From owner-freebsd-hackers Fri Feb 18 14:49:58 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from houston.matchlogic.com (houston.matchlogic.com [205.216.147.127]) by hub.freebsd.org (Postfix) with ESMTP id 2332237BAD7 for ; Fri, 18 Feb 2000 14:49:56 -0800 (PST) (envelope-from crandall@matchlogic.com)
Received: by houston.matchlogic.com with Internet Mail Service (5.5.2650.21) id ; Fri, 18 Feb 2000 15:49:55 -0700
Message-ID: <5FE9B713CCCDD311A03400508B8B301303D965@bdr-xcln.is.matchlogic.com>
From: Charles Randall
To: "Ronald F. Guilmette" , freebsd-hackers@freebsd.org
Subject: RE: Defending against buffer overflows.
Date: Fri, 18 Feb 2000 15:49:58 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[Only on -hackers]

With care and a lot of patience, you can build Immunix StackGuard for FreeBSD. I did this on 3.3-R. If there's interest, I can post build instructions (I probably don't have time to put together a port).

Charles

-----Original Message-----
From: Ronald F. Guilmette [mailto:rfg@monkeys.com]
Sent: Friday, February 18, 2000 3:21 PM
To: freebsd-hackers@freebsd.org; gnu-gcc@gnu.org
Subject: Defending against buffer overflows.

My attention has just been called to:

http://immunix.org/StackGuard/mechanism.html

Given all of the buffer overrun vulnerabilities that have been found in various network daemons over time, this seems like a worthwhile sort of technique to apply when compiling, in particular, network daemons and/or servers.

I don't entirely agree with this fellow's approach, however. I think that the "canary" word should be located at the bottom end of the current stack frame, i.e. in a place where no buffer overrun could possibly clobber it.

Seems to me that this would be a nice and useful little enhancement for gcc. I wouldn't mind having something like a -fbuffer-overrun-checks option for gcc, and I would definitely use it when compiling network daemons.

Anybody else got an opinion?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
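The thread above discusses where a StackGuard-style canary word sits relative to the buffers and the saved return address. The following is an added example, not code from either message, from Immunix, or from gcc: it simulates one stack frame in a byte array (so the overrun stays within defined behaviour and can be run anywhere) and runs the epilogue canary check under two layouts. CANARY_ABOVE_BUF puts the canary between the local buffer and the return address, as the mechanism page describes; CANARY_BELOW_BUF puts it at the bottom of the frame, below the buffer, as the message proposes. The canary and return-address values, the frame layout, and the function names are constructed for illustration only; StackGuard derives its canary at run time.

```c
/* Added example: simulated stack frame with a StackGuard-style canary.
 * Not part of StackGuard or gcc; layout, names and values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16
#define WORD       sizeof(uintptr_t)
#define FRAME_SIZE (BUF_SIZE + 2 * WORD)   /* buffer + canary + return address */

/* Constructed stand-ins for the run-time canary and the saved return address. */
static const uintptr_t CANARY_VALUE = 0xCAFEBABEu;
static const uintptr_t RET_VALUE    = 0x400123u;

enum layout {
    CANARY_ABOVE_BUF,  /* low -> high: [buf][canary][ret]  (StackGuard placement) */
    CANARY_BELOW_BUF   /* low -> high: [canary][buf][ret]  (canary at frame bottom) */
};

enum { CANARY_TRIPPED = 1, RET_CLOBBERED = 2 };

/* Builds the frame, copies `input` into the buffer with no bounds check
 * (clamped to the frame end so the simulation itself stays in bounds),
 * then performs the epilogue check. Overruns run toward higher addresses,
 * i.e. toward the saved return address, as on x86.
 * Returns a bitmask of CANARY_TRIPPED and RET_CLOBBERED. */
int run_frame(enum layout lay, const char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    size_t buf_off, canary_off, ret_off;
    uintptr_t canary_now, ret_now;
    int result = 0;

    if (lay == CANARY_ABOVE_BUF) {
        buf_off = 0;    canary_off = BUF_SIZE; ret_off = BUF_SIZE + WORD;
    } else {
        canary_off = 0; buf_off = WORD;        ret_off = WORD + BUF_SIZE;
    }

    /* Prologue: plant the canary and the saved return address. */
    memset(frame, 0, sizeof frame);
    memcpy(frame + canary_off, &CANARY_VALUE, WORD);
    memcpy(frame + ret_off, &RET_VALUE, WORD);

    /* Unchecked copy into the local buffer (strcpy-style behaviour). */
    if (len > FRAME_SIZE - buf_off)
        len = FRAME_SIZE - buf_off;
    memcpy(frame + buf_off, input, len);

    /* Epilogue: verify the canary before "returning". */
    memcpy(&canary_now, frame + canary_off, WORD);
    memcpy(&ret_now, frame + ret_off, WORD);
    if (canary_now != CANARY_VALUE) result |= CANARY_TRIPPED;
    if (ret_now != RET_VALUE)       result |= RET_CLOBBERED;
    return result;
}

int main(void)
{
    /* Constructed inputs: one that fits the 16-byte buffer, two that overrun it. */
    static const char fits[]  = "GET / HTTP";                                 /* 10 bytes */
    static const char short_[] = "AAAAAAAAAAAAAAAAAAAA";                       /* 20 bytes */
    static const char long_[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 40 bytes */
    const char *names[] = { "canary above buffer", "canary below buffer" };
    enum layout lays[] = { CANARY_ABOVE_BUF, CANARY_BELOW_BUF };

    for (int i = 0; i < 2; i++) {
        printf("%s:\n", names[i]);
        printf("  fits   -> %d\n", run_frame(lays[i], fits,   strlen(fits)));
        printf("  20 'A' -> %d\n", run_frame(lays[i], short_, strlen(short_)));
        printf("  40 'A' -> %d\n", run_frame(lays[i], long_,  strlen(long_)));
    }
    return 0;
}
```

The result bitmask makes the difference between the two placements visible: with the canary between the buffer and the return address, any overrun long enough to reach the return address has already passed through the canary, so CANARY_TRIPPED is set whenever RET_CLOBBERED is; with the canary below the buffer it is never on the overrun's path, so the return address can change while the check still passes. Both layouts report 0 for input that fits.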