Date: Sun, 30 Dec 2007 14:00:53 +0100
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Gunther Mayer <gunther.mayer@googlemail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <20071230130053.GC10467@obiwan.tataz.chchile.org>
In-Reply-To: <477115FE.2070705@gmail.com>
References: <477115FE.2070705@gmail.com>
Hi Gunther,

On Tue, Dec 25, 2007 at 04:38:54PM +0200, Gunther Mayer wrote:
> Hi there,
>
> I'm still running 6.2 on various servers without any tweaks (GENERIC kernel,
> binary updates via freebsd-update etc.) but lots of ports (apache,
> postgresql, diablo-jdk etc.) and would like to use stack smashing protection
> in order to harden my boxes and avoid many potential exploits.
>
> I've known about ProPolice/SSP for a while now (from the Gentoo world) and
> am aware that FreeBSD 7.0 doesn't yet support it, though I know of Jeremy Le
> Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time
> after 7.0 is released I'd like to upgrade and apply SSP throughout kernel,
> userland and ports while I'm at it. However, being an unsupported patchset
> and all, I have some concerns which I'd like some feedback on well before I
> embark on this project:
>
> 1. Will FreeBSD ever support SSP natively?
> 2. How good is the kernel patch and how many people out there are
>    using it?

I can't tell myself about the quality of the kernel bits, but at least I can
state that I'm sure that in case of a stack-based buffer overflow, the kernel
will crash instead of being exploited.

> 3. Does using the kernel and userland patch mean that I am eternally
>    stuck with compiling from source if I want to keep SSP on all the
>    time (gone are the days of freebsd-update luxury)?
> 4. What's the story with libssp? Jeremy reckons that it's a lost
>    cause and causes more trouble than it's worth. Yet libssp seems to
>    be the only thing that is actually fully integrated in 7.0.

GNU libssp is provided in FreeBSD 7.0 but it is not used, because libc
already provides the required symbols (lib/libc/sys/stack_protector.c).
I think GNU libssp is useful only when compiling something without libc
support (-nodefaultlibs).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
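The two runtime symbols the thread refers to, __stack_chk_guard and __stack_chk_fail, are all that ProPolice/SSP needs from the C library: the compiler emits a prologue that copies the guard onto the stack between the local buffers and the saved return address, and an epilogue that compares it and calls the failure handler on mismatch. The following is an added example, not code from the original message or from FreeBSD's lib/libc/sys/stack_protector.c. It models that check in portable user-space C so the mechanism (and its one well-known limit) can be observed without crashing the program: ssp_guard_setup(), ssp_fail(), ssp_frame_intact(), BUF_LEN and FRAME_LEN are all names chosen here, and the zero low byte in the guard is a common hardening choice rather than something the message states.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeBSD's code: a user-space model of the canary check
 * that -fstack-protector emits. On FreeBSD the real __stack_chk_guard and
 * __stack_chk_fail come from lib/libc/sys/stack_protector.c; GNU libssp
 * would only be needed when libc is not linked in (-nodefaultlibs). */

#define BUF_LEN   16                               /* the protected local buffer */
#define FRAME_LEN (BUF_LEN + sizeof(uintptr_t))    /* buffer followed by the canary */

/* Model of __stack_chk_guard: one random value per process. The low byte is
 * zeroed (a common hardening choice, assumed here) so a NUL-terminated string
 * overflow cannot carry a forged guard across the canary. */
uintptr_t ssp_guard_setup(void)
{
    uintptr_t g = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        if (fread(&g, sizeof g, 1, f) != 1)
            g = 0;
        fclose(f);
    }
    if (g == 0)
        g = (uintptr_t)0x5a5a5a5a5a5a5a5aULL;      /* constructed fallback only */
    g &= ~(uintptr_t)0xff;                        /* terminator byte */
    return g;
}

/* Model of __stack_chk_fail: report the event and abort, never return. */
void ssp_fail(void)
{
    fputs("stack smashing detected: aborting\n", stderr);
    abort();
}

/* Simulated frame: BUF_LEN bytes of buffer, then the canary, laid out the way
 * the compiler places locals below the guard. Copies n bytes into the buffer
 * with no bounds check (the bug SSP is meant to catch) and reports whether
 * the canary survived: 1 = intact, 0 = smashed. n is clamped to FRAME_LEN so
 * the model itself stays well defined. */
int ssp_frame_intact(const unsigned char *src, size_t n, uintptr_t guard)
{
    unsigned char frame[FRAME_LEN];
    uintptr_t canary_after;

    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame + BUF_LEN, &guard, sizeof guard);               /* prologue */
    memcpy(frame, src, n);                                        /* unchecked copy */
    memcpy(&canary_after, frame + BUF_LEN, sizeof canary_after);  /* epilogue */
    return canary_after == guard;
}

int main(void)
{
    uintptr_t guard = ssp_guard_setup();
    unsigned char ok[8] = "GET /\r\n";            /* constructed, fits in BUF_LEN */
    unsigned char bad[FRAME_LEN];                 /* constructed, overruns the buffer */
    memset(bad, 'A', sizeof bad);

    printf("short copy: canary %s\n",
           ssp_frame_intact(ok, sizeof ok, guard) ? "intact" : "smashed");
    printf("long copy:  canary %s\n",
           ssp_frame_intact(bad, sizeof bad, guard) ? "intact" : "smashed");

    /* What a compiler-instrumented function does after the epilogue check. */
    if (!ssp_frame_intact(bad, sizeof bad, guard))
        ssp_fail();
    return 0;
}
```

The model also shows the limit of the mechanism: a write that reproduces the exact guard value at the canary's offset passes the check, which is why a canary only helps while the guard stays secret. On a real build the instrumentation is the compiler's job: compile with cc -fstack-protector and nm on the object shows an undefined reference to __stack_chk_fail, which libc satisfies on FreeBSD.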
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071230130053.GC10467>