Date: 07 Jan 2002 16:13:03 +0000
From: "David S. Geirsson" <andmann@andmann.eu.org>
To: Jeff Palmer <scorpio@drkshdw.org>
Cc: hawkeyd@visi.com, security@freebsd.org
Subject: Re: GCC stack-smashing extension
Message-ID: <1010419984.3304.12.camel@shinji>
In-Reply-To: <001401c19795$535dc4e0$0286a8c0@jeff>
References: <20020107091948.A4096@sheol.localdomain> <001401c19795$535dc4e0$0286a8c0@jeff>
While that applies to code you make yourself, what happens if you compile a daemon that is vulnerable to a buffer overflow attack? I mean, I know I don't have time to proof-read every line of code in every daemon I run. ;)

Of course you can't let a compiler drop you off-guard. SSP is not a "magic bullet", it's just an added layer of security.

I haven't tried it, but I've heard good things, and I'm going to try it as soon as I fix these buildworld issues I've been having. ;)

On Mon, 2002-01-07 at 16:06, Jeff Palmer wrote:
> While I have never personally used this patch, my advice would be:
>
> Don't depend on a compiler-based security implementation in your code.
> Code with security in mind from the ground up.
>
> What happens if you get used to your compiler adding in all the checks and
> balances, and then for some reason you are forced to use a standard
> compiler for something?
>
> Don't let a compiler allow you to lower your standards. Don't let it make
> you lazy. And most of all, don't let it teach you bad habits (Microsoft's
> MFC for vc++ comes to mind here on the bad habits example)
>
> Just my two cents.. I'd rather stick with a default GCC,
> and use better/smarter coding practices on my machines :-)
>
>
> ----- Original Message -----
> From: "D J Hawkey Jr" <hawkeyd@visi.com>
> To: "security at FreeBSD" <freebsd-security@freebsd.org>
> Sent: Monday, January 07, 2002 10:19 AM
> Subject: GCC stack-smashing extension
>
>
> > Hey, all,
> >
> > I recently stumbled across the web page for the GCC stack-smashing
> > extension (http://www.trl.ibm.com/projects/security/ssp/):
> >
> > - Anyone have any experience with it, good, bad, or otherwise?
> > - Any reason why I wouldn't want this?
> > - Any plans to merge it into the FreeBSD-distributed GCC?
> >
> > Thanks,
> > Dave
> >
> > --
> > ______________________ ______________________
> > \__________________ \ D. J. HAWKEY JR. / __________________/
> > \________________/\ hawkeyd@visi.com /\________________/
> > http://www.visi.com/~hawkeyd/
> >

--
Davíð Steinn Geirsson
E-mail: andmann@andmann.eu.org
GSM: +354 8696608

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
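Editor's note, added to this archive page and not part of the thread or of the IBM TRL SSP project: the message above calls SSP "an added layer of security" rather than a magic bullet. The C model below shows why both halves of that are true. It hand-builds the frame layout ProPolice/SSP imposes (the character array sits directly below a guard word, and the guard sits below the saved return address), then runs two bugs through it: a linear strcpy()-style overflow, which must trample the guard and so is caught at the epilogue check, and a single out-of-bounds indexed store, which can land on the return address without touching the guard and so is not caught. The struct layout, guard value, "return address" and attacker payload are all constructed for the example; the real compiler picks a random guard at program start and aborts the process when the check fails.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of an SSP-protected frame.  Real SSP reorders locals so
 * char arrays are adjacent to the guard; pointers and scalars sit below them.
 * Here buf[] is the only local, so the layout is buf -> guard -> saved_ret.
 */
struct frame {
    unsigned char buf[16];   /* the under-sized local the bug writes into */
    uint64_t      guard;     /* the canary SSP stores in the prologue */
    uint64_t      saved_ret; /* stands in for the saved return address */
};

#define GUARD_VALUE UINT64_C(0x51e7c3a900b4d8f1) /* constructed; real SSP randomises it */
#define ORIG_RET    UINT64_C(0x0000000000401000) /* constructed "return address" */

enum result {
    RET_OK = 0,          /* guard intact and return address untouched */
    RET_SMASH_DETECTED,  /* guard changed: SSP's epilogue check fires and aborts */
    RET_SILENT_HIJACK    /* guard intact but return address changed: SSP misses it */
};

/* What the SSP prologue does: initialise the frame and store the guard. */
static void prologue(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD_VALUE;
    f->saved_ret = ORIG_RET;
}

/* What the SSP epilogue does: compare the guard before returning. */
static enum result epilogue(const struct frame *f)
{
    if (f->guard != GUARD_VALUE)
        return RET_SMASH_DETECTED;
    if (f->saved_ret != ORIG_RET)
        return RET_SILENT_HIJACK;   /* only visible in this model, never to SSP */
    return RET_OK;
}

/*
 * Case 1: strcpy()-style bug, a linear copy of `len` attacker bytes into
 * buf[16] with no bounds check.  The clamp to sizeof f is there only so the
 * model stays within defined behaviour; the bug being modelled has no clamp.
 */
static enum result linear_overflow(size_t len)
{
    unsigned char input[64];
    struct frame f;
    memset(input, 'A', sizeof input);  /* constructed attacker input */
    prologue(&f);
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);            /* past 16 bytes this runs into guard, then saved_ret */
    return epilogue(&f);
}

/*
 * Case 2: an indexed store with an unchecked index (buf[i] = v).  One byte
 * written past the guard lands on saved_ret with the guard untouched, which
 * is why a canary is a layer and not a cure: it only sees writes that sweep
 * across it.
 */
static enum result indexed_write(size_t index, unsigned char value)
{
    struct frame f;
    prologue(&f);
    if (index < sizeof f)
        ((unsigned char *)&f)[index] = value;   /* out-of-bounds store */
    return epilogue(&f);
}

int main(void)
{
    printf("16 bytes into buf[16]       -> %d (0 = ok)\n", linear_overflow(16));
    printf("40 bytes into buf[16]       -> %d (1 = smash detected)\n", linear_overflow(40));
    printf("one store into saved_ret    -> %d (2 = undetected hijack)\n",
           indexed_write(offsetof(struct frame, saved_ret) + 1, 0x41));
    return 0;
}
```

The second case is the practical caveat for anyone weighing the "layer vs. coding discipline" argument in the thread: SSP turns the most common overflow pattern into a clean abort instead of a shell, but a write that skips over the guard (an indexed store, a heap overflow, a format-string write) is outside what it checks, so the code review the other posters ask for is still needed.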
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1010419984.3304.12.camel>