Safer use of C code - running Gentoo with Address Sanitizer

Hanno's Blog

Tuesday, January 26. 2016


Comments

50-100% sounds very unreasonable even for a super-sensitive application. Why not go with grsecurity and a hardened kernel?
#1 Anton on 2016-01-28 08:22
grsecurity and asan aren't really comparable, they target very different issues. grsecurity is an exploit mitigation tool to prevent kernel vulns (and it's amazing in this regard), asan targets userspace applications.

But I'm unsure myself if using this for production makes any sense. What I think is undoubtedly true is that it's a good testing ground.

If you're looking for something in userspace that's more practical, then some of the more interesting efforts are the CFI and SafeStack options of LLVM:
http://clang.llvm.org/docs/ControlFlowIntegrity.html
http://clang.llvm.org/docs/SafeStack.html
#1.1 Hanno (Homepage) on 2016-01-28 13:40
By grsecurity I meant PaX. It does prevent userspace 0days.
Just run app-admin/paxtest to see all test cases.

IMHO, Address Sanitizer should be used by developers, PaX by end users.
#2 Anton on 2016-01-29 12:05
FYI, http://seclists.org/oss-sec/2016/q1/363
It warns about using ASan in production for security protection.
#3 kcwu on 2016-02-18 08:38
I've seen it. I will add a note to the text.
#3.1 Hanno (Homepage) on 2016-02-18 11:08
About

This blog is written by Hanno Böck. Unless noted otherwise, its content is licensed as CC0.