Date: Fri, 06 Jun 2003 08:20:58 +0200
From: Uwe Doering <gemini@geminix.org>
To: freebsd-security@freebsd.org
Subject: Re: Non-Executable Stack Patch
Message-ID: <3EE032CA.1060908@geminix.org>
In-Reply-To: <003601c32b48$106ec380$0a00000a@eps>
References: <003601c32b48$106ec380$0a00000a@eps>
Hi Erik,

Erik Paulsen Skaalerud wrote:
>>From: owner-freebsd-security@freebsd.org
>>[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tim Baur
>>Sent: Thursday, June 05, 2003 6:24 AM
>>To: freebsd-security@freebsd.org
>>
>>On Wed, 4 Jun 2003, Tony Meman wrote:
>>
>>>I was wondering if there's any non-executable stack patch for
>>>FreeBSD's kernel.
>>
>>http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
>>
>>-tbaur
>
> Can anyone here share their experiences with this patch? I've heard very
> little talk about it really, I'm looking for others' opinions before I try
> to patch gcc with this. Any major slowdowns on the userland? And if it's
> major, how much?

I've been using this patch for years now, privately and at work (see
signature), with no adverse effects. There are a small number of software
packages that break with the stack-smashing protector. Mozilla is one of
them, and I hear that there is an issue with XFree86-4.x. But then, you can
always disable the protector with '-fno-stack-protector', and maybe the
problem is already fixed in newer versions of the protector patch. Haven't
tried that so far.

As to its reliability, a number of OSs have adopted it already, including
OpenBSD. So IMHO it can be considered mature enough for production use. And
the potential slowdowns are negligible (<= 8%), read: unnoticeable under
real-world conditions.

The downside of this approach is of course that you have to compile
everything on your system with the patched GCC for the protection to take
effect. If you already have a considerable amount of software installed
this can be a lot of work. And you still lose the protection if you install
precompiled packages that, in the case of FreeBSD, naturally have been built
with an unmodified GCC.

However, these caveats aside, this method still gives you the best
protection available for FreeBSD today.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
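The mechanism the thread is discussing, as an added C model that is not code from the thread or from the ProPolice patch: a frame whose guard word sits between the local buffer and the saved return slot, with the prologue store and epilogue compare the protector inserts, next to the same routine as it would be built with '-fno-stack-protector'. The guard value, the 0xdeadbeef return-slot marker and the struct layout are assumptions made so the example runs offline; a real protector draws the guard from a random source at process start.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guard value (assumption: fixed so the run is reproducible);
 * ProPolice keeps the real one in __guard, current GCC in __stack_chk_guard. */
static const uintptr_t guard = 0x5a3c9e1fUL;

/* Model of a protected frame: the guard word sits between the local arrays
 * and the saved frame pointer/return address (ProPolice reorders locals so). */
struct frame {
    char      buf[16];     /* local buffer that may be overrun */
    uintptr_t canary;      /* copy of the guard, written in the prologue */
    uintptr_t saved_ret;   /* stands in for the saved return address */
};

/* Copy len bytes into the 16-byte local the way an unchecked function would,
 * then run the epilogue check the protector inserts. Returns 1 if the frame
 * is intact, 0 if the overrun was caught (where the protector would abort). */
int protected_copy(const char *input, size_t len)
{
    struct frame f;
    f.canary = guard;                 /* prologue: store the guard */
    f.saved_ret = 0xdeadbeefUL;       /* constructed marker value */
    if (len > sizeof f)               /* keep the model itself well-defined */
        len = sizeof f;
    memcpy(&f, input, len);           /* the unbounded copy */
    return f.canary == guard;         /* epilogue: compare the guard */
}

/* Same function as built with -fno-stack-protector: no guard is stored or
 * checked. Returns 1 if saved_ret survived the copy, 0 if it was clobbered. */
int unprotected_copy(const char *input, size_t len)
{
    struct frame f;
    f.saved_ret = 0xdeadbeefUL;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);
    return f.saved_ret == 0xdeadbeefUL;
}

int main(void)
{
    char big[sizeof(struct frame)];
    memset(big, 'A', sizeof big);     /* constructed oversized input */
    printf("5 bytes, protected:    intact=%d\n", protected_copy("hello", 5));
    printf("17 bytes, protected:   intact=%d\n", protected_copy(big, 17));
    printf("17 bytes, unprotected: ret ok=%d\n", unprotected_copy(big, 17));
    return 0;
}
```

The 17-byte case is the point of the comparison: the protected frame reports the overrun even though the return slot was never reached, while the unprotected one sees nothing wrong, which is why packages built with an unmodified GCC give no coverage.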