that user space buffer overflow exploits (like > SUID, return-to-libc, etc) are basically impossible under Feisty Fawn or > Gutsy because of implementation of security measures like Address Space > Layout Randomization, Stack Guard, and AppArmor (in Gutsy). > > Questions: > 1. Is my assumption correct? > 2. Are there any other security measures that I did not mention and I > should know of? > 3. Is there a link repository where I could find all details of the > security features included in Feisty Fawn or Gutsy? For example, I am > looking for a dedicated place in Ubuntu.com where I could find answers > for questions like these: > a. Is the Address Space Layout Randomization based on PaX? > b. When was this security measure included in Ubuntu? > c. How many bits are randomized? > d. Is function table randomized? > e. Is Stack Guard part of all applications included in Feisty > Fawn? > > Thanks! > > Sincerely, > Cheon-Woei Ng I'm not in any way affiliated with Ubuntu, so I can't answer your questions for sure, but AFAIK the only protections currently in place along the lines of what you mentioned are using SSP by default. This was implemented for Edgy. You can read more about it at this launchpad page: https://blueprints.launchpad.net/ubuntu/+spec/gcc-ssp . I'm not 100% certain, but I don't think that PaX are related technologies are compiled into the kernel. You can easily check exactly what is compiled into your kernel though by grepping through /boot/config-your-kernel-version. -- Evan Klitzke <[EMAIL PROTECTED]> -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server