Debian (stable) is a well-respected server Linux distro. I was surprised to see that in their hardening walkthrough (https://wiki.debian.org/HardeningWalkthrough) they do not support position independent executables (and ASLR and a few other useful security flags) in the latest stable build (Wheezy), while most other distros do support these things.

Since Debian stable has stood the test of time, I am thinking I must have assumed these security features are a lot more important than they actually are in practice.

Can someone explain why Debian is able to get away without having these security features and yet not be hacked to the stone age every day?

Anthony Kraft
  • https://wiki.debian.org/Hardening#Address_Space_Layout_Randomization – Lucas Kauffman Mar 04 '14 at 08:49
  • @LucasKauffman There is no information about whether ASLR is used by Debian, or why it isn't used, or if there are plans to use it in the near future. Not really helpful. – scai Mar 04 '14 at 14:00
  • How can you be so sure that Debian is not hacked? Most infected servers are used silently to send DDoS attacks and spam, and serve as proxy servers, without anybody noticing. – Kiwy Mar 05 '14 at 08:25

2 Answers


I'd say Debian gets away with it for several reasons.

  • People don't know these security features exist and therefore don't demand them.
  • People expect Debian to be secure and don't check if it really is.
  • If your packages are up-to-date and patched for vulnerabilities, PIE and ASLR help very little, except against 0-day exploits.
  • Most people don't care about high security.

I've been using Debian on my servers for more than 10 years now and because of this lack of security on their part (among other reasons) I'm migrating to CentOS 7 when it's released in a few months.

Matrix

There's some interesting commentary on implementation of mitigations against attacks using such things as ASLR across operating systems from Windows, OSX, GNU/Linux, and the BSDs from Theo De Raadt of the OpenBSD project, which you can find here:

http://tech.yandex.ru/events/yagosti/ruBSD/talks/1487/

To answer why Debian hasn't implemented them yet, though: it's challenging to drop these kinds of things into systems which haven't been built for the mitigations in the first place, and not have things break all over the place without some serious work put into code fixes across the board, from what I gather. My only guess is that the Debian team has their priorities scattered elsewhere. There are a few more details in the talk/slides; I might take the time to edit them in later if I remember to when I'm not supposed to be off the computer and on my way to work.

Dmitri DB
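As an added example tied to the hardening flags the question asks about (this is not code from the question, the answers, or Debian): a Python check that reads an ELF64 image and reports whether it was linked as PIE, with a non-executable stack (NX) and RELRO, plus a helper that interprets the kernel's randomize_va_space sysctl. The `build_elf` helper constructs minimal ELF images so the check runs offline; all function names are my own.

```python
import struct

ET_DYN = 3                           # PIE executables (and shared objects) are ET_DYN
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 1


def elf_hardening(data: bytes) -> dict:
    """Report PIE / NX / RELRO for a 64-bit little-endian ELF image (bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp = nx = relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True              # dynamically linked executable, not a .so
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)      # linker marked the stack non-executable
        elif p_type == PT_GNU_RELRO:
            relro = True                   # relocation data made read-only after load
    # A missing PT_GNU_STACK leaves nx False: the kernel then allows an executable stack.
    return {"pie": e_type == ET_DYN and has_interp, "nx": nx, "relro": relro}


def aslr_level(sysctl_text: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    return {"0": "off", "1": "stack/mmap/vdso randomized",
            "2": "full (also brk/heap)"}[sysctl_text.strip()]


def build_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal ELF64 image for offline testing (not a runnable binary)."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)                     # class 64, LE, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(phdrs), 64, 0, 0)        # phdrs follow header
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 1) for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:        # e.g. any ELF64 executable on the host
        print(elf_hardening(fh.read()))
    with open("/proc/sys/kernel/randomize_va_space") as fh:
        print("ASLR:", aslr_level(fh.read()))
```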