Re: Non-Executable Stack Patch

• Previous message: Lupe Christoph: "Impossible to IPfilter this?"
• In reply to: Erik Paulsen Skaalerud: "RE: Non-Executable Stack Patch"
• Next in thread: Kris Kennaway: "Re: Non-Executable Stack Patch"
• Reply: Kris Kennaway: "Re: Non-Executable Stack Patch"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 7 Jun 2003 17:59:27 -0700
To: Erik Paulsen Skaalerud <erik@pentadon.com>

On Thu, Jun 05, 2003, Erik Paulsen Skaalerud wrote:
> > From: owner-freebsd-security@freebsd.org
> > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tim Baur
> > Sent: Thursday, June 05, 2003 6:24 AM
> > To: freebsd-security@freebsd.org
> > On Wed, 4 Jun 2003, Tony Meman wrote:
> > > I was wondering if there's any non-executable stack patch for
> > > FreeBSD's kernel.
> >http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
> >
> >-tbaur
>
> Can anyone here share their experiences with this patch? I've heard very
> little talk about it really, I'm looking for others oppinions before I try
> to patch gcc with this. Any major slowdowns on the userland? And if its
> major, how much?

The original StackGuard implementation had massive overhead:
several orders of magnitude for common programs. It looks like
the fellows at IBM have managed to do significantly better:

        http://www.trl.ibm.com/projects/security/ssp/node5.html

I personally am not particularly interested in a fix that makes
buffer overflows harder to exploit, given that buffer overflows
constitute a problem that can be completely solved without the
same performance loss by switching to a safer language.
Nevertheless, there's enough useful C code out there that this
could be useful. It would be cool to have as an optional part of
FreeBSD, assuming we wouldn't have to maintain massive diffs
against gcc or something. (gcc uses this by default now, right?)
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

• Previous message: Lupe Christoph: "Impossible to IPfilter this?"
• In reply to: Erik Paulsen Skaalerud: "RE: Non-Executable Stack Patch"
• Next in thread: Kris Kennaway: "Re: Non-Executable Stack Patch"
• Reply: Kris Kennaway: "Re: Non-Executable Stack Patch"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Time to patch OpenVMS - DCE-RPC buffer overflow ... seems that OVMS is NOT immune to buffer overflows. ... > the used area of the stack is not executable. ... as for the "EVERYONE PATCH OVMS" idea, I am not trying to give that idea ... (comp.os.vms) Re: [CFT] updated gcc-3.4.0 fixes patch for 2.4.27-pre1 ... I propose fixing problems that will appear with gcc 3.5, ... Here is a patch for the few places I got hit at. ... pci_set_drvdata(pci_dev, dev); ... send the line "unsubscribe linux-kernel" in ... (Linux-Kernel) Re: ProPolice and pthreads (was: ProPolice and FreeBSD) ... > initially used the patch against FreeBSD 5.1 to know which file I ... > newest patch against gcc 3.4.1 for gcc specific stuffs. ... > GDB is free software, covered by the GNU General Public License, and you are ... (freebsd-hackers) Re: sshd broken with UsePrivilegeSeparation=yes on sparc64 ... So, obviously a gcc bug. ... Subject: HEADS-UP: gcc-4.2 import appears to miscompile libm. ... Ths patch fixes the problem. ... it is a code bug. ... (freebsd-current) Help! - Constructor related with a static instance of a C++ class will be ignored during run on HPUX ... when test program was built by *gcc* and shared ... My customer insists on installing the specific patch instead of the ... minilib.cpp/h just simulate act as a sl lib which is built by *aCC* ... void exportlibFun() ... (comp.sys.hp.hpux)