> I have never heard of Propolice SSP. What is it ? Any relation to the
> honey
> 'Propolys'. just kidding.
>
> Max
The name says little although I like it.
http://www.gentoo.org/proj/en/hardened/
I was out of date -- Propolice has been renamed PaX.
The hardened project has many parts, you should read the help on
grsecurity, but PaX is very interesting:
-------------------------------------------------------------------
from http://www.gentoo.org/proj/en/hardened/docs/pax-howto.xml :
What is PaX?
PaX is a patch to the Linux kernel that provides hardening in two ways.
The first, ASLR (Address Space Layout Randomization) provides a means to
randomize the addressing scheme of all data loaded into memory. When an
application is built as a PIE (Position Independent Executable), PaX is
able to also randomize the addresses of the application base in addition.
The second protection provided by PaX is non-executable memory. This
prevents a common form of attack where executable code is inserted into
memory by an attacker. More information on PaX can be found throughout
this guide, but the homepage can be found at http://pax.grsecurity.net.
At run time, when a buffer is created, SSP adds a secret random value, the
canary, to the end of the buffer. When the function returns, SSP makes
sure that the canary is still intact. If an attacker were to perform a
buffer overflow, he would overwrite this value and trigger the stack
smashing handler.
-------------------------------------------------------------------
For instance, imagine you have a version of Samba with the latest
unpatched hole. An attacker can enter. Now if you have PaX all he can do
is crash the process, and his intrusion attempt is detected and logged.
It's not the final cure for everything, but it covers unpatched holes.
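The canary check that the quoted SSP paragraph describes, as an added example that is not part of the mailing-list post or of the Gentoo documentation: a hand-built model of an SSP-instrumented stack frame in C (buffer, then canary, then saved return address), with an unchecked copy standing in for the Samba-style hole. The guard value, the placeholder return address and the 'AAAA...' input are constructed for the example; a real `gcc -fstack-protector` build plants a random per-process guard and its handler aborts instead of returning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated stack frame laid out the way an SSP-instrumented function's
 * frame is: character buffer first, then the canary, then the saved
 * return address. Overflowing buf runs into the canary before it can
 * reach saved_ret, which is the whole point of the layout.
 */
typedef struct {
    char      buf[16];
    uint32_t  canary;
    uintptr_t saved_ret;
} ssp_frame_t;

/* Stand-in for the per-process random guard (assumption: a real SSP
 * runtime draws this from a random source at process start). */
static const uint32_t stack_guard = 0xCAFEBABEu;

/* Stand-in for the stack-smashing handler: a real SSP build logs the
 * event and aborts the process here instead of returning. */
static int stack_smash_handler(const char *fn)
{
    fprintf(stderr, "*** stack smashing detected in %s: aborting ***\n", fn);
    return 0;
}

/*
 * Models an instrumented function: plant the canary on entry, do the
 * unchecked copy (the bug), verify the canary before "returning".
 * Returns 1 if the canary survived, 0 if it was clobbered. The copy is
 * clamped to the frame size only so the model itself stays in bounds.
 */
int vulnerable_copy(const unsigned char *input, size_t len)
{
    ssp_frame_t frame;
    unsigned char *base = (unsigned char *)&frame;

    frame.canary    = stack_guard;   /* prologue: plant canary */
    frame.saved_ret = 0x400a0cu;     /* placeholder "return address" */

    if (len > sizeof frame)
        len = sizeof frame;
    memcpy(base, input, len);        /* the overflow: no bounds check on buf */

    if (frame.canary != stack_guard) /* epilogue: verify canary */
        return stack_smash_handler("vulnerable_copy");
    return 1;
}

/* Frame offsets: the canary sits between buf and the return address,
 * so any overflow that reaches saved_ret has already changed canary. */
size_t canary_offset(void)    { return offsetof(ssp_frame_t, canary); }
size_t saved_ret_offset(void) { return offsetof(ssp_frame_t, saved_ret); }

int main(void)
{
    unsigned char benign[8];
    unsigned char evil[40];
    memset(benign, 'A', sizeof benign); /* constructed: fits inside buf */
    memset(evil, 'A', sizeof evil);     /* constructed: classic 'AAAA...' overflow */

    printf("benign input:   canary %s\n",
           vulnerable_copy(benign, sizeof benign) ? "intact" : "smashed");
    printf("overflow input: canary %s\n",
           vulnerable_copy(evil, sizeof evil) ? "intact" : "smashed");
    return 0;
}
```

With a real compiler the same prologue and epilogue are emitted for you: build the vulnerable program with `gcc -fstack-protector-all` and the overflow ends in the "stack smashing detected" abort rather than a hijacked return, which is the crash-and-log outcome the post describes.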