Re: GCC stack-smashing extension

From: D J Hawkey Jr (hawkeyd@visi.com)
Date: 01/07/02


Date: Mon, 7 Jan 2002 13:03:40 -0600
From: D J Hawkey Jr <hawkeyd@visi.com>
To: Jeff Palmer <scorpio@drkshdw.org>

While I agree with you 100%, I also echo the thoughts of David Geirsson.

I am as careful and diligent as I know how to be with software I write,
patch, or hack. However, I use a lot of OSS software, and not all of it
is written by those with the experience of a Darren Reed or Matt Dillon.
I'm modest enough to accept that my own code isn't always as bullet-proof
as it might be, too.

I figure another layer to the security onion can't hurt, and am looking
for insights as to the patch's usefulness and integrity, rather than a
conversation on whether it's necessary!

Dave

On Jan 07, at 11:06 AM, Jeff Palmer wrote:
>
> While I have never personally used this patch, my advice would be:
>
> Don't depend on a compiler based security implementation in your code.
> Code with security in mind from the ground up.
>
> What happens if you get used to your compiler adding in all the checks and
> balances, and then for some reason you are forced to use a standard
> compiler for something?
>
> Don't let a compiler allow you to lower your standards. Don't let it make
> you lazy. And most of all, don't let it teach you bad habits (Microsofts
> MFC for vc++ comes to mind here on the bad habits example)
>
> Just my two cents.. I'd rather stick with a default GCC,
> and use better/smarter coding practices on my machines :-)
>
>
> ----- Original Message -----
> From: "D J Hawkey Jr" <hawkeyd@visi.com>
> To: "security at FreeBSD" <freebsd-security@freebsd.org>
> Sent: Monday, January 07, 2002 10:19 AM
> Subject: GCC stack-smashing extension
>
>
> > Hey, all,
> >
> > I recently stumbled across the web page for the GCC stack-smashing
> > extension (http://www.trl.ibm.com/projects/security/ssp/):
> >
> > - Anyone have any experience with it, good, bad, or otherwise?
> > - Any reason why I wouldn't want this?
> > - Any plans to merge it into the FreeBSD-distributed GCC?
> >
> > Thanks,
> > Dave
> >
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message