I agree that having the necessary hooks to enable/disable SSP would be nice. It would also be nice if this could be done for ports in addition to base.

Josh

On 5/27/06, Jeremie Le Hen <jeremie_at_le-hen.org> wrote:
> On Fri, May 26, 2006 at 06:35:54PM -0400, Alexander Kabaev wrote:
> > On Fri, 26 May 2006 17:34:22 +0200
> > Jeremie Le Hen <jeremie_at_le-hen.org> wrote:
> >
> > > Hi,
> > >
> > > First, sorry for cross-posting, but I thought this patch might interest
> > > -CURRENT users as well as people concerned with security.
> > >
> > > I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
> > > further than has been realized so far.
> > >
> > > It is available here:
> > > http://tataz.chchile.org/~tataz/FreeBSD/SSP/
> > >
> > > Everything is explained on the web page, but I will repeat some
> > > information here. The patchset is split in two parts to ease the
> > > review of the patch. The -propolice patch is only the original
> > > ProPolice patch for GCC 3.4.4 applied to the FreeBSD source tree. The
> > > -freebsd patch contains the glue I have written to make things neat.
> > >
> > > The patch exists for both CURRENT and RELENG_6. Both introduce a
> > > new make.conf(5) (and src.conf(5)) knob to enable stack protection
> > > on a per-Makefile basis. It is of course possible to compile your
> > > world with it. Please refer to the web page for more information.
> > >
> > > The patch has been tested and works pretty well. My laptop and my
> > > workstation at work are compiled with SSP: world, kernel and ports,
> > > including X.org.
> > >
> > > I hope you will enjoy it.
> > >
> > > Regards,
> > > --
> > > Jeremie Le Hen
> > > < jeremie at le-hen dot org >< ttz at chchile dot org >
> > > _______________________________________________
> > > freebsd-security_at_freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > > To unsubscribe, send any mail to
> > > "freebsd-security-unsubscribe_at_freebsd.org"
> >
> > How does this compare to the GCC 4.x mudflap feature? I do not plan to
> > include the ProPolice patch in the base system any time soon and will object
> > to anyone trying to do so, due to the future maintenance headaches this will
> > inevitably create. The GCC 4.1.1 import is in the works though and should be
> > available shortly.
>
> I wasn't aware of the mudflap feature. I had a quick look at it
> through [1], and it appears mudflap focuses on pointer dereferencing.
> ProPolice focuses on stack-based buffer overflows; this is mostly the
> same as StackGuard, which is presented in the paper. According to
> Wikipedia [2], StackGuard isn't maintained any longer, while
> ProPolice has been merged into GCC 4.1.
>
> I understand you are working on the GCC 4.1.1 import and that modifying
> contributed sources will be a problem for you, though I must admit I
> am not sure I understand the whole pain this creates. I will try to
> maintain the patch on my own until the GCC 4.1.1 import, so that users
> will be able to make the best of ProPolice.
>
> BTW, given that GCC 4.1.1 will contain the ProPolice bits, I think it will
> be worth having some knobs to turn SSP on or off for the base system.
> I have become pretty confident with the build system and the problems
> that libssp triggers. I would be glad to provide you with some of the
> glue I have written so far in my patch (the -freebsd part).
> Please let me know if you are interested in this. If your current
> work is publicly accessible, I'd be glad if you gave me the URL.
>
> [1] http://gcc.fyxm.net/summit/2003/mudflap.pdf
> [2] http://en.wikipedia.org/wiki/ProPolice
>
> Thank you.
> Best regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"

Received on Sun May 28 2006 - 00:37:29 UTC
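The mechanism the thread is weighing (ProPolice/SSP, as opposed to mudflap's pointer checks) places a guard word between a function's local arrays and its saved return address and verifies it before returning. The following is an added C illustration of that check, not code from the patch or from GCC: the frame is modelled as an explicit struct and the guard value is a constructed constant, whereas compiled SSP code loads a random per-process `__stack_chk_guard` and calls `__stack_chk_fail` from libssp on mismatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Model of a ProPolice-protected frame. The compiler places the guard
 * directly above local arrays, so an overrun must trample the guard
 * before it can reach the saved frame pointer / return address. */
#define BUF_SZ 16
struct frame {
    char      buf[BUF_SZ];  /* local array that an unchecked copy fills */
    uint32_t  guard;        /* canary, verified in the function epilogue */
    uintptr_t saved_ret;    /* stand-in for the saved return address */
};

/* Constructed guard value for the simulation. Real SSP code loads a random
 * per-process word (__stack_chk_guard) at startup instead of a constant. */
#define GUARD_VALUE 0x2b3c4d5eu
#define RET_MARKER  0x0badf00dUL

enum copy_status { COPY_OK = 0, GUARD_SMASHED = 1 };

/* Copy `len` bytes of `src` into the frame's buffer without a bounds check,
 * then run the epilogue guard check. Returns COPY_OK when the guard is intact
 * and GUARD_SMASHED when it was overwritten; compiled SSP code would call
 * __stack_chk_fail and abort at that point instead of returning. The clamp
 * to sizeof f only keeps the simulation inside the modelled frame. */
enum copy_status guarded_copy(const char *src, size_t len)
{
    struct frame f = { .guard = GUARD_VALUE, .saved_ret = RET_MARKER };

    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);               /* buf sits at offset 0 of the frame */
    return f.guard == GUARD_VALUE ? COPY_OK : GUARD_SMASHED;
}

int main(void)
{
    char small[8], big[sizeof(struct frame)];

    memset(small, 'A', sizeof small);   /* constructed input: fits in buf */
    memset(big, 'A', sizeof big);       /* constructed input: overruns buf */
    printf("%zu bytes: %s\n", sizeof small,
           guarded_copy(small, sizeof small) == COPY_OK ? "ok" : "guard smashed");
    printf("%zu bytes: %s\n", sizeof big,
           guarded_copy(big, sizeof big) == COPY_OK ? "ok" : "guard smashed");
    return 0;
}
```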
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:56 UTC