Subject: Re: Buffer Overflows
From: Zach Brown (zab zabbo.net)
Date: Thu Apr 27 2000 - 16:30:01 CDT
- Next message: Rory Hunter: "Distributed Services"
- Previous message: Horst von Brand: "Re: Buffer Overflows and DoS"
- Maybe reply: Zach Brown: "Re: Buffer Overflows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> Crispin, I don't mean offense by this but I don't consider
> StackGuard a "solution." It is a workaround to a fundamental
> design flaw in the common UNIX kernel and toolchain implementations.
> I regret that the workaround is necessary and note that it costs
> a significant amount of performance.

You mean like firewalls? It sure is a shame that all our net protocols
don't have strong confidentiality, authentication, and authorization.

> I'm not sure but it might be better to re-implement most of the
> software that you've tested under StackGuard in Pike. It might
> offer roughly the same performance and benefits (and the
> process of porting it might actually dust some cruft off the
> involved code).

You must be kidding. There is no way that porting sendmail or apache
(or, haha, procmail) to Pike has the same benefits as recompiling it
under stackguard. The effort/reward ratios aren't even in the same
dimension, let alone of the same order :)

Yes, it sure would be neat if we had infinite time to reinvent the
universe, but in the meantime we have servers to run and having another
feather in our "take that, you stupid haxor" cap is a-ok in my book.
Especially when it's a recompile with basically immeasurable impact on
real life loads.

> (Have you looked at Pike? Have you done any performance comparisons
> of a Pike program vs the closest equivalent C program with and w/o
> Stackguard?).

Has anyone done extensive audits of the Pike toolchain?

-- zach