Date: Mon, 7 Jan 2002 13:03:40 -0600 From: D J Hawkey Jr <hawkeyd@visi.com> To: Jeff Palmer <scorpio@drkshdw.org> Cc: security@freebsd.org Subject: Re: GCC stack-smashing extension Message-ID: <20020107130340.A4891@sheol.localdomain> In-Reply-To: <001401c19795$535dc4e0$0286a8c0@jeff>; from scorpio@drkshdw.org on Mon, Jan 07, 2002 at 11:06:54AM -0500 References: <20020107091948.A4096@sheol.localdomain> <001401c19795$535dc4e0$0286a8c0@jeff>
next in thread | previous in thread | raw e-mail | index | archive | help
While I agree with you 100%, I also echo the thoughts of David Geirsson. I am as careful and diligent as I know how to be with software I write, patch, or hack. However, I use a lot of OSS software, and not all of it is written by those with the experience of a Darren Reed or Matt Dillon. I'm modest enough to accept that my own code isn't always as bullet-proof as it might be, too. I figure another layer to the security onion can't hurt, and am looking for insights as to the patch's usefulness and integrity, rather than a conversation on whether it's necessary! Dave On Jan 07, at 11:06 AM, Jeff Palmer wrote: > > While I have never personally used this patch, my advice would be: > > Don't depend on a compiler based security implementation in your code. > Code with security in mind from the ground up. > > What happens if you get used to your compiler adding in all the checks and > balances, and then for some reason you are forced to use a standard > compiler for something? > > Don't let a compiler allow you to lower your standards. Don't let it make > you lazy. And most of all, don't let it teach you bad habits (Microsofts > MFC for vc++ comes to mind here on the bad habits example) > > Just my two cents.. I'd rather stick with a default GCC, > and use better/smarter coding practices on my machines :-) > > > ----- Original Message ----- > From: "D J Hawkey Jr" <hawkeyd@visi.com> > To: "security at FreeBSD" <freebsd-security@freebsd.org> > Sent: Monday, January 07, 2002 10:19 AM > Subject: GCC stack-smashing extension > > > > Hey, all, > > > > I recently stumbled across the web page for the GCC stack-smashing > > extension (http://www.trl.ibm.com/projects/security/ssp/): > > > > - Anyone have any experience with it, good, bad, or otherwise? > > - Any reason why I wouldn't want this? > > - Any plans to merge it into the FreeBSD-distributed GCC? > > > > Thanks, > > Dave > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020107130340.A4891>