Date:      Sat, 27 May 2006 19:31:32 -0700
From:      "Josh Carroll" <josh.carroll@psualum.com>
To:        "Jeremie Le Hen" <jeremie@le-hen.org>
Cc:        freebsd-security@freebsd.org, freebsd-current@freebsd.org, Alexander Kabaev <kabaev@gmail.com>
Subject:   Re: [fbsd] Re: Integrating ProPolice/SSP into FreeBSD
Message-ID:  <8cb6106e0605271931p55971b2bwdb311275ce21819@mail.gmail.com>
In-Reply-To: <20060527172358.GC25953@obiwan.tataz.chchile.org>
References:  <20060526153422.GB25953@obiwan.tataz.chchile.org> <20060526183554.25d5cc0d@kan.dnsalias.net> <20060527172358.GC25953@obiwan.tataz.chchile.org>

I agree that having the necessary hooks to enable/disable SSP would be
nice. It would also be nice if this can be done for ports in addition
to base.

Josh

On 5/27/06, Jeremie Le Hen <jeremie@le-hen.org> wrote:
> On Fri, May 26, 2006 at 06:35:54PM -0400, Alexander Kabaev wrote:
> > On Fri, 26 May 2006 17:34:22 +0200
> > Jeremie Le Hen <jeremie@le-hen.org> wrote:
> >
> > > Hi,
> > >
> > > first sorry for cross-posting but I thought this patch might interest
> > > -CURRENT users as well as people concerned with security.
> > >
> > > I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
> > > further than it has been realized so far.
> > >
> > > It is available here :
> > >     http://tataz.chchile.org/~tataz/FreeBSD/SSP/
> > >
> > > Everything is explained on the web page, but I will repeat some
> > > information here.  The patchset is split in two parts to ease the
> > > review of the patch.  The -propolice patch is only the original
> > > ProPolice patch for GCC 3.4.4 applied on FreeBSD source tree.  The
> > > -freebsd patch contains the glue I have written to make things neat.
> > >
> > > The patch exists for both CURRENT and RELENG_6.  Both introduce a
> > > new make.conf(5) (and src.conf(5)) knob to enable stack protection
> > > on a per Makefile basis.  It is of course possible to compile your
> > > world with it.  Please refer to the web page for more information.
> > >
> > > The patch has been tested and works pretty well.  My laptop and my
> > > workstation at work are compiled with SSP: world, kernel and ports,
> > > including X.org.
> > >
> > > I hope you will enjoy it.
> > > Regards,
> > > --
> > > Jeremie Le Hen
> > > < jeremie at le-hen dot org >< ttz at chchile dot org >
> >
> > How does this compare to GCC 4.x mudflap feature? I do not plan to
> > include Propolice patch into base system any time soon and will object
> > anyone trying to do so due to future maintenance headaches this will
> > inevitably create. GCC 4.1.1 import is in the works though and should be
> > available shortly.
>
> I wasn't aware of the mudflap feature.  I had a quick look at it
> through [1], and it appears mudflap focuses on pointer dereferencing.
> ProPolice focuses on stack-based buffer overflows, which is mostly the
> same as StackGuard, which is presented in the paper.  According to
> Wikipedia [2], StackGuard isn't maintained any longer, while
> ProPolice has been merged into GCC 4.1.
>
> I understand you are working on the GCC 4.1.1 import and that modifying
> contributed sources will be a problem for you, though I must admit I
> am not sure I understand the whole pain this creates.  I will try to
> maintain the patch on my own until the GCC 4.1.1 import, so that users
> will be able to make the best of ProPolice.
>
> BTW, given that GCC 4.1.1 will contain ProPolice bits, I think it will
> be worth having some knobs to turn SSP on or off for the base system.
> I have become pretty confident with the build system and the problems
> that libssp triggers.  I would be glad to provide you with some of the
> glue I have written so far in my patch (the -freebsd part).
> Please, let me know if you are interested in this.  If your current
> work is publicly accessible, I'd be glad if you gave me the URL.
>
> [1] http://gcc.fyxm.net/summit/2003/mudflap.pdf
> [2] http://en.wikipedia.org/wiki/ProPolice
>
> Thank you.
> Best regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >