From owner-freebsd-security@FreeBSD.ORG Thu Jun 5 23:21:11 2003
Message-ID: <3EE032CA.1060908@geminix.org>
Date: Fri, 06 Jun 2003 08:20:58 +0200
From: Uwe Doering <gemini@geminix.org>
Organization: Private UNIX Site
To: freebsd-security@freebsd.org
In-Reply-To: <003601c32b48$106ec380$0a00000a@eps>
Subject: Re: Non-Executable Stack Patch

Hi Erik,

Erik Paulsen Skaalerud wrote:
>> From: owner-freebsd-security@freebsd.org
>> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tim Baur
>> Sent: Thursday, June 05, 2003 6:24 AM
>> To: freebsd-security@freebsd.org
>>
>> On Wed, 4 Jun 2003, Tony Meman wrote:
>>
>>> I was wondering if there's any non-executable stack patch for
>>> FreeBSD's kernel.
>>
>> http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
>>
>> -tbaur
>
> Can anyone here share their experiences with this patch?
> I've heard very little talk about it really, I'm looking for others'
> opinions before I try to patch gcc with this. Any major slowdowns on the
> userland? And if it's major, how much?

I've been using this patch for years now, privately and at work (see
signature), with no adverse effects.

There are a small number of software packages that break with the
stack-smashing protector. Mozilla is one of them, and I hear that there is
an issue with XFree86-4.x. But then, you can always disable the protector
with '-fno-stack-protector', and maybe the problem is already fixed in newer
versions of the protector patch. I haven't tried that so far.

As to its reliability, a number of OSs have adopted it already, including
OpenBSD. So IMHO it can be considered mature enough for production use. And
the potential slowdowns are negligible (<= 8%), read: unnoticeable under
real-world conditions.

The downside of this approach is of course that you have to compile
everything on your system with the patched GCC for the protection to take
effect. If you already have a considerable amount of software installed
this can be a lot of work. And you still lose the protection if you install
precompiled packages that, in the case of FreeBSD, naturally have been built
with an unmodified GCC.

However, these caveats aside, this method still gives you the best
protection available for FreeBSD today.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
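The thread discusses the IBM stack-smashing protector (ProPolice) patch for gcc without showing what the inserted protection actually does. The following is an added example, written for this page and not code from the post or from the ProPolice project: it models the frame layout the protector gives a function (character arrays moved next to a guard word that sits between the locals and the saved frame pointer/return address) and the epilogue check that compares the guard before returning. The `struct frame`, the fixed `GUARD` value and the `RET_CLEAN` marker are constructed for the illustration; the real protector picks a random guard at program start and aborts on mismatch instead of returning a status. With the patched gcc the corresponding compile-time switches are `-fstack-protector` to enable and `-fno-stack-protector` to disable, as the post mentions for the packages that break.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the frame layout the stack-smashing protector gives a protected
 * function: local character arrays are placed directly below the guard
 * word, and the guard separates them from the saved frame pointer and the
 * return address. A linear overflow of buf therefore has to overwrite guard
 * before it can reach ret_addr. This struct is a constructed illustration of
 * that layout, not the compiler's actual frame.
 */
struct frame {
    char      buf[16];   /* vulnerable local buffer */
    uintptr_t guard;     /* canary: written in the prologue, checked in the epilogue */
    uintptr_t saved_fp;  /* stands in for the saved frame pointer */
    uintptr_t ret_addr;  /* stands in for the saved return address */
};

/* Constructed guard value; the real protector draws a random one at start-up. */
#define GUARD     ((uintptr_t)0x2A6F1D93UL)
/* Marker so we can tell whether the simulated return address was touched. */
#define RET_CLEAN ((uintptr_t)0x0BADF00DUL)

enum result {
    COPY_OK = 0,             /* nothing beyond buf was written */
    RET_ADDR_CLOBBERED = 1,  /* return address overwritten and nobody noticed */
    SMASH_DETECTED = 2       /* guard changed; the protector would abort here */
};

/* Set up the frame, then copy `len` bytes of attacker data starting at buf,
   the way an unbounded strcpy() would. The copy is capped at the frame size
   only to keep the model inside its own object. */
static void overflow_into(struct frame *f, size_t len)
{
    char input[sizeof *f];           /* constructed attacker input: all 'A' */
    memset(input, 'A', sizeof input);
    if (len > sizeof *f)
        len = sizeof *f;
    f->guard    = GUARD;
    f->saved_fp = 0;
    f->ret_addr = RET_CLEAN;
    memcpy(f, input, len);           /* no bounds check: spills past buf */
}

/* Built without the protector: the function "returns" without looking at
   anything. (In a real unprotected frame the guard slot would simply be
   another local or the saved frame pointer.) */
int run_unprotected(size_t len)
{
    struct frame f;
    overflow_into(&f, len);
    return f.ret_addr == RET_CLEAN ? COPY_OK : RET_ADDR_CLOBBERED;
}

/* Built with -fstack-protector: the epilogue compares the guard first and
   refuses to return into a corrupted frame. */
int run_protected(size_t len)
{
    struct frame f;
    overflow_into(&f, len);
    if (f.guard != GUARD)
        return SMASH_DETECTED;       /* real code: log "stack smashing detected", abort() */
    return f.ret_addr == RET_CLEAN ? COPY_OK : RET_ADDR_CLOBBERED;
}

int main(void)
{
    static const char *names[] = { "ok", "ret addr clobbered", "smash detected" };
    size_t lens[] = { 8, offsetof(struct frame, guard) + 1, sizeof(struct frame) };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("copy %2zu bytes: unprotected=%-18s protected=%s\n",
               lens[i], names[run_unprotected(lens[i])],
               names[run_protected(lens[i])]);
    return 0;
}
```

The middle case is the instructive one: an overflow that stops inside the guard never reaches the return address, so the unprotected build reports nothing wrong, while the protected build still catches it. That is also why the post's caveat matters: a precompiled package built with an unmodified gcc has no guard word in its frames, and the same overflow goes undetected there.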