Thanks for the comments!  The bug tracker isn't really the right place for 
this, so I'm marking the bug as "Invalid".  These kinds of discussions could be 
better done on the ubuntu-devel or ubuntu-hardened mailing lists.  For details 
on what's planned, what's done, and how things are progressing, I recommend 
reading:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase
https://wiki.ubuntu.com/SecurityTeam/Roadmap

If you have specific issues or patches for applications, please open new
bug reports for each of those packages, and mark the bug as a security
bug (though please mark it public as well unless it's actually a private
issue).

Speaking to your specific points, though:
> in the meantime the more risky binaries should be PIE
Absolutely, this is already being done.  See:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE

> The only attack vectors left as far as I am aware are:
> * Information leakage (Reasonably well fixed via protecting maps in /proc)
/proc/$pid/maps has been protected since Gutsy (7.10).

> * JITs (Java, mono etc, firefox 3.1, Not much we can do here)
Hardening the applications themselves is a good first step.  Hardening the 
memory allocation routines (glibc) too.  Confining the applications is another 
angle (via AppArmor, SELinux, etc), and is already under way with firefox.

> * Using code in the executable out of order (Solvable by compiling with PIE).
Right, hence the desire to use PIE by default on 64bit.

> * VSyscall not being randomized.
If you mean the VDSO, it has been randomized since Hardy.

As for PIE targets, I think the list is good.  Like you mentioned,
MySQL does not run with PIE; there are upstream bugs to be fixed there.
Postgres is fine, and already PIE.

We're enabling PIE via the hardening wrapper, which is much easier than 
plumbing the build systems for each package:
http://wiki.debian.org/Hardening


** Changed in: ubuntu
       Status: New => Invalid

** This bug has been flagged as a security vulnerability

-- 
PIE Randomization on more risky binaries
https://bugs.launchpad.net/bugs/356291
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs