Re: BUFFER OVERFLOW EXPLOITS
From: Mike Silbersack (silby@silby.com)
Date: 10/29/01
- Next message: G.P. de Boer: "Re: BUFFER OVERFLOW EXPLOITS"
- Previous message: Matt Piechota: "Re: BUFFER OVERFLOW EXPLOITS"
- In reply to: Matt Piechota: "Re: BUFFER OVERFLOW EXPLOITS"
- Next in thread: Ryan Thompson: "Re: BUFFER OVERFLOW EXPLOITS"
Date: Mon, 29 Oct 2001 12:48:30 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Matt Piechota <piechota@argolis.org>
On Mon, 29 Oct 2001, Matt Piechota wrote:
> On Mon, 29 Oct 2001, Luc wrote:
>
> > Can one confirm we may prevent FreeBSD buffer overflow
> > using this document:
> >
> > "GCC extension for protecting applications from stack-smashing attacks"
> > http://www.trl.ibm.com/projects/security/ssp/
> >
> > Why isn't FreeBSD built with such extension (by default) ?
>
> My first thought would be that it "add application code at compile time"
> which would slow the system down to a certain degree, and it seems to be
> somewhat beta, so you may run into bugs. Be interesting to try though
> (they have instructions to build FreeBSD using it).
>
> On the other hand, stack overflows are generally due to sloppy
> programming, so adding code and overhead to facilitate being lazy seems to
> be the wrong way to attack a problem.
>
> --
> Matt Piechota
Maintaining the patch as gcc is upgraded is the core issue; the efficiency
vs safety issue could be addressed by a flag during buildworld.

I started work on taking the existing gcc port and adding in the patch
listed above; it seemed to work well, but I'm not sure how well I'd be
able to keep it up to date.

Mike "Silby" Silbersack