From owner-freebsd-security Mon Jan 7 11: 4:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100]) by hub.freebsd.org (Postfix) with ESMTP id 79BEE37B445 for ; Mon, 7 Jan 2002 11:03:45 -0800 (PST) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by brea.mc.mpls.visi.com (Postfix) with ESMTP id 63AE62DDD4C; Mon, 7 Jan 2002 13:03:44 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id g07J3em05068; Mon, 7 Jan 2002 13:03:40 -0600 (CST) (envelope-from hawkeyd) Date: Mon, 7 Jan 2002 13:03:40 -0600 From: D J Hawkey Jr To: Jeff Palmer Cc: security@freebsd.org Subject: Re: GCC stack-smashing extension Message-ID: <20020107130340.A4891@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <20020107091948.A4096@sheol.localdomain> <001401c19795$535dc4e0$0286a8c0@jeff> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <001401c19795$535dc4e0$0286a8c0@jeff>; from scorpio@drkshdw.org on Mon, Jan 07, 2002 at 11:06:54AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org While I agree with you 100%, I also echo the thoughts of David Geirsson. I am as careful and diligent as I know how to be with software I write, patch, or hack. However, I use a lot of OSS software, and not all of it is written by those with the experience of a Darren Reed or Matt Dillon. I'm modest enough to accept that my own code isn't always as bullet-proof as it might be, too. I figure another layer to the security onion can't hurt, and am looking for insights as to the patch's usefulness and integrity, rather than a conversation on whether it's necessary! Dave On Jan 07, at 11:06 AM, Jeff Palmer wrote: > > While I have never personally used this patch, my advice would be: > > Don't depend on a compiler based security implementation in your code. > Code with security in mind from the ground up. > > What happens if you get used to your compiler adding in all the checks and > balances, and then for some reason you are forced to use a standard > compiler for something? > > Don't let a compiler allow you to lower your standards. Don't let it make > you lazy. And most of all, don't let it teach you bad habits (Microsofts > MFC for vc++ comes to mind here on the bad habits example) > > Just my two cents.. I'd rather stick with a default GCC, > and use better/smarter coding practices on my machines :-) > > > ----- Original Message ----- > From: "D J Hawkey Jr" > To: "security at FreeBSD" > Sent: Monday, January 07, 2002 10:19 AM > Subject: GCC stack-smashing extension > > > > Hey, all, > > > > I recently stumbled across the web page for the GCC stack-smashing > > extension (http://www.trl.ibm.com/projects/security/ssp/): > > > > - Anyone have any experience with it, good, bad, or otherwise? > > - Any reason why I wouldn't want this? > > - Any plans to merge it into the FreeBSD-distributed GCC? > > > > Thanks, > > Dave > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message