Mark, Currently, the plan is to include AppArmor in the Gutsy release. No decision has been made as to any other security architecture.
NX support for 32 bit requires the HIGHMEM64 option to be enabled in the kernel. Unfortunately, this makes some 32 bit processors fail to boot. I think it is worth discussing enabling it, as most of the processors that fail are either very old or laptop centric. This list is an excellent place to give an opinion, though. I personally like PaX, especially its ability to simulate NX, on unsupported hardware. This would allow us to get around the 32 bit problem. Rick On Mon, 2007-07-30 at 13:40 -0700, Allyn, Mark A wrote: > Evan: > > Thanks for getting back to us. > > I am curious, and I am asking the list; what are the plans for including > either PAX or ExecShield in the kernel? Also, what is the status of > using the NX bit in a 32 Bit environment. > > What little I see on Google, I notice that Linux seems to have 64 Bit > X86 working with the NX bit, but there are some issues with the 32 Bit > X86 processors' use of the NX bit. > > Where is Ubuntu currently on using the NX bit, if if it is not being > used currently, what are the plans? > > Thanks > > Mark Allyn > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Evan > Klitzke > Sent: Monday, July 30, 2007 9:46 AM > To: Ng, Cheon-woei > Cc: ubuntu-server@lists.ubuntu.com > Subject: Re: About Ubuntu security > > On 7/30/07, Ng, Cheon-woei <[EMAIL PROTECTED]> wrote: > > Hello, > > > > This is the first time I post a question. If it is not the correct > > place to place the questions, can you please re-direct me to the > correct > > place? > > > > It is my understanding that user space buffer overflow exploits (like > > SUID, return-to-libc, etc) are basically impossible under Feisty Fawn > or > > Gutsy because of implementation of security measures like Address > Space > > Layout Randomization, Stack Guard, and AppArmor (in Gutsy). > > > > Questions: > > 1. Is my assumption correct? > > 2. Are there any other security measures that I did not mention and I > > should know of? > > 3. Is there a link repository where I could find all details of the > > security features included in Feisty Fawn or Gutsy? For example, I am > > looking for a dedicated place in Ubuntu.com where I could find answers > > for questions like these: > > a. Is the Address Space Layout Randomization based on PaX? > > b. When was this security measure included in Ubuntu? > > c. How many bits are randomized? > > d. Is function table randomized? > > e. Is Stack Guard part of all applications included in Feisty > > Fawn? > > > > Thanks! > > > > Sincerely, > > Cheon-Woei Ng > > I'm not in any way affiliated with Ubuntu, so I can't answer your > questions for sure, but AFAIK the only protections currently in place > along the lines of what you mentioned are using SSP by default. This > was implemented for Edgy. You can read more about it at this launchpad > page: https://blueprints.launchpad.net/ubuntu/+spec/gcc-ssp . I'm not > 100% certain, but I don't think that PaX are related technologies are > compiled into the kernel. You can easily check exactly what is > compiled into your kernel though by grepping through > /boot/config-your-kernel-version. > > -- > Evan Klitzke <[EMAIL PROTECTED]> > > -- > ubuntu-server mailing list > ubuntu-server@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/ubuntu-server > -- Rick Clark Technical Lead, Ubuntu Server Team email: [EMAIL PROTECTED] irc: dendrobates on freenode http://www.ubuntu.com -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
