Thomas Dullien wrote:
>
> > It would appear at first glance that RSX uses the same technique as PAX.
> > Naturally, the PAX and RSX teams should confer to make a definitive
> > statement on similarities and differences.
>
> Just for the record, the technique bears no similarity. PAX provides
> real, non-executable PAGES on x86 -- RSX remaps the heap segments
> outside of the code segment limit.

To be more precise: RSX does _not_ provide non-exec stack, heap and so on but the 'complement' speak executable code area. The segments which are remapped are _not_ the heap(s), speak data segments, but the code (marked as rx-p) areas.

The basic idea while writing RSX was not to provide some heavy artillery but a small, very low penalty kernel module stopping not 100 but maybe 95% of widespread local & remote attacks towards Linux machines.

There cannot be a doubt that installing the module to protect few but endangered applications (like sshd, rshd, rpc) improves the system security.

sincerely,

Paul Starzetz
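An added illustration, not part of the original post and not RSX code: a toy C model of the segment-limit idea discussed in this message, in which executable (r-xp) mappings sit below a code segment limit and instruction fetches above that limit fault. The mapping table, addresses and function names are constructed for the example and assume pre-NX 32-bit x86, where any readable page inside the CS limit can be executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps style; addresses are illustrative. */
struct mapping { uint32_t start, end; const char *perms; const char *name; };

static const struct mapping sample_maps[] = {
    { 0x00110000u, 0x00118000u, "r-xp", "app text (remapped low)"  },
    { 0x00200000u, 0x00320000u, "r-xp", "libc text (remapped low)" },
    { 0x08050000u, 0x08052000u, "rw-p", "app data" },
    { 0x08052000u, 0x08073000u, "rw-p", "heap"     },
    { 0xbffdf000u, 0xc0000000u, "rw-p", "stack"    },
};
#define NMAPS (sizeof sample_maps / sizeof sample_maps[0])

/* Smallest CS limit (highest valid offset) that still covers every r-xp mapping. */
uint32_t min_code_limit(const struct mapping *m, size_t n) {
    uint32_t limit = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(m[i].perms, "r-xp") == 0 && m[i].end - 1 > limit)
            limit = m[i].end - 1;
    return limit;
}

/* Model of an instruction fetch: the offset must be within the CS limit
 * and the page must be mapped readable (no per-page execute bit exists). */
bool fetch_allowed(const struct mapping *m, size_t n, uint32_t cs_limit, uint32_t addr) {
    if (addr > cs_limit)
        return false;                      /* limit violation: #GP */
    for (size_t i = 0; i < n; i++)
        if (addr >= m[i].start && addr < m[i].end)
            return m[i].perms[0] == 'r';
    return false;                          /* unmapped: page fault */
}

int main(void) {
    uint32_t limit = min_code_limit(sample_maps, NMAPS);
    uint32_t probes[] = { 0x00200010u, 0x08060000u, 0xbffff000u };
    printf("cs limit = 0x%08x\n", (unsigned)limit);
    for (size_t i = 0; i < 3; i++)
        printf("fetch 0x%08x: flat=%d limited=%d\n", (unsigned)probes[i],
               fetch_allowed(sample_maps, NMAPS, 0xffffffffu, probes[i]),
               fetch_allowed(sample_maps, NMAPS, limit, probes[i]));
    return 0;
}
```

In this model a data mapping that ended up below the limit would still be fetchable, which is why the code areas, not the data areas, are the ones placed relative to the limit.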
This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 15:04:15 PDT