|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
Re: [PLUG] Windows security
|
On 08/19/2010 03:08 PM, JP Vossen wrote:
Finally using safer libraries, randomizing where things go in RAM, and
using the NX bit where possible, which modern kernels may already do,
would also eliminate many if not most buffer overflow problems. (Windows
may be doing some of that now too.)
If you're running Gentoo there is also compile-time optimizations that
can be built-in, like -fstack-protector (puts a canary on the stack to
detect overflows).
I'd really like to see things like SELinux and POSIX capabilities take
off. Right now it is just way to hard to use these on most distros. It
would be really nice if they were just on by default, and that nothing
got installed without putting in an appropriate rule.
Then, if somebody exploits your browser they don't get access to
anything but the cache and settings files for the browser, and maybe
write-only access to the downloads folder. If they exploit flash (and
flash runs in a separate process), then all they get access to is any
cache that flash implements and the little window the flash app has
access to draw on.
Otherwise, simply not having access to root doesn't buy you much. Ok,
so the exploit can't drop in a rootkit, but they can put anything they
want in my bashrc or xsession, access or modify any of my personal info,
log my keystrokes, and make arbitrary TCP/IP connections as long as they
don't involve privileged ports. Of course, other users on my
single-user desktop are safe. It is definitely a step up from Windows,
but not as big a step as some think.
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|