From owner-freebsd-security@freebsd.org Fri Sep 25 14:49:54 2015
Subject: Re: RFC Stack protector strong
From: Pedro Giffuni <pfg@FreeBSD.org>
To: "Chad J. Milios"
Cc: freeBSD-security@FreeBSD.org
Date: Fri, 25 Sep 2015 09:47:34 -0500
Message-ID: <56055E86.3090505@FreeBSD.org>
In-Reply-To: <89B05640-7733-4FAA-8E2C-3209EC546837@ccsys.com>
References: <56043FEF.7040307@FreeBSD.org> <89B05640-7733-4FAA-8E2C-3209EC546837@ccsys.com>
List-Id: "Security issues [members-only posting]"

On 09/25/15 04:21, Chad J. Milios wrote:
>> On Sep 24, 2015, at 2:24 PM, Pedro Giffuni wrote:
>>
>> (excuse me if you get this message repeated .. I hit the wrong list previously)
>>
>> Hello;
>>
>> Our current stack protection is very weak (about 1-2 % coverage).
>> Google engineers have developed a new level of protection
>> (about 20% coverage) that according to Google and Redhat has
>> a negligible impact on performance.
>>
>> I have opened a code review with a simple update to the default
>> setting for our stack protector:
>>
>> https://reviews.freebsd.org/D3463/
>>
>> Sadly I haven't received much feedback.
>>
>> I have no hurry to commit this but as stated in the review I think it
>> is worthwhile. I don't expect any issue, but it would be better to apply
>> this change soonish rather than later so any collateral issues are
>> detected and worked out with ample time before 11-Release.
>>
>> Any objection? If there is no feedback I will just play with other
>> things.
>>
>> Pedro.
>
> That URL did not work for me (404). I found what you are directing us toward instead at https://reviews.freebsd.org/D3463
>
> I like what I'm reading so far, alas I am a nobody.
>

Well, I am a mechanical engineer; I am not supposed to know about these things either ;).

> Could you clarify/elaborate what is meant when you say "coverage" and using these approximate percentages as a metric? Compare and contrast the safestack approach for us, if you would, as well. Please bear with me, I am a C novice and what I know about the magic of compilers could fit on a Post-it Note, the really small kind. While I acknowledge I have no place in this conversation, I think it would draw more people into the discussion if you'd be willing to educate us laypeople a little, as attempting to teach often exposes the overlooked gaps in one's own knowledge.
>

Well, adding the so-called canaries within the executables is something that involves performance issues. Both GCC and clang implement stack-protector-all but nobody uses it except for very special cases (sshd, perhaps). The default is to only use canaries in a restricted set of functions that are likely to be more vulnerable.

A Redhat developer made a nice summary of this and other security measures here:

https://youtu.be/T4NadnbfYjY

He also includes the metrics for the stack protection.

> I understand the difference between a heap and a stack, the process model, the idea of a virtualized memory address space, kernel and user modes of execution, and that is about where my expertise ends. I have a vague understanding of how function calls happen, what a system call interface is, an ABI, an ISA, buffer overflows and such as concepts, but little experience with the mechanics of any of the aforementioned. I know that things like W^X and MMUs and some mythical "rings" exist to make our lives safer and more productive, but as for how they work or if we can trust them, I generally must defer to greater minds whom I then judge by superficial traits such as the size and messiness of their beards and the variety and age of their shirts, both t- and Hawaiian.
>
> Without simply referring me to a full bookshelf of thousand-page books, is there a way people such as myself could become more helpful at assessing such a change? If I enable this on a couple of systems what sorts of breakage or impact should I be looking for?
>

I wouldn't expect any breakage: the stack protector attempts to prevent buffer overflows from happening. Buffer overflows are errors: nothing good comes from them. I won't make any hard claims, but it should be the case that FreeBSD has no buffer overflows and the stack protector will never kick in (famous last words ;)).

We haven't ever, and likely will never ever, enable stack-protector-all due to performance issues, and if the stronger protector had a serious performance impact it would be disabled.

I won't really talk about safestack; I understand it is meant to be much better, but I am unaware of how complete it is or of the support status on stock FreeBSD.

> This is an invitation for anyone to enlighten me, not only the original poster. I'm sure there are a hundred more lurkers afraid to ask.
>
> Thank you for contributing.
>

Welcome,

Pedro.
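As an added example, not part of the thread above and not FreeBSD's or any compiler's code, the following C model shows what `-fstack-protector` actually inserts into an instrumented function: a guard word (the "canary") placed between the local buffer and the saved return address, checked just before the function returns. The struct layout, the fixed guard value and the function names are assumptions made for illustration; in a real build the guard is a per-process random value (`__stack_chk_guard`), the check lives in the compiler-generated epilogue, and a mismatch calls `__stack_chk_fail()` and aborts instead of returning a status. The third case shows the mechanism's limit: an attacker who has already learned the guard value can write it back and the check passes.

```c
/* Added example: a hand-rolled model of the stack-protector canary.
 * Layout, guard value and names are assumptions for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame, lowest address first: the local buffer, then the
 * guard word the compiler inserts, then the saved return address. Any linear
 * overflow of buf that reaches saved_ret must first pass through canary. */
struct frame {
    char     buf[8];      /* local char array (>= 8 bytes: covered even by the default protector) */
    uint64_t canary;      /* guard word inserted by the compiler */
    uint64_t saved_ret;   /* what an attacker wants to overwrite */
};

/* Stand-in for the per-process random guard. Fixed here so the example is
 * deterministic; the lowest byte in memory is zero, as is common, so that
 * string functions stop before copying past the guard. */
static const uint64_t GUARD = 0x1122334455667700ULL;
static const uint64_t LEGIT_RET = 0x4000ULL;   /* arbitrary "real" return address */

/* Sanity check of the modelled layout (8-byte buffer, then guard, then return address). */
int layout_ok(void)
{
    return offsetof(struct frame, canary) == 8 &&
           offsetof(struct frame, saved_ret) == 16 &&
           sizeof(struct frame) == 24;
}

/* Simulated vulnerable function: copies len bytes into the frame starting
 * at buf with no bounds check, as an unchecked memcpy/strcpy into a stack
 * buffer would. The copy is clamped to the frame size only to keep this
 * model well-defined. Returns 0 on a clean epilogue, 1 when the canary
 * check fails (the real protector aborts here), and 2 when the return
 * address changed but the canary still matched. */
int call_with_input(const unsigned char *in, size_t len)
{
    struct frame f;
    f.canary = GUARD;          /* prologue: store the guard */
    f.saved_ret = LEGIT_RET;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, in, len);       /* the unchecked copy into the local buffer */
    if (f.canary != GUARD)     /* epilogue: compare the guard before returning */
        return 1;
    if (f.saved_ret != LEGIT_RET)
        return 2;
    return 0;
}

/* Case 1: input that fits the buffer. Canary and return address untouched. */
int demo_clean(void)
{
    unsigned char in[8] = { 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };   /* constructed input */
    return call_with_input(in, sizeof in);
}

/* Case 2: classic overrun. 24 bytes of 'A' smash the canary on the way to
 * the return address, so the epilogue check catches it. */
int demo_overflow(void)
{
    unsigned char in[24];                                          /* constructed input */
    memset(in, 'A', sizeof in);
    return call_with_input(in, sizeof in);
}

/* Case 3: the canary's limit. If the guard value has leaked, the attacker
 * rewrites it in place and only the return address differs; the check passes. */
int demo_forged_canary(void)
{
    unsigned char in[24];                                          /* constructed input */
    uint64_t fake_ret = 0xdeadbeefULL;
    memset(in, 'A', 8);                       /* fill the buffer */
    memcpy(in + 8, &GUARD, sizeof GUARD);     /* write the known guard back */
    memcpy(in + 16, &fake_ret, sizeof fake_ret);
    return call_with_input(in, sizeof in);
}

int main(void)
{
    printf("layout ok: %d\n", layout_ok());
    printf("clean input      -> %d (expect 0)\n", demo_clean());
    printf("overflow         -> %d (expect 1, canary clobbered)\n", demo_overflow());
    printf("forged canary    -> %d (expect 2, check bypassed)\n", demo_forged_canary());
    return 0;
}
```

The "coverage" percentages in the thread are about which functions receive this prologue/epilogue pair at all. With plain `-fstack-protector` the compiler instruments only functions with a local char array of at least `--param ssp-buffer-size` bytes (8 by default) or an `alloca` call; `-fstack-protector-strong` extends that to any function with a local array of any type or size, or a local whose address is taken, which is why it covers many more functions while still skipping the leaf functions that `-fstack-protector-all` would instrument. To see the difference on real code, compile a file with `-S` under each flag and count the references to `__stack_chk_fail` in the resulting assembly.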