Tuesday, January 26. 2016
Safer use of C code - running Gentoo with Address Sanitizer
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
50-100% sounds very unreasonable even for super sensitive application. Why not go with grsecurity and hardened kernel?
grsecurity and asan aren't really comparable, they target very different issues. grsecurity is an exploit mitigation tool to prevent kernel vulns (and it's amazing in this regard), asan targets userspace applications.
But I'm unsure myself if using this for production makes any sense. What I think is undoubtful is that it's a good testing ground.
If you're looking for something in userspace that's more practical then some of the more interesting efforts are the CFI and Safe Stack options of llvm:
http://clang.llvm.org/docs/ControlFlowIntegrity.html
http://clang.llvm.org/docs/SafeStack.html
But I'm unsure myself if using this for production makes any sense. What I think is undoubtful is that it's a good testing ground.
If you're looking for something in userspace that's more practical then some of the more interesting efforts are the CFI and Safe Stack options of llvm:
http://clang.llvm.org/docs/ControlFlowIntegrity.html
http://clang.llvm.org/docs/SafeStack.html
By grsecurity I meant PaX. It does prevent userspace 0days.
Just run app-admin/paxtest to see all test cases.
IMHO, Address Sanitizer should be used by developers, PaX by end users.
Just run app-admin/paxtest to see all test cases.
IMHO, Address Sanitizer should be used by developers, PaX by end users.
FYI, http://seclists.org/oss-sec/2016/q1/363
It warns about using ASan in production for security protection.
It warns about using ASan in production for security protection.