From owner-freebsd-security@FreeBSD.ORG Sat Jun 7 17:59:32 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C8C937B401 for ; Sat, 7 Jun 2003 17:59:32 -0700 (PDT) Received: from HAL9000.homeunix.com (ip114.bella-vista.sfo.interquest.net [66.199.86.114]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B70A43FA3 for ; Sat, 7 Jun 2003 17:59:31 -0700 (PDT) (envelope-from das@FreeBSD.ORG) Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.9/8.12.9) with ESMTP id h580xS8W039362; Sat, 7 Jun 2003 17:59:28 -0700 (PDT) (envelope-from das@FreeBSD.ORG) Received: (from das@localhost) by HAL9000.homeunix.com (8.12.9/8.12.9/Submit) id h580xSDE039361; Sat, 7 Jun 2003 17:59:28 -0700 (PDT) (envelope-from das@FreeBSD.ORG) Date: Sat, 7 Jun 2003 17:59:27 -0700 From: David Schultz To: Erik Paulsen Skaalerud Message-ID: <20030608005927.GA39301@HAL9000.homeunix.com> Mail-Followup-To: Erik Paulsen Skaalerud , 'Tim Baur' , freebsd-security@freebsd.org References: <0306042122420.58298@neobe.cnanfb.pbz> <003601c32b48$106ec380$0a00000a@eps> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <003601c32b48$106ec380$0a00000a@eps> cc: freebsd-security@FreeBSD.ORG Subject: Re: Non-Executable Stack Patch X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Jun 2003 00:59:32 -0000 On Thu, Jun 05, 2003, Erik Paulsen Skaalerud wrote: > > From: owner-freebsd-security@freebsd.org > > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tim Baur > > Sent: Thursday, June 05, 2003 6:24 AM > > To: freebsd-security@freebsd.org > > On Wed, 4 Jun 2003, Tony Meman wrote: > > > I was wondering if there's any non-executable stack patch for > > > FreeBSD's kernel. > >http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html > > > >-tbaur > > Can anyone here share their experiences with this patch? I've heard very > little talk about it really, I'm looking for others oppinions before I try > to patch gcc with this. Any major slowdowns on the userland? And if its > major, how much? The original StackGuard implementation had massive overhead: several orders of magnitude for common programs. It looks like the fellows at IBM have managed to do significantly better: http://www.trl.ibm.com/projects/security/ssp/node5.html I personally am not particularly interested in a fix that makes buffer overflows harder to exploit, given that buffer overflows constitute a problem that can be completely solved without the same performance loss by switching to a safer language. Nevertheless, there's enough useful C code out there that this could be useful. It would be cool to have as an optional part of FreeBSD, assuming we wouldn't have to maintain massive diffs against gcc or something. (gcc uses this by default now, right?)