Date: Fri, 18 Apr 2008 20:22:13 -0400
From: Garance A Drosehn <gad@FreeBSD.org>
To: Marcel Moolenaar <xcllnt@mac.com>, Jeremie Le Hen <jeremie@le-hen.org>
Cc: freebsd-arch@FreeBSD.org
Subject: Re: Integration of ProPolice in FreeBSD
Message-ID: <p0624080ac42ee847bf3b@[128.113.24.47]>
In-Reply-To: <EF8CB674-A3AF-4B76-9DB0-366D3A9ED274@mac.com>
References: <20080418132749.GB4840@obiwan.tataz.chchile.org> <A9207463-477A-458C-A706-A55AA90DEE7A@mac.com> <20080418165859.GD4840@obiwan.tataz.chchile.org> <EF8CB674-A3AF-4B76-9DB0-366D3A9ED274@mac.com>
At 11:46 AM -0700 4/18/08, Marcel Moolenaar wrote:
>On Apr 18, 2008, at 9:58 AM, Jeremie Le Hen wrote:
>>This should theoretically work for all arch as, from what I've read,
>>ProPolice takes place at the intermediate representation level of the
>>compiler. This should therefore be architecture agnostic.
>
>The question is whether it will actually make a difference on ia64?
>
>The stack does not contain any of the "objects" that ProPolice
>tries to protect from "stack-smashing" attacks, so what good is the
>added overhead?

On ia64 we have a large set of userland programs running C code. We run the same C code there which we run on all other architectures. ProPolice will take a certain class of *actual* bugs in that C code, and turn those into fatal bugs on the platforms where ProPolice does work. By making those bugs much more visible on our high-volume platforms, it will also greatly increase the chance that someone will take the time to find and fix the *actual* bug. The bug in C. The bug in C code which we are running on ia64.

Even if Propolice could never be made to work on ia64, the presence of it on other hardware platforms will benefit users on ia64.

>>Basically, a "canary" is randomly chosen when the program starts (this
>>part lives in libc). GCC inserts code in prologue and epilogue of all
>>functions that contain a buffer of 8 or more bytes. In the prologue,
>>the canary is pushed on the stack right after the return value has been
>>pushed, and this value is then checked in function epilogue. If the
>>value in the stack has changed, there has been a buffer overflow
>
>The ia64 architecture has been designed to eliminate use of the
>stack as much as possible for performance reasons. ProPolice does
>add significant overhead for no good reason AFAICT.

We can certainly have a different default for propolice/SSD support on FreeBSD/ia64 than we default to for other architectures. That is a very reasonable idea.
I, for one, am very interested in Propolice support in FreeBSD, at least as an easy-to-set option. By that I mean: I don't mind what the default is, just as long as there is an easy and safe way to specify that you want propolice support at buildworld time. Right now we're in a situation where someone can specify it by making a few updates, but then that person is *really* screwed if they lose the updates by mistake.

-- 
Garance Alistair Drosehn            =   drosehn@rpi.edu
Senior Systems Programmer           or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
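To make the prologue/epilogue mechanism Jeremie describes concrete, here is an added C demo (not code from this thread, FreeBSD, or GCC): the frame layout is an explicit struct so the overflow stays inside one object, the canary value and saved return address are constructed constants, and the epilogue check returns a flag where real ProPolice would abort.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { BUF_LEN = 16 };

/* Simulated stack frame in the order the thread describes: local buffer,
 * then the canary, then the saved return address. A compiler lays this out
 * in the prologue; here it is a struct so the demo has no undefined behaviour. */
struct frame {
    uint8_t  buf[BUF_LEN];
    uint64_t canary;
    uint64_t saved_ret;
};

/* "Prologue": record the per-process canary next to the return address.
 * libc picks a random canary at program start; this one is a constructed constant. */
static void prologue(struct frame *f, uint64_t canary, uint64_t ret) {
    f->canary = canary;
    f->saved_ret = ret;
}

/* The buggy function body: copies n bytes into buf with no bound against
 * BUF_LEN. Writing through the struct's raw bytes keeps the copy inside the
 * object, so the overflow is modelled, not actually triggered. */
static void body_copy(struct frame *f, const uint8_t *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((uint8_t *)f, src, n);   /* buf is at offset 0 */
}

/* Returns 1 if the epilogue check would fire (canary changed), else 0.
 * *ret_clobbered reports whether the saved return address was also hit. */
int simulate_call(size_t n, int *ret_clobbered) {
    const uint64_t canary = 0x5a4b3c2d1e0f9a8bULL;  /* constructed */
    const uint64_t ret = 0x400123;                   /* constructed */
    uint8_t input[64];
    struct frame f;
    memset(input, 'A', sizeof input);               /* constructed input */
    prologue(&f, canary, ret);
    body_copy(&f, input, n);
    *ret_clobbered = (f.saved_ret != ret);
    return f.canary != canary;                       /* "epilogue" check */
}

int main(void) {
    size_t sizes[] = {8, 16, 17, 32};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int clob, trip = simulate_call(sizes[i], &clob);
        printf("%2zu bytes: canary %s, saved return %s\n", sizes[i],
               trip ? "TRIPPED" : "intact", clob ? "overwritten" : "intact");
    }
    return 0;
}
```

Note that with 32 bytes the return address is corrupted as well, but the canary check fires first, which is the whole point of the scheme.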
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?p0624080ac42ee847bf3b>