How to protect buggy programs from security vulnerabilities under Linux

craigevil · 01-04-2007, 02:45 AM

Has anyone tried this?
How to protect buggy programs from security vulnerabilities under Linux and UNIX | nixCraft
http://www.cyberciti.biz/tips/howto-...abilities.html

And is it really worth using 50-75% more ram usage when runnng Iceweasel/Iceape?

Quote:

DieHard eliminates — or greatly reduces the likelihood of — a class of bugs and security vulnerabilities called memory errors. DieHard prevents certain kinds of errors from happening at all. It also reduces the probability that a bug will have any effect at all. DieHard works by randomly locating program objects far apart from each other in memory. This scattering of memory objects all over memory not only makes some errors unlikely to happen, it also makes it virtually impossible for a hacker to know where vulnerable parts of the program's data are. This thwarts a wide class of exploits.

DieHard works in two modes: standalone and replicated. The standalone version replaces the memory manager with the DieHard randomized memory manager. This randomization increases the odds that buffer overflows will have no effect, and reduces the risk of dangling pointers. The replicated version provides greater protection against errors by running several instances of the application simultaneously and voting on their output. Because each replica is randomized differently, each replica will likely have a different output if it has an error, and some replicas are likely to run correctly despite the error.

unSpawn · 01-04-2007, 06:48 AM

Haven't tried it (and that's not based on the fact we already got malloc stuff, PAX, Systrace or Exec Shield floating around nor the fact it's funded by Microsoft and Intel). The title "How to protect buggy programs from security vulnerabilities under Linux and UNIX" is wrong IMHO since it emphasises mitigating symptoms instead of fixing the cause (which it obviously can't ofcourse): instead the *code* should be made safe to use.

And is it really worth using 50-75% more ram usage when runnng Iceweasel/Iceape?
Basically you're asking if it's a good choice to trade off using more RAM for better coverage (less risk)?
If a test of established products vs this one should show they don't provide enough coverage then the answer would be simple. (That is if the Slashdot article didn't mention several people having problems running apps after installing this.) (And next to that RAM is there to be used and the Linux VM knows best how to take care of it.)