Subject: Re: Non executable mappings and compatibility options bugs
To: None <tech-kern@netbsd.org, tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 06/22/2004 07:11:37
On Tue, Jun 22, 2004 at 03:58:57PM +1000, matthew green wrote:
> 
> actually, i'd call the fact that we can no longer run other binaries
> a regression, not the fact that we can only run our own secure ones.
> 
> i'm all for security features, but they can't break other things in
> the process.  why is it a regression to not enable a security feature
> for an emulation until it's verified _not to break it_?

Because right now, no program can execute code on the stack; but we're
about to make it so that some can.  Some is larger than none; that makes
the system rather obviously less secure.

I'm not saying not to fix the emulations.  I *am* saying that the user
needs to be very very obviously warned, at kernel build and run time,
that enabling the emulation options does something unobvious that has a
negative effect on system security: it lets you run binaries that can
potentially be made to run code on their stacks.  Since we trumpet our
new feature of a non-executable stack, if we _don't_ warn users when it's
not true, they'll just expect that things are as simple as they seem...

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud