Gentoo Hardened - 32 or 64bit arch?

[Crumbz]

Hi. I'm looking to put together a home microserver running Gentoo hardened and there are a few of questions I have before I go ahead and purchase hardware:

1) The first is concerning the PaX implementation of ASLR. Should I be seeking a board with a 64 bit architecture when considering the ASLR implementation on a 32 bit system?:
"For 32-bit systems ASLR provides little benefit since there are only 16 bits available for randomization, and they can be defeated by brute force in a matter of minutes." - http://goo.gl/MWTRf

2) If 64 bit is the way to go - would having only 1 or 2GB physical RAM on a 64 bit system limit the effectiveness of ASLR?

3) PAGEEXEC - this works on Intel's implementation of the NX bit - XN? Even on an Intel 32 bit system? - given that SEGMEXEC's purpose is to emulate an NX bit on ia-32 architectures.

Thanks a lot.

[NeddySeagoon]

Glasscup_uk,

Get 64 bit hardware and run only 64 bit software. Choose the ./no-multilib profile and turn off 32 bit emulation in your kernel.

32 bit software, even on 64 bit hardware behaves as if its on 32 bit hardware as the address space is still 32 bits.

Do not confuse physical address space (the amount of memory you have) with the virtual address space provided by the system. The two are not related but it may appear that way.
On a 32 bit system with 1G of RAM, the virtual address space is still 4G (32 bits) The Memory Management Unit (MMU) takes care of mapping Virtual Addresses to Physical Addresses.
Its OK for the same physical RAM to be mapped to different Virtual Addresses, as only one set virtual address data will be loaded into physical memory at a time.
This is swapping and its slow ... one of the side effects is that it means that theory, you can run a program that is larger than your physical RAM. You can but execution speed is impacted.

On a 64 bit system with only 1G RAM, The physical memory is the same size as before but the virtual address space is much bigger.
ASLR works in the virtual address space, not the physical address space. However 32 bit software cannot use this larger virtual address space as it uses 32 bit addresses.

There is a large speed impact when you emulate NX on a 32 bit system that does not have hardware NX support.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[Crumbz]

Thanks a lot for the quick response - it really helped.

Just that one issue to clear up - is Intel's XN is the essentially the same as an NX bit on other CPUs? I.e. PaX NX will function correctly in this circumstance?

Offtopic: do you know of any < 10watt TDP x86_64 MITX boards? I'm thinking along the lines of Intel Atom / AMD Fusion. I'll create another post in the hardware section.

Cheers.