tech-pkg archive


Re: Improving security for pkgsrc



Hi,

On 07/19/15 17:12, Joerg Sonnenberger wrote:
> On Sun, Jul 19, 2015 at 01:50:36AM +0200, Pierre Pronchery wrote:
>>> Now I am not arguing that it doesn't make a certain class of attacks
>>> harder. But the main point is that it is at most security in depth.
>>> It does not prevent exploits, it just makes them harder.
>>
>> It *mitigates* them.
> 
> Privilege separation, when done correctly, mitigates an exploit.
> Stack protector as mentioned above doesn't for many deployment
> scenarios. Once the canary has been guessed, the exploit is as
> devastating as originally.

Mitigate:
1. (transitive) To reduce, lessen, or decrease.

Privilege separation is one technique to achieve this, which can be
combined with a number of other techniques to further reduce the attack
surface. A lot of bugs that would be exploitable fall short of actual
code execution *because* one or more mitigation techniques help
prevent it.

Guessing the canary as you say typically requires another bug again,
like an information leak. It makes the whole thing harder, more
expensive for the attacker. Attackers do have a budget too. We are
wasting ours here.

The day we get a bullet-proof compilation flag that totally prevents
exploits, I will be glad to switch it on. In the meantime, we should
really stop running naked in the street, or at least have the option to
put some underwear on.

Cheers,
-- 
khorben
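The two scenarios argued over above (a blind overflow tripping the stack protector versus the same overflow after the canary has been leaked) can be shown in a few lines. The following is an added example, not code from this thread or from pkgsrc: it models the check -fstack-protector emits with a hand-built frame struct and a hardcoded canary, so the layout, the canary value and the return addresses are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the simulated function epilogue. */
enum outcome { RET_CLEAN = 0, RET_ABORT = 1, RET_HIJACKED = 2 };

/* Constructed values. A real canary is chosen at process start from a
 * random source; some implementations keep its low byte zero so that a
 * string copy stops on it. The return targets are arbitrary markers. */
#define CANARY_VALUE ((uint64_t)0x4fa1c0de5eed00ULL)
#define LEGIT_RETURN ((uint64_t)0x401000ULL)
#define EVIL_RETURN  ((uint64_t)0x402000ULL)

/* Hypothetical frame layout: local buffer, then the canary, then the
 * saved return address, which is the order the stack protector relies on
 * (the canary must be overwritten before the return address is). */
struct frame {
    char     buf[16];
    uint64_t canary;
    uint64_t saved_ret;
};

/* The buggy callee: copies attacker-controlled input into buf with no
 * bounds check, then runs the canary check the compiler would emit. */
enum outcome vulnerable_copy(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.saved_ret = LEGIT_RETURN;
    if (len > sizeof f)         /* keep the simulation inside the struct */
        len = sizeof f;
    memcpy(&f, input, len);     /* the bug: bounded by len, not sizeof buf */
    if (f.canary != CANARY_VALUE)
        return RET_ABORT;       /* __stack_chk_fail: process is killed */
    if (f.saved_ret != LEGIT_RETURN)
        return RET_HIJACKED;    /* check passed, control flow is gone */
    return RET_CLEAN;
}

/* Build a 32-byte overflow: 16 bytes of filler, 8 bytes over the canary
 * slot, 8 bytes over the saved return address. With a leaked canary the
 * attacker writes the true value back; without one they can only guess. */
size_t build_payload(unsigned char *out, const uint64_t *leaked_canary)
{
    uint64_t target = EVIL_RETURN;
    memset(out, 'A', 16);
    if (leaked_canary)
        memcpy(out + 16, leaked_canary, sizeof *leaked_canary);
    else
        memset(out + 16, 'A', 8);     /* blind guess: wrong almost always */
    memcpy(out + 24, &target, sizeof target);
    return 32;
}

/* Run the overflow with or without a prior information leak. */
enum outcome run_attack(int attacker_has_leak)
{
    unsigned char payload[32];
    uint64_t leaked = CANARY_VALUE;   /* what an info-leak bug would yield */
    size_t len = build_payload(payload, attacker_has_leak ? &leaked : NULL);
    return vulnerable_copy(payload, len);
}

int main(void)
{
    static const char *names[] = { "clean", "abort", "hijacked" };
    printf("benign input : %s\n",
           names[vulnerable_copy((const unsigned char *)"hello", 5)]);
    printf("blind overflow: %s\n", names[run_attack(0)]);
    printf("with leak     : %s\n", names[run_attack(1)]);
    return 0;
}
```

Both sides of the argument are visible in the three results: the blind overflow dies at the canary check, so the protector turns a code-execution bug into a crash, while the same overflow armed with a leaked canary reaches the return address untouched. The cost the protector imposes is exactly the second bug (or the guessing budget) needed to obtain that value.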


