From: Jeremie Le Hen
To: Gunther Mayer
Cc: freebsd-security@freebsd.org
Date: Sun, 30 Dec 2007 14:00:53 +0100
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <20071230130053.GC10467@obiwan.tataz.chchile.org>
In-Reply-To: <477115FE.2070705@gmail.com>

Hi Gunther,

On Tue, Dec 25, 2007 at 04:38:54PM +0200, Gunther Mayer wrote:
> Hi there,
>
> I'm still running 6.2 on various servers without any tweaks (GENERIC kernel,
> binary updates via freebsd-update etc.) but lots of ports (apache,
> postgresql, diablo-jdk etc.) and would like to use stack smashing protection
> in order to harden my boxes and avoid many potential exploits.
>
> I've known about ProPolice/SSP for a while now (from the Gentoo world) and
> am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le
> Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time
> after 7.0 is released I'd like to upgrade and apply SSP throughout kernel,
> userland and ports while I'm at it. However, being an unsupported patchset
> and all, I have some concerns which I'd like some feedback on well before I
> embark on this project:
>
> 1. Will FreeBSD ever support SSP natively?
> 2. How good is the kernel patch and how many people out there are
>    using it?

I can't tell myself about the quality of kernel bits, but at least I can
state that I'm sure in case of a stack-based buffer overflow, the kernel
will crash instead of being exploited.

> 3. Does using the kernel and userland patch mean that I am eternally
>    stuck to compiling from source if I want to keep SSP on all the
>    time (gone are the days of freebsd-update luxury)?
> 4. What's the story with libssp? Jeremy reckons that it's a lost
>    cause and causes more trouble than it's worth. Yet libssp seems to
>    be the only thing that actually fully integrated in 7.0

GNU libssp is provided in FreeBSD 7.0 but it is not used, because libc
already provides the required symbols (lib/libc/sys/stack_protector.c).
I think GNU libssp is useful only when compiling something without libc
support (-nodefaultlibs).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
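The mechanism behind the two points above (a smashed frame makes the kernel or process die rather than return, and the guard value plus failure handler are runtime symbols that libc's stack_protector.c or GNU libssp must supply), as an added example written for this page, not code from the thread or from FreeBSD. The names model_stack_chk_guard, model_stack_chk_fail, frame_canary_intact and probe are made up here, and the frame is a plain byte array so the check's outcome can be inspected instead of aborting the process.

```c
/* Added example, not from the original thread or from FreeBSD: a model of the
 * ProPolice/SSP canary check with the frame as an explicit byte array, so the
 * outcome can be inspected instead of the process aborting. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16
/* Runtime piece 1: the per-process guard (__stack_chk_guard, supplied by
 * FreeBSD's libc stack_protector.c or by GNU libssp). Constructed value; the
 * low byte is zero so a C-string overrun cannot copy over it unchanged. */
static const uint64_t model_stack_chk_guard = 0x7a1d3c59e6b28f00ULL;
/* Runtime piece 2: the handler the epilogue calls when the canary changed
 * (__stack_chk_fail). It never returns; the return address is now untrusted. */
static void model_stack_chk_fail(void)
{
    fputs("stack overflow detected; terminating\n", stderr);
    abort();
}
/* A function with a local buffer, an unbounded copy of untrusted input, and
 * the canary planted between buffer and saved return address. Returns 1 if
 * intact, 0 if clobbered (a real epilogue calls __stack_chk_fail), -1 if the
 * copy would run off the modelled frame entirely. */
int frame_canary_intact(const unsigned char *input, size_t len)
{
    unsigned char frame[BUF_SIZE + sizeof(uint64_t)]; /* [buffer][canary][ret...] */
    if (len > sizeof frame)
        return -1;
    memcpy(frame + BUF_SIZE, &model_stack_chk_guard, sizeof model_stack_chk_guard); /* prologue */
    memcpy(frame, input, len);        /* the bug: len not bounded by BUF_SIZE */
    return memcmp(frame + BUF_SIZE, &model_stack_chk_guard,
                  sizeof model_stack_chk_guard) == 0;  /* epilogue check */
}
/* Constructed input: len bytes of 'A' copied into the modelled frame. */
int probe(size_t len)
{
    unsigned char input[32];
    memset(input, 'A', sizeof input);
    return len > sizeof input ? -1 : frame_canary_intact(input, len);
}

int main(void)
{
    if (probe(5) != 1)            /* fits in the buffer: returns normally */
        model_stack_chk_fail();
    printf("17 bytes into a 16-byte buffer: canary %s\n", probe(17) ? "intact" : "smashed");
    return 0;
}
```

Building the same program with -nodefaultlibs is the case Jeremie describes: the compiler-emitted references to the real __stack_chk_guard and __stack_chk_fail then have to come from libssp instead of libc.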