Propolice and Pax

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Propolice and Pax

Postby siti » Sat Sep 13, 2003 1:44 am

I was wondering if there is any point in having IBM's Propolice stack protector enabled as well as having ETDYN and Pax enabled?

Because I would rather turn off Propolice because it does give another performance problem.

BTW: I know there was a thread about this a while ago but it did not come to a conclusion.
siti
Posts: 18
Joined: Fri Aug 08, 2003 6:30 pm

Re: Propolice and Pax

Postby PaX Team » Sat Sep 13, 2003 12:19 pm

siti wrote:
I was wondering if there is any point in having IBM's Propolice stack protector enabled as well as having ETDYN and Pax enabled?

there is of course a point in having multiple layers of defense (which is what this case is about), the more important question to answer is what combination you need/can afford.

Propolice protects against linear stack overflow exploit methods that want to change data (typically pointers) beyond the random canary on the stack. PaX protects against a (much) more generic category of exploit methods but it does so at a later phase in the attack (PaX allows the use of attacker modified pointers while Propolice does not, also Propolice prevents the modification of certain local variables/function arguments that would otherwise be exposed) therefore in the particular case where Propolice prevents the exploit PaX alone may be defeated. so if you're concerned about this exploit method (as in you want more guarantees than what PaX gives you for this case) then you're better off by using Propolice as well.

personally my preferred compiler based approach will be the stack frame reorganization of Propolice coupled with my planned return-to-libc prevention technique (return location checking as described in http://pageexec.virtualave.net/docs/pax-future.txt).

Because I would rather turn off Propolice because it does give another performance problem.

what kind of performance problems do you see? maybe you should also talk to the propolice author.
PaX Team
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
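The distinction drawn above (ProPolice catches a linear overflow because the write has to cross the canary before it can reach anything the compiler placed above it) is easier to see with a small model. The following is an added illustration, not code from the thread, from PaX or from the IBM SSP project: it uses a constructed struct to stand in for a ProPolice-reordered stack frame (buffer lowest, canary next, protected pointer highest) and a fixed canary value instead of the runtime's randomised one, and it returns a status where real ProPolice-compiled code would abort in its epilogue check.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical frame layout that mimics ProPolice's reordering:
 * the character buffer sits below the canary, and the pointer the compiler
 * wants to protect (saved return address, function pointer, pointer argument)
 * sits above it. A linear overflow of buf must cross the canary before it can
 * reach cb. The real frame is laid out by the compiler, not by a struct. */
typedef struct {
    char buf[16];
    uint32_t canary;
    int (*cb)(void);
} frame_t;

/* The real runtime randomises the canary per process; a fixed value is used
 * here only so the example is deterministic (assumed, not the SSP value). */
#define CANARY_VALUE 0x2A3B4C5Du

static int intact_cb(void) { return 42; }

/* Copies len raw bytes into the frame starting at buf, exactly as an
 * unbounded copy into buf would, then performs the check ProPolice inserts
 * in the function epilogue. Returns 1 if the canary is intact and the
 * protected pointer was usable, 0 if the copy reached the canary. In
 * ProPolice-compiled code the 0 branch aborts instead of returning. */
int frame_copy_and_check(const char *input, size_t len)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.cb = intact_cb;

    if (len > sizeof f)                       /* keep the model inside the object */
        len = sizeof f;
    memcpy((unsigned char *)&f, input, len);  /* buf is at offset 0 */

    if (f.canary != CANARY_VALUE)
        return 0;                             /* overflow detected before cb is used */
    return f.cb() == 42;
}

int main(void)
{
    /* Constructed inputs: a copy that fits, and one that runs past buf. */
    const char ok[]  = "hello";
    const char bad[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 28 bytes */

    printf("5-byte copy:  %s\n", frame_copy_and_check(ok, 5)   ? "intact" : "smashed");
    printf("28-byte copy: %s\n", frame_copy_and_check(bad, 28) ? "intact" : "smashed");
    return 0;
}
```

The point of the layout is that the canary check fires on the write pattern, before any corrupted pointer is dereferenced; PaX's protections (non-executable pages, randomised ET_DYN layout) only come into play later, once the corrupted pointer is actually used, which is why the post above says the two stack in the linear case but are not interchangeable.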

Postby siti » Sat Sep 13, 2003 4:56 pm

Thanks for the reply:)

here's the performance impact:
http://www.trl.ibm.com/projects/security/ssp/node5.html
siti
Posts: 18
Joined: Fri Aug 08, 2003 6:30 pm

Postby PaX Team » Sat Sep 13, 2003 6:40 pm

siti wrote:
here's the performance impact:
http://www.trl.ibm.com/projects/security/ssp/node5.html

ok, i thought it was something particularly bad in your own experience. as for the above report, it's quite outdated info, it would be interesting to see what the current version of propolice produces (also comparing the different propolice gcc versions to each other).
PaX Team
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
