Re: Buffer overflow prevention

From: Theo de Raadt (deraadtat_private)
Date: Mon Aug 18 2003 - 14:31:11 PDT


    >> If we had been aware of PAX as you claim, why would we have thought
    >> that i386 solutions were impossible?
    >
    >You have thought that i386 solutions were possible, because you have
    >implemented them.
    
    Can you please stop spinning this?
    
    W^X was up and running on some of our architectures before we had
    heard of PAX.
    
    Months later, ways of doing W^X for i386 were discussed, but this was
    also before we had heard of PAX.
    
    Even later, W^X was starting to work on i386, but even this was before
    we had heard of PAX.
    
    And finally, as you guys keep saying: W^X does not do what PAX does!
    
    In essence, PAX attempts a best-effort of mapping existing and unchanged
    Linux binaries (except for marking) so that they are mapped best for
    security.  They do this by changing almost only kernel code.
    
    In essence, the OpenBSD method attempts to make changes through the
    entire system so that userland binaries are better organized and so
    that kernel changes can be reduced or simplified.  For instance, the
    most complicated component of the W^X changes is not the kernel
    modifications, but the changes to binutils and ld.so to map binaries
    more carefully!  OpenBSD/i386 3.3 binaries will not easily run on an
    OpenBSD/i386 3.4 system, and if they do run, they will NOT HAVE
    PROTECTION!  This is something the PAX people knew the Linux community
    would not accept; having entirely different constraints caused us to
    take an ENTIRELY different approach to these problems.
    
    W^X does not do what PAX does; rather, W^X attempts to solve many of
    the same problem AREAS, but using entirely DIFFERENT SOLUTIONS.
    
    Yet, persistently we have been flooded by PAX supporters demanding
    that we should give credit to the PAX people for the ideas in W^X.
    When we had NOT known about PAX, and when W^X does NOT technically do
    what PAX does.
    
    How is it that out of one side of the mouth PAX people say that things
    which I say are not possible on i386 using W^X (full per-page X bit) are
    possible using PAX, and then the other side of the mouth says that W^X
    is just derived from PAX ideas?
    
    Holy cow, can you guys please stop crowing for me to revise history!
    
    >> There is only one thing I have found the various PAX people to have in
    >> common; they are very persistent at calling other people liars.  Can
    >> you people please grow up?
    >
    >I'd say that the one thing that ``the various PaX people'' have in common is
    >that they use PaX. I believe I am one of them and I don't call you a liar. I
    >also know others who probably fit your definition who do not call you a liar.
    >
    >You get rewarded for working on OpenBSD by donations and by selling CDs. For
    >other people the only reward is often public acknowledgement.
    
    Oh?  So to get their reward, they send out their drones to assault other
    projects, and get credit that is not theirs?
    
    It is clear that W^X was developed without knowledge of PAX; it is clear
    that this is a case of two solutions to a similar problem space -- call it
    convergent evolution; it is clear that begging for credit is just making
    your efforts look more and more political and less and less technical.
    
    I urge the PAX authors to get their community's rabid foaming under control.
    
    In attack after attack posted to our mailing lists, we were not being asked
    to say that the ideas from the PAX people predated the ideas in W^X.  No, no!
    We were being told to say that W^X ideas were *COPIED* from PAX, when
    we had no idea that such a thing as PAX even existed!  Furthermore, there are
    differences in approach between W^X and PAX which are so fundamental that
    it is clear we did not copy from PAX!  Like, our idea that mprotect should
    still permit a user to request a page that is PROT_EXEC|PROT_WRITE; by default
    the PAX people prefer to deny such requests.
    
    >The way you have
    >presented W^R to the world, i.e. as if there was nothing like it on this planet
    >does not acknowledge the hard work of others.
    
    We informally (in mail to lists, etc) presented W^X to say we have
    shipped a system that does this and this and that, to improve
    resistance against exploitation of bugs, in concert with ProPolice.
    If you look at the PAX web and other much more formal documentation,
    you will find that they do not mention W^X.
    
    If you look at Crispin's StackGuard papers, you will not find a
    mention of ProPolice -- which is clearly a better StackGuard.  Why
    should we mention PAX?  It does not influence what OpenBSD users
    encounter.  Are Linux people being specifically told "This is PAX,
    like W^X in OpenBSD"?
    
    >Hard work that implemented what
    >you thought was impossible before you even started thinking about it.
    
    So?  If our efforts were parallel, without any communication, how can I
    give them credit?  You want me to say that W^X is based on PAX, right?
    You want me to lie.  Get stuffed!  I will not make that lie which you want
    me to make.
    
    W^X was invented because we saw the need for it.  We had no idea that anyone
    else was working in the same area.
    
    Your continued insistence that we knew of PAX is making you look ridiculous.
    
    >I would
    >say that is impressive, don't you think so? When people contacted you about it,
    >you treated them in a manner that was not exactly what one might expect from
    >a grown-up person.
    
    I have seen about 50 mails from PAX developers or PAX-associated developers or
    users insisting that we say that W^X is a PAX derivative.  I continue to tell
    them that I will not agree to such revisionism.
    
    I will not revise history to make your ego feel less bruised.
    
    >Groetjes,
    >Peter Busser
    >-- 
    >The Adamantix Project
    >Taking trustworthy software out of the labs, and into the real world
    >http://www.adamantix.org/
    
    Competing against OpenBSD security efforts, but starting out 6 years later...
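The one concrete technical difference the mail names is whether a process may ask the kernel for a page that is both writable and executable: the OpenBSD W^X described above still honours such an mprotect request, while PaX by default refuses it. The probe below is an added example (not code from this thread, from OpenBSD or from PaX) that a system administrator can compile on a POSIX system to see which behaviour the running kernel exhibits; the function names and the policy labels are this example's own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Each probe returns 1 if the kernel granted a writable+executable page,
 * 0 if it refused the request, and -1 if the plain set-up mapping failed
 * for a reason unrelated to W^X policy. */
int probe_mmap_rwx(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        printf("mmap(RWX): refused (%s)\n", strerror(errno));
        return 0;
    }
    munmap(p, page);
    printf("mmap(RWX): granted\n");
    return 1;
}

int probe_mprotect_to_rwx(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;                     /* RW mapping itself failed: not a policy answer */
    int granted = (mprotect(p, page, PROT_READ | PROT_WRITE | PROT_EXEC) == 0);
    printf("mprotect(RW->RWX): %s\n", granted ? "granted" : strerror(errno));
    munmap(p, page);
    return granted;
}

/* Label the observed behaviour in the terms the mail uses (labels are ours). */
const char *wx_policy_name(int mmap_rwx, int mprotect_rwx)
{
    if (mmap_rwx == 1 && mprotect_rwx == 1)
        return "W|X requests honoured (the default the mail attributes to OpenBSD W^X)";
    if (mmap_rwx == 0 && mprotect_rwx == 0)
        return "W|X requests refused (the deny-by-default the mail attributes to PaX)";
    return "mixed or inconclusive";
}

int main(void)
{
    int a = probe_mmap_rwx(), b = probe_mprotect_to_rwx();
    printf("policy: %s\n", wx_policy_name(a, b));
    return 0;
}
```

A stock Linux kernel reports both requests as granted; a PaX kernel with MPROTECT enabled, or a system whose MAC policy forbids execmem, reports them refused.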
    