From: "Antoine Brodin"
Date: Fri, 18 Apr 2008 16:37:06 +0200
To: "Jeremie Le Hen"
Cc: freebsd-arch@freebsd.org
Subject: Re: Integration of ProPolice in FreeBSD
In-Reply-To: <20080418132749.GB4840@obiwan.tataz.chchile.org>

On Fri, Apr 18, 2008 at 3:27 PM, Jeremie Le Hen wrote:
> Hi,
>
> As you may already know I've integrated GCC's ProPolice into FreeBSD.
> The build infrastructure overlord, namely ru@, (I'm quoting kan@) has
> reviewed the patch and technically it is ready to hit the CVS tree.
>
> A few things should be discussed beforehand though.
>
> First, should we build world and/or kernel with SSP by default? I've
> scamped a trivial benchmark back in 2006: timing buildworld with and
> without SSP. You can find the result on my webpage:
> http://tataz.chchile.org/~tataz/FreeSBD/SSP/#section1
> Also, the original ProPolice author achieved a thorough performance
> comparison with and without SSP, and the overhead is really small:
> http://www.trl.ibm.com/projects/security/ssp/node5.html
> I would like to reach a consensus on whether SSP should be opt-in or
> opt-out on FreeBSD.
>
>
> Another concern that Robert Watson showed back in 2006 [1] when I brought
> forward my patch was the compatibility between pre-SSP and post-SSP
> binaries/libraries.
>
> I'll try to make it simple and short. SSP requires two additional
> symbols that are kindly provided by libc. Any binary or library
> compiled with SSP will require them. As long as your libc contains the
> symbols, you can smoothly run pre-SSP applications with post-SSP libs as
> well as the other way around.
>
> Also Kris explained [2] that once applied, it is painful to try to
> revert the change (removing SSP symbols from libc). This is true but
> once the patch gets committed, it should hopefully never happen.
>
> [1] http://lists.freebsd.org/pipermail/freebsd-security/2006-May/003751.html
> [2] http://lists.freebsd.org/pipermail/freebsd-security/2006-May/003752.html

Last time I looked at your patch, there was a problem when using
-fstack-protector-all instead of -fstack-protector: when you compile
lib/csu/*, gnu/lib/csu/*, or src/lib/libc/sys/stack_protector.c with
this flag, there is a kind of chicken/egg problem and you end up with
an unusable world.

That said, it would be great to be able to compile world with SSP when
an option is set in src.conf.

Cheers,

Antoine
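
The chicken/egg failure mentioned in the reply can be modelled in plain C. The block below is an added example, not code from the message, the ProPolice patch or FreeBSD. It assumes the failure arises when the routine that initialises the guard is itself compiled with a canary check, and `model_guard`, `model_fails`, `guard_setup`, `copy_input` and `boot` are hypothetical names.

```c
/* Model of the SSP canary protocol. Added illustration, not GCC or FreeBSD code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uintptr_t model_guard; /* stands in for libc's __stack_chk_guard */
static int model_fails;       /* checks that would end in __stack_chk_fail */

/* Modelled frame: the local buffer sits directly below the canary. */
struct frame { char buf[8]; uintptr_t canary; };
static void prologue(struct frame *f) { f->canary = model_guard; }
static void epilogue(const struct frame *f) {
    if (f->canary != model_guard)
        model_fails++; /* the real handler aborts the process here */
}

/* Guard initialisation, optionally instrumented like any other function. */
static void guard_setup(int instrumented) {
    struct frame f = { {0}, 0 };
    if (instrumented) prologue(&f);      /* saves the still-zero guard */
    model_guard = (uintptr_t)0x00c0ffee; /* constructed; real setup uses random bytes */
    if (instrumented) epilogue(&f);      /* saved 0 != new guard: spurious failure */
}

/* An ordinary protected function copying n bytes into its 8-byte buffer. */
static void copy_input(const char *src, size_t n) {
    struct frame f;
    prologue(&f);
    if (n > sizeof f) n = sizeof f; /* keep the model itself in bounds */
    memcpy(&f, src, n);             /* n > 8 spills into the canary */
    epilogue(&f);
}

/* Simulate process start plus one call; returns how many checks fired. */
int boot(int instrument_setup, size_t input_len) {
    static const char input[16] = "AAAAAAAAAAAAAAA"; /* constructed input */
    model_guard = 0;
    model_fails = 0;
    guard_setup(instrument_setup);
    copy_input(input, input_len);
    return model_fails;
}

int main(void) {
    printf("plain setup, in-bounds copy: %d\n", boot(0, 4));
    printf("plain setup, overflow:       %d\n", boot(0, 16));
    printf("instrumented setup:          %d\n", boot(1, 4));
    return 0;
}
```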