lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030819054809.GA13233@trusteddebian.org>
Date: Tue, 19 Aug 2003 07:48:09 +0200
From: Peter Busser <peter@...steddebian.org>
To: bugtraq@...urityfocus.com
Subject: Re: Buffer overflow prevention


On Mon, Aug 18, 2003 at 03:31:11PM -0600, Theo de Raadt wrote:
> >> If we had been aware of PAX as you claim, why would we have thought
> >> that i386 solutions were impossible?
> >
> >You have thought that i386 solutions were possible, because you have
> >implemented them.
> 
> Can you please stop spinning this?

How could you implement an i386 solution if you still think it is impossible?

> W^X was up and running on some of our architectures before we had
> heard of PAX.
> 
> Months later, ways of doing W^X for i386 were discussed, but this was
> also before we had heard of PAX.
> 
> Even later, W^X was starting to work on i386, but even this was before
> we had heard of PAX.
>
> W^X does not do what PAX does; rather, W^X attempts to solve many of
> the same problem AREAS, but using entirely DIFFERENT SOLUTIONS.

Ok, thank you for clarifying that. I didn't know that. All I've seen so far is
abusive language from you against the people who contacted you about this
matter.

> Holy cow, can you guys please stop crowing for me to revise history!

Can you please stop making generalisations?

> It is clear that W^X was developed without knowlege of PAX; it is clear
> that this is a case of two solutions to a similar problem space -- call it
> convergent evolution; it is clear that begging for credit is just making
> your efforts look more and more political and less and less techical.

PaX is not my effort.

> I urge the PAX authors to get their community's rabid foaming under control.

I can't speak for other people in the community you mention, but it seems to
me that the one who is foaming right now is you.

> Like, our idea that mprotect should
> still permit a user to request a page that is PROT_EXEC|PROT_WRITE; by default
> the PAX people prefer to deny such requests.

Right, PROT_EXEC|PROT_WRITE is W|X and not W^X. Denying it is what you could
call secure by default.

> We informally (in mail to lists, etc) presented W^X to say we have
> shipped a system that does this and this and that, to improve
> resistance against exploitation of bugs, in concert with ProPolice.
> If you look at the PAX web and other much more formal documentation,
> you will find that they do not mention W^X.

If you look at the PaX web site, you will notice that it mentions other Linux
patches that do memory protection. The Adamantix web site links to the OpenBSD
web site and to systrace.

> Your continued insistance that we knew of PAX is making you look ridiculous.

My continued insistance? I've written only two messages about the subject, this
one being the second.

> I will not revise history to make your ego feel less bruised.

There is a saying which goes like: It takes one to know one.

> >The Adamantix Project
> >Taking trustworthy software out of the labs, and into the real world
> >http://www.adamantix.org/
> 
> Competing against OpenBSD security efforts, but starting out 6 years later...

Thank you for thinking of Adamantix as competition. I think competition is
good and having a choice is also good.

Groetjes,
Peter Busser
-- 
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ