|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Mike Silbersack (silby
silby.com)
Date: Fri Dec 28 2007 - 20:20:20 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, 28 Dec 2007, Gunther Mayer wrote:
> Btw, I second the motion of having SSP enabled by default in FreeBSD, other
> OS's have been doing this for years at a negligible performance overhead.
>
> Gunther
It's too late to make that sort of change for FreeBSD 7.0, but I think
that's a good goal for FreeBSD 8.0.
Here's what I think you could do:
1. Verify that enabling SSP works properly.
2. Convince Kris Kennaway to run his mysql benchmarks on a FreeBSD 8
system both with and without SSP to verify that there is no significant
slowdown.
3. Get it enabled on FreeBSD 8 by default.
4. Request that the change be made to FreeBSD 7.1 or 7.2 after it has
proven to not cause problems on FreeBSD 8.
Since the subject came up, I just tried using it, and it's not giving me
the results I expected. Take the following program:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void overrun(void);
int main(void)
{
overrun();
}
void overrun(void)
{
int x;
char a[4];
int y;
strcpy(a, "ABCDE");
printf("hi");
}
If I compile it like so:
> cc -g -fstack-protector-all overrun.c
The overrun is detected and the program is aborted.
> ./a.out
Abort (core dumped)
But if I compile it like so:
> cc -g -fstack-protector overrun.c
The overrun is not caught.
> ./a.out
hi>
Either I'm doing something wrong, or we have gcc misconfigured and it's
not detecting that strcpy is a function which needs to be watched
closedly.
Mike "Silby" Silbersack
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]