Linked by Amjith Ramanujam on Mon 11th Aug 2008 16:13 UTC, submitted by gonzo
Privacy, Security, Encryption Ars Technica has analyzed recently publicized Vista's security flaws. "Unfortunate, yes, but not as was reported in the immediate aftermath of the presentation evidence that Vista's security is useless, nor does this work constitute a major security issue. And it's not game over, either. Sensationalism sells, and there's no news like bad news, but sometimes particularly when covering security issues, it would be nice to see accuracy and level-headedness instead. ... Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista's (in)famous UAC restrictions."
Permalink for comment 326587
To read all comments associated with this story, please click here.
RE[3]: Comment by Soulbender
by kerframil on Tue 12th Aug 2008 13:20 UTC in reply to "RE[2]: Comment by Soulbender"
kerframil
Member since:
2005-07-13

This is not a particularly well informed comment.

Firstly, building something with gcc does not guarantee a non-executable stack [1].

Secondly, heap and address space randomization was only introduced mainline as of 2.6.25 (released 17th April 2008) [2] and, in order to leverage fully, it requires a complete PIE userland - which almost all distros fail to provide (Hardened Gentoo being a noteworthy exception) [3].

Thirdly, the Linux kernel has supported the NX bit on x86 processors since 2004 (around the same time that XP SP2 was released which introduced its DEP implementation). Even then, it requires PAE OR HIGHMEM64 to be enabled - one wonders exactly how many stock distro kernels do this.

Further, based on the implementation in the kernel alone, if you do not have a hardware NX bit then you are out of luck. Besides which, the protection is really quite limited; the mainline kernel only provides a subset of the functionality provided by the Exec Shield project and, arguably, the protections offered by Exec Shield are arguably inferior to PaX (which is never going to go mainline) [4].

Fourthly, Win32 has defined a formal memory protection sheme and supported various memory protection attributes upon allocation of pages from the very beginning [5]. The only thing that has changed now is that the resultant policy is actually capable of being enforced on x86. The point is that the framework for allocating memory in the right way has always been there for application developers to use.

[1] http://www.gentoo.org/proj/en/hardened/gnu-stack.xml#doc_chap2
[2] http://kernelnewbies.org/Linux_2_6_25#head-fc71477174376b69ac7c3cd1...
[3] http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml
[4] http://en.wikipedia.org/wiki/PaX
[5] http://msdn.microsoft.com/en-us/library/aa366786(VS.85).aspx

Reply Parent Score: 5