Date: Fri, 26 May 2006 15:45:15 -0400 (EDT)
From: Daniel Eischen
To: Kris Kennaway
Cc: Jeremie Le Hen, freebsd-security@freebsd.org, freebsd-current@freebsd.org, Robert Watson
Subject: Re: Integrating ProPolice/SSP into FreeBSD

On Fri, 26 May 2006, Kris Kennaway wrote:

> On Fri, May 26, 2006 at 07:41:31PM +0100, Robert Watson wrote:
>>
>> On Fri, 26 May 2006, Jeremie Le Hen wrote:
>>
>>> first sorry for cross-posting but I thought this patch might interest
>>> -CURRENT users as well as people concerned by security.
>>>
>>> I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
>>> further than it has been realized so far.
>>
>> This looks very neat.
>>
>> Could you remind me what, if any, ABI issues might exist?  I'm familiar
>> with the ideas behind ProPolice, but not the implementation.  Can I use
>> SSP-compiled libraries with pre-SSP applications?  Can I use post-SSP
>> applications with pre-SSP binaries?
>
> Last time I tried it (several years ago, when I maintained my own
> local patch for world integration), backwards binary compatibility was
> an issue, i.e. it was possible to hose your system when trying to
> revert the changes (since all rebuilt binaries all depend on symbols
> no longer provided in libc).

As I understand it, the symbols would be added to libc (and stay
there).  And with symbol versioning, they would always have to
stay there regardless of whether you build your binaries with
or without SSP.

A comment to the patch itself...  You need to put the added
symbol(s) in one of libc's Symbol.map files or else they won't
be visible when symbol versioning is enabled.

-- 
DE
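
A small check for the Symbol.map point above, as an added example that is not part of the original message or of the patch under discussion: it parses Symbol.map-style version nodes and reports which required symbols no node lists. The symbol names (GCC's `__stack_chk_guard` and `__stack_chk_fail`), the sample map contents and the function names are assumptions; the message does not name the symbols the patch adds.

```python
import re

# Constructed sample in the style of a libc Symbol.map. The node names follow
# FreeBSD's convention; the contents are made up for this example.
SAMPLE_MAP = """
/*
 * Constructed example, not a real FreeBSD file.
 */
FBSD_1.0 {
	strlen;
	__stack_chk_fail;	/* assumed SSP failure handler */
};

FBSDprivate_1.0 {
	_internal_helper;
};
"""

# Assumption: the symbols SSP-built objects reference (GCC's names).
SSP_SYMBOLS = ("__stack_chk_guard", "__stack_chk_fail")

# A version node looks like:  NAME { sym; sym; };
NODE_RE = re.compile(r"(\w[\w.]*)\s*\{([^}]*)\}\s*;")

def parse_symbol_map(text):
    """Return {version_node: set(symbols)} for a Symbol.map-style file."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop C comments
    text = re.sub(r"#.*", "", text)                     # drop '#' lines
    nodes = {}
    for name, body in NODE_RE.findall(text):
        syms = {s.strip() for s in body.split(";") if s.strip()}
        nodes.setdefault(name, set()).update(syms)
    return nodes

def missing_exports(map_texts, required=SSP_SYMBOLS):
    """Symbols from `required` that no version node in any map lists."""
    listed = set()
    for text in map_texts:
        for syms in parse_symbol_map(text).values():
            listed |= syms
    return sorted(set(required) - listed)

if __name__ == "__main__":
    for sym in missing_exports([SAMPLE_MAP]):
        print(f"{sym}: not in any Symbol.map, hidden under symbol versioning")
```
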