Re: ProPolice/SSP in 7.0
- From: Jeremie Le Hen <jeremie@xxxxxxxxxx>
- Date: Sun, 30 Dec 2007 14:00:53 +0100
On Tue, Dec 25, 2007 at 04:38:54PM +0200, Gunther Mayer wrote:
> I'm still running 6.2 on various servers without any tweaks (GENERIC kernel,
> binary updates via freebsd-update etc.) but lots of ports (apache,
> postgresql, diablo-jdk etc.) and would like to use stack smashing protection
> in order to harden my boxes and avoid many potential exploits.
> I've known about ProPolice/SSP for a while now (from the Gentoo world) and
> am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le
> Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time
> after 7.0 is released I'd like to upgrade and apply SSP throughout kernel,
> userland and ports while I'm at it. However, being an unsupported patchset
> and all, I have some concerns which I'd like some feedback on well before I
> embark on this project:
> 1. Will FreeBSD ever support SSP natively?
> 2. How good is the kernel patch and how many people out there are
I can't tell myself about the quality of kernel bits, but at least I can
state that I'm sure in case of a stack-based buffer overflow, the kernel
will crash instead of being exploited.
> 3. Does using the kernel and userland patch mean that I am eternally
> stuck to compiling from source if I want to keep SSP on all the
> time (gone are the days of freebsd-update luxury)?
> 4. What's the story with libssp? Jeremy reckons that it's a lost
> cause and causes more trouble than it's worth. Yet libssp seems to
> be the only thing that actually fully integrated in 7.0
GNU libssp is provided in FreeBSD 7.0 but it is not used though because
libc already provides the required symbols
(lib/libc/sys/stack_protector.c). I think GNU libssp is useful only
when compiling something without libc support (-nodefaultlibs).
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
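An added example, not code from this thread and not FreeBSD's lib/libc/sys/stack_protector.c, that models in plain C what -fstack-protector instrumentation does: a guard word is placed between a local buffer and the saved frame state, loaded in the prologue and compared in the epilogue, so a linear overrun of the buffer is caught before the function returns (which is why the patched kernel crashes instead of being exploited). The struct layout, the fixed guard value and the saved_ret marker are constructed stand-ins; in the real implementation the guard is libc's __stack_chk_guard, filled from a kernel entropy source at startup, and the failure path is __stack_chk_fail(), which aborts rather than returning a status.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated stack frame as the compiler lays it out under SSP: character
 * arrays are placed just below the guard, so an overrun of buf[] must
 * clobber the guard before it can reach saved registers or the return
 * address (modelled here by saved_ret). Constructed for illustration. */
struct frame {
    char buf[16];
    uintptr_t guard;
    uintptr_t saved_ret;
};

/* Stand-in for libc's __stack_chk_guard. A fixed constructed value keeps
 * the example deterministic; real libc fills it with random bytes so an
 * attacker cannot know what to overwrite it with. */
static const uintptr_t stack_chk_guard = (uintptr_t)0x2a9c7e4d5b1f3a6cULL;

/* Canary-protected copy of len bytes into a local buffer.
 * Returns 0 when the guard is intact at function exit and 1 when an overrun
 * was detected; at that point real SSP calls __stack_chk_fail() and aborts
 * instead of returning into possibly corrupted saved state. */
int copy_with_canary(const char *src, size_t len)
{
    struct frame f;

    f.guard = stack_chk_guard;           /* prologue: load the guard */
    f.saved_ret = (uintptr_t)0xdeadbeef; /* constructed marker for saved state */

    /* The unchecked copy SSP is meant to catch: in real code len would be
     * input-controlled. It is clamped to the frame size so the write stays
     * inside the object and the example remains well-defined C. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);   /* bytes run from buf[] upward into guard/saved_ret */

    /* epilogue: any write past buf[] has changed the guard */
    return f.guard != stack_chk_guard;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that exactly fills buf[],
     * one that overruns into the guard. */
    printf("5 bytes:  %s\n", copy_with_canary("hello", 5) ? "SMASHED" : "ok");
    printf("16 bytes: %s\n", copy_with_canary("0123456789abcdef", 16) ? "SMASHED" : "ok");
    printf("24 bytes: %s\n", copy_with_canary("0123456789abcdefXXXXXXXX", 24) ? "SMASHED" : "ok");
    return 0;
}
```

The clamp on len is only there to keep the demonstration within defined behaviour; the point of SSP is that the compiler does not rely on the copy being bounded, it relies on the guard comparison running before the saved state is used. Note that this catches contiguous overruns only; a write that skips over the guard, or a read of uninitialised stack, is not something the canary detects, which is why it is a hardening measure rather than a replacement for bounds checking.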