Re: ProPolice/SSP in 7.0
Hi Gunther,

On Tue, Dec 25, 2007 at 04:38:54PM +0200, Gunther Mayer wrote:
> Hi there,
>
> I'm still running 6.2 on various servers without any tweaks (GENERIC kernel,
> binary updates via freebsd-update etc.) but lots of ports (apache,
> postgresql, diablo-jdk etc.) and would like to use stack smashing protection
> in order to harden my boxes and avoid many potential exploits.
>
> I've known about ProPolice/SSP for a while now (from the Gentoo world) and
> am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le
> Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time
> after 7.0 is released I'd like to upgrade and apply SSP throughout kernel,
> userland and ports while I'm at it. However, being an unsupported patchset
> and all, I have some concerns which I'd like some feedback on well before I
> embark on this project:
>
> 1. Will FreeBSD ever support SSP natively?
> 2. How good is the kernel patch and how many people out there are
> using it?

I can't tell myself about the quality of the kernel bits, but at least I can
state that I'm sure that in case of a stack-based buffer overflow, the kernel
will crash instead of being exploited.

> 3. Does using the kernel and userland patch mean that I am eternally
> stuck to compiling from source if I want to keep SSP on all the
> time (gone are the days of freebsd-update luxury)?
> 4. What's the story with libssp? Jeremy reckons that it's a lost
> cause and causes more trouble than it's worth. Yet libssp seems to
> be the only thing that is actually fully integrated in 7.0

GNU libssp is provided in FreeBSD 7.0, but it is not used, because
libc already provides the required symbols
(lib/libc/sys/stack_protector.c). I think GNU libssp is useful only
when compiling something without libc support (-nodefaultlibs).

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
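Added example, not part of the thread and not taken from Jeremie's SSP patches or from libc's stack_protector.c: a small C model of the canary check that ProPolice/SSP (-fstack-protector) emits around a function, written so the mechanism the thread refers to ("the kernel will crash instead of being exploited") can be exercised in-process without corrupting the real stack. The guard value, the `struct frame` layout and the `process_input` function are constructed for illustration; in a real build the guard is initialized randomly at startup and the failing check ends in `__stack_chk_fail`, which on FreeBSD 7.0 is the symbol libc supplies.

```c
/* Software model of the SSP canary check (added example, not libc code).
 * In a real -fstack-protector build the compiler stores a guard value
 * just above the local buffers in the prologue and compares it in the
 * epilogue; a mismatch calls __stack_chk_fail, which aborts the process
 * rather than returning through a possibly overwritten return address.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Models the process-wide guard. libc fills the real one with random
 * bytes at startup; a fixed, constructed value is used here so the
 * results are reproducible. */
static const uint64_t guard = 0x2b992ddfa2324500ULL;

/* Models a ProPolice frame: the character buffer is placed below the
 * canary, so a linear overrun of buf reaches the canary before it could
 * reach the saved frame pointer and return address. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t canary;
};

/* Copies n bytes of input into the frame's buffer with no bounds check
 * against BUF_SIZE (the class of bug SSP is meant to catch) and then
 * performs the epilogue check. Returns 1 if the canary is intact and
 * 0 if the check fails, i.e. the point where a real program would call
 * __stack_chk_fail and abort. */
int process_input(const char *input, size_t n)
{
    struct frame f;
    f.canary = guard;                 /* prologue: store the guard */

    /* Clamp to the whole frame so the model only ever writes inside
     * the struct's own bytes (defined behaviour), while still letting
     * the copy run past buf into the canary. */
    if (n > sizeof f)
        n = sizeof f;
    memcpy((char *)&f, input, n);     /* the unchecked copy */

    if (f.canary != guard) {          /* epilogue: compare the guard */
        /* __stack_chk_fail would abort the process here */
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: one that fits and one that overruns buf. */
    char overrun[BUF_SIZE + 8];
    memset(overrun, 'A', sizeof overrun);

    printf("short input: canary %s\n",
           process_input("hello", 6) ? "intact" : "smashed");
    printf("long input:  canary %s\n",
           process_input(overrun, sizeof overrun) ? "intact" : "smashed");
    return 0;
}
```

The model shows why the patchset's guarantee is about crashing rather than preventing the bug: the write still happens, but the function cannot return normally once the guard has changed. It also shows why the guard, the comparison and the failure handler are a runtime-library concern, which is the point of the libc versus GNU libssp discussion above.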
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"