production usage of 'randomizkernel/user stack base' options

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

production usage of 'randomizkernel/user stack base' options

Postby radek » Sun Jul 04, 2004 12:38 pm

any comments about subject?

is it safe to enable it on production systems ?

TIA for any info.
radek
 
Posts: 4
Joined: Sun Jul 04, 2004 11:41 am

Postby Sleight of Mind » Sun Jul 04, 2004 1:18 pm

i've used it on my servers for over a year now, and never saw any problem, but i guess it depends on the applications you run. You should just test it, you can always boot a kernel without these options of problems occur.
Sleight of Mind
 
Posts: 92
Joined: Tue Apr 08, 2003 10:41 am

Re: production usage of 'randomizkernel/user stack base' opt

Postby PaX Team » Tue Jul 06, 2004 10:38 am

radek wrote:is it safe to enable it on production systems ?
i think randustack is safe to use except maybe for java which doesn't like randomization (i don't know if it's the stack or the other randomizations though, but since you have to disable all of PaX on it, it probably doesn't matter anyway). randkstack is a harder one, it depends on your kernel stack utilization (how close tasks get to a kernel stack overflow due to interrupts and whatnot). the default randomization of randkstack can result in an extra 128 bytes used on the kernel stack, whether that will trigger an overflow or not is hard to tell, you're best off by trying it out for some period of time. i'd also add that if these 128 bytes can cause a stack overflow then you're already extremely close to running into one anyway, considering that the usable kernel stack is some 7 kbytes on i386. also randkstack is probably meaningful mostly when you have untrusted local users, against remote attacks it matters little if anything.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby radek » Tue Jul 06, 2004 12:49 pm

what about randkstack while enabling usage of 4k kernel stack ? /from 2.6.6+/ ?

as so far (three production systems, quite heavy loaded), no bigger problems :) but i didnt check it thourougly. the hosts are configured heavily to auto "repair" all problems (restarts, reloads, retries, delegations in case of problems) so this can not be treaten as a 'everything works perfect' sign.
radek
 
Posts: 4
Joined: Sun Jul 04, 2004 11:41 am


Return to grsecurity support