From: Kyle Bader
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
Date: Thu, 1 Jul 2010 14:08:03 -0700
In-Reply-To: <201007012205.22967.radegand@o2.pl>
References: <201007010846.11482.radegand@o2.pl> <201007012205.22967.radegand@o2.pl>

> Javier: good point, I haven't really considered the differences between the
> use of fstack-protector and fstack-protector-all - maybe something to do in
> the future. Would there be a way to find out which option was used on a given
> binary 'post mortem'? (read: after compilation? ;))

While it doesn't differentiate between fstack-protector and
fstack-protector-all this script [1] can detect RELRO, canary, NX/PAX & PIE:

[509] kyle@blah:~/security-bin$ ./checksec-new.sh --file buggy
RELRO           STACK CANARY      NX/PaX        PIE                     FILE
No RELRO        Canary found      NX enabled    No PIE                  buggy

[1] http://tk-blog.blogspot.com/2009/02/checksec.html

-- 
Kyle
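
The four checks reported above, as an added Python example that is not part of the original message and is not the checksec script's own code. It assumes a little-endian ELF64 file, finds the canary by a byte search for the symbol name rather than by parsing the symbol table, and uses a hypothetical helper, build_sample, to construct test input.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
ET_DYN, PF_X, DT_BIND_NOW = 3, 1, 24
NOW_FLAG = {30: 0x8, 0x6FFFFFFB: 0x1}  # DT_FLAGS: DF_BIND_NOW, DT_FLAGS_1: DF_1_NOW

def checksec(data: bytes) -> dict:
    """Static hardening report for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bind_now = nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, off)
        p_filesz, = struct.unpack_from("<Q", data, off + 32)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)  # a missing PT_GNU_STACK is reported as NX disabled
        elif p_type == PT_DYNAMIC:
            # Walk the Elf64_Dyn (tag, value) pairs looking for eager binding.
            for d in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, d)
                if tag == DT_BIND_NOW or val & NOW_FLAG.get(tag, 0):
                    bind_now = True
    return {
        "relro": ("Full RELRO" if bind_now else "Partial RELRO") if relro else "No RELRO",
        # Name match only: one guarded function is enough to pull in the symbol,
        # so this cannot separate -fstack-protector from -fstack-protector-all.
        "canary": "Canary found" if b"__stack_chk_fail" in data else "No canary found",
        "nx": "NX enabled" if nx else "NX disabled",
        "pie": "PIE or shared object" if e_type == ET_DYN else "No PIE",
    }

def build_sample(e_type: int, phdrs: list, tail: bytes = b"") -> bytes:
    """Constructed input: ELF64 header, (type, flags, filesz) phdrs, raw tail bytes."""
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body_off = 64 + 56 * len(phdrs)  # every segment points at the start of tail
    ph = b"".join(struct.pack("<IIQQQQQQ", t, f, body_off, 0, 0, n, n, 8)
                  for t, f, n in phdrs)
    return hdr + ph + tail

if __name__ == "__main__":
    # Constructed stand-in with the same properties as the 'buggy' row above.
    print(checksec(build_sample(2, [(PT_GNU_STACK, 6, 0)], b"__stack_chk_fail\0")))
```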