Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
When will ASLR be made default on all profiles?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
duby2291
Guru
Guru


Joined: 17 Oct 2004
Posts: 446

PostPosted: Mon Feb 27, 2017 3:57 pm    Post subject: When will ASLR be made default on all profiles? Reply with quote

It can -NOT- be a matter of if it happens, it -MUST- be a matter of when it happens. It must happen.

This is -the- solution to a number of very serious vulnerabilities that linux desktops are suffering from publicly right now in this time frame. Desktop users, not servers and workstations, but users of their own personal computer are at risk of a few serious exploits that ASLR will completely resolve. It's way past time to implement this functionality for everyone. It needs to happen asap.
_________________
MB: Biostar TForce 6100 AM2 @ 250x10
CPU: AMD Athlon 64 3800+ X2 @ 2500mhz
MEM: G. Skill DDR2-800 2GB @ DDR2-1000
GPU: nVidia GeForce 7600 GT
OS: Gentoo Linux 2006.1
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1047

PostPosted: Mon Feb 27, 2017 5:18 pm    Post subject: Reply with quote

What's stopping you from using it, you don't need to wait for it. Even outside that, you can always use grsecurity or SELinux if you are soo worried about this threat.
Back to top
View user's profile Send private message
R0b0t1
n00b
n00b


Joined: 05 Jun 2008
Posts: 47

PostPosted: Mon Feb 27, 2017 5:26 pm    Post subject: Reply with quote

Most people aren't technically savvy enough to enable it themselves. Mainstream distributions support ASLR by default; if it's not in the gentoo-sources configuration by default the developers are doing their users a disservice.

Decent benchmark: https://wiki.ubuntu.com/Security/Features. Also, the Windows kernel uses ASLR if I remember correctly.
Back to top
View user's profile Send private message
duby2291
Guru
Guru


Joined: 17 Oct 2004
Posts: 446

PostPosted: Mon Feb 27, 2017 5:51 pm    Post subject: Reply with quote

R0b0t1 wrote:
Most people aren't technically savvy enough to enable it themselves. Mainstream distributions support ASLR by default; if it's not in the gentoo-sources configuration by default the developers are doing their users a disservice.

Decent benchmark: https://wiki.ubuntu.com/Security/Features. Also, the Windows kernel uses ASLR if I remember correctly.


I failed at it every time I've tried. It's because in order for ASLR to work it needs kernel configuration set correctly and compiler cflags set correctly. It's because it needs userspace configuration that effects all packages is the reason why it must be incorporated into the portage profiles. In todays modern world ASLR is not optional. It is an absolute requirement for -all- linux installations.

EDIT: there is a dot . at the end of your link that causes clicking on it to open a page does not exist yet error page.
_________________
MB: Biostar TForce 6100 AM2 @ 250x10
CPU: AMD Athlon 64 3800+ X2 @ 2500mhz
MEM: G. Skill DDR2-800 2GB @ DDR2-1000
GPU: nVidia GeForce 7600 GT
OS: Gentoo Linux 2006.1
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3139

PostPosted: Mon Feb 27, 2017 6:25 pm    Post subject: Reply with quote

Maybe after they've figured out how to harden it against the new javascript exploit? Until then it appears to have become worth less, if not worthless.

https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
duby2291
Guru
Guru


Joined: 17 Oct 2004
Posts: 446

PostPosted: Mon Feb 27, 2017 6:36 pm    Post subject: Reply with quote

depontius wrote:
Maybe after they've figured out how to harden it against the new javascript exploit? Until then it appears to have become worth less, if not worthless.

https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/


I do fully understand the pervasiveness of javascript, but the real solution there is to disable javascript. I already did that years ago. I don't miss it at all. Websites that want to use JS simply don't want -me- to visit. That's all. It does suck, there is plenty of web content that won't work, but as long as those same web sites choose to rely on -the- most exploitable software -ever- written I will continue to absolutely refuse.

In my opinion the very best way to eliminate exploits is to eliminate the exploitable item. You can't say that's a flaw in ASLR only that javascript was exploited -again-.
_________________
MB: Biostar TForce 6100 AM2 @ 250x10
CPU: AMD Athlon 64 3800+ X2 @ 2500mhz
MEM: G. Skill DDR2-800 2GB @ DDR2-1000
GPU: nVidia GeForce 7600 GT
OS: Gentoo Linux 2006.1
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 3920
Location: UK

PostPosted: Mon Feb 27, 2017 11:16 pm    Post subject: Reply with quote

What's your threat model here? It's been demonstrated that ASLR is a wet paper bag so what do you think it's going to protect against in reality?
_________________
Quantity is not quality.
overlay | runit-scripts
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum