Re: 3.0 wishlist Was: Overview of 2.2.x goals?

Richard Gooch (rgooch@atnf.CSIRO.AU)
Fri, 23 Jan 1998 14:03:30 +1100


ak@muc.de writes:
> On Thu, Jan 22, 1998 at 12:46:38PM +0100, Richard Gooch wrote:
> > Andi Kleen writes:
> > > Dan Hollis <goemon@sasami.anime.net> writes:
> > >
> > > > > * Anti-exec-stack option
> > > >
> > > > We *really* need this. Doesn't Solaris already have it?
> > >
> > > This will only stop current cut'n'paste exploits. When Linux has it as
> > > standard exploit writers will quickly adapt to it (as shown numerous times),
> > > and you have the same situation.
> >
> > I keep hearing these kinds of absolutist arguments "it doesn't fix
> > 100% of cases, therefore it's no use", and it's really silly. The
> > point is not whether it is 100% effective, but whether it provides an
> > *improvement* in security. This patch apparently costs nothing in
> > functionality, so it has no side-effects. What's the problem?
>
> It has side effects. It needs an ugly special case to detect legitimate
> uses of stack code (e.g. gcc trampolines), which may fail with more
> obscure compilers or interpreters that do this. My point actually was
> only that the security improvement of this change is not as high as many
> think.

But from your arguing against it, you appear to oppose the patch
because it isn't 100%. Not because it may not be very useful, but
simply because it isn't perfect and you only want perfect patches.

> > This is an imperfect world, and rejecting something because it isn't
> > perfect doesn't help. It won't *force* applications to be more
> > careful, which is what some may hope for.
>
> That is irrelevant, because it needs only a slight adaption by the
> exploit writers.

It is of course relevant. The patch provides some level of increase in
security, there's no arguing with that. You seem to take the position that
because the fix can be worked around, it is better to leave Linux at a
lower level of security so that application writers will fix their
code. Rejecting the patch will not have that effect.
Application writers can say that the problem doesn't exist on xyz-OS,
which does have the anti-exec fix. This tarnishes Linux.

> > "The point of locks on your house is not to stop burglars, but to make
> > it harder for them so that they try the next house down the street".
>
> "Using antibiotics carelessly harms more in the long run, because the
> bacteria become immune, so it won't work when you really need it"
> (OK, not 100% accurate)

Bacteria can become immune to classes of antibiotics when a particular
antibiotic of that class is over-used. Using the anti-stack-exec patch
will not make it any harder to fix applications to avoid
buffer-overflow exploits. You may lose when using antibiotics. You
don't lose when using anti-stack-exec.

Regards,

Richard....