From owner-freebsd-security Thu Nov 16 18:00:02 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 80A6837B479 for ; Thu, 16 Nov 2000 17:59:57 -0800 (PST)
Received: (qmail 63373 invoked by uid 1000); 17 Nov 2000 01:59:56 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Nov 2000 01:59:56 -0000
Date: Thu, 16 Nov 2000 19:59:56 -0600 (CST)
From: Mike Silbersack
To: Warner Losh
Cc: Kris Kennaway, KOJIMA Hajime, security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
In-Reply-To: <200011170108.SAA70664@harmony.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 16 Nov 2000, Warner Losh wrote:

> In message <20001116170042.A58481@citusc17.usc.edu> Kris Kennaway writes:
> : > I'd worry about putting this into the base system. First, I'd worry
> : > about the performance impact of all this extra code in the base
> : > system. Second, I'd worry about bitrot when we move to new versions
> : > of the source.
> :
> : Performance shouldn't be an issue unless you enable the extra bounds
> : checking at compile time.
>
> Right. I guess I'd worry about this being enabled by default as a way
> of "solving" all stack smashing problems. If it is just a knob to
> enable for those that want to enable it, I'd be cool with that.

On the contrary, if the support is imported, it should be enabled by default. The simple fact is that those most likely to install badly written software are also probably unaware of how to change the options and rebuild world / ports. Additionally, a default-on configuration would allow the distinction of being able to say that FreeBSD is not vulnerable when a certain normally vulnerable port is installed, where other OSes are vulnerable.

Of course, that's assuming two things:

1. Propolice actually stops some attacks. While it looks great in theory, it doesn't sound like any commonly exploited apps have been tested for resilience with propolice compilation.

2. Propolice doesn't break anything. With the number of ports, this sounds like it could be extremely hard to figure out. However, if they've successfully recompiled redhat with it, it can't break that many programs.

Obviously the kernel wouldn't be compiled with Propolice ever. A compilation of world with it would be nice in theory, but would certainly raise claims of slowdown. Perhaps apps could be selectively added or removed from the list of protected apps in the base system based on their suid status and auditness?

Ports are really where the security's going to be an issue, as will the speed... I'd think propolice should be on there by default. Experienced users concerned with apache running as fast as possible can use flags to cause its protections not to be used when compiling. I guess the argument is analogous to disabling telnet by default.

(Note that after saying that, I haven't tried the patches whatsoever, I don't want to break gcc. Could some compiler expert tell us if it works cleanly on FreeBSD?)

Mike "Silby" Silbersack
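As an added illustration of what "stopping a stack smash" means in point 1 of the message above (constructed example; not code from the thread or from ProPolice itself): a C model of the guard word ProPolice places between a local array and the saved return address and checks in the function epilogue. The struct layout, the CANARY_VALUE constant, the SAMPLE_INPUT bytes and the copy_with_guard name are assumptions of this model; the real protector uses a random per-process guard and aborts on mismatch instead of returning a code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guard value; the real protector picks a random word per process
 * so an overflowing write cannot simply restore the expected value. */
#define CANARY_VALUE 0xA5C3F00D5EEDBEEFULL

/* Model of a protected frame. ProPolice moves local arrays next to the guard,
 * so an overrun from buf reaches the canary before it reaches control data. */
struct guarded_frame {
    char buf[16];        /* local buffer an unchecked copy can overrun */
    uint64_t canary;     /* guard word sitting directly above the array */
    uint64_t saved_ret;  /* stands in for the saved return address */
};

/* Constructed input: 40 'A' bytes, longer than the whole modelled frame. */
static const char SAMPLE_INPUT[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Copy len bytes into the frame the way an unchecked strcpy/memcpy would, then
 * run the epilogue check ProPolice inserts. Returns 0 if the frame is intact,
 * 1 if the guard caught a smash (the real protector aborts here), and -1 if
 * len exceeds the frame, which the model refuses because the copy would no
 * longer be well-defined C. */
int copy_with_guard(const char *input, size_t len)
{
    struct guarded_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.canary = CANARY_VALUE;
    frame.saved_ret = 0x400123;  /* constructed placeholder address */

    if (len > sizeof frame)
        return -1;
    /* Writing into the struct as one object keeps the overrun from buf into
     * canary and saved_ret well defined for this demonstration. */
    memcpy(&frame, input, len);

    return frame.canary == CANARY_VALUE ? 0 : 1;
}

int main(void)
{
    size_t lens[] = { 5, 16, 17, 32 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("copy of %2zu bytes -> %d\n", lens[i],
               copy_with_guard(SAMPLE_INPUT, lens[i]));
    return 0;
}
```

A copy of exactly 16 bytes passes the check, which is why the guard is a last line of defence against overruns and not a substitute for bounds checking.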