Integration of ProPolice in FreeBSD

Garance A Drosehn gad at FreeBSD.org
Sat Apr 19 01:23:31 UTC 2008


At 11:46 AM -0700 4/18/08, Marcel Moolenaar wrote:
>On Apr 18, 2008, at 9:58 AM, Jeremie Le Hen wrote:
>>This should theoretically work for all arch as, from what I've read,
>>ProPolice takes place at the intermediate representation level of the
>>compiler.  This should therefore be architecture agnostic.
>
>The question is whether it will actually make a difference on ia64?
>
>The stack does not contain any of the "objects" that ProPolice
>tries to protect from "stack-smashing" attacks, so what good is the
>added overhead?

On ia64 we have a large set of userland programs running C code.  We
run the same C code there which we run on all other architectures.
ProPolice will take a certain class of *actual* bugs in that C code,
and turn those into fatal bugs on the platforms where ProPolice does
work.  By making those bugs much more visible on our high-volume
platforms, it will also greatly increase the chance that someone
will take the time to find and fix the *actual* bug.  The bug in C.
The bug in C code which we are running on ia64.

Even if Propolice could never be made to work on ia64, the presence
of it on other hardware platforms will benefit users on ia64.

>>Basically, a "canary" is randomly chosen when the program starts (this
>>part lives in libc).  GCC inserts code in prologue and epilogue of all
>>functions that contains a buffer of 8 or more bytes.  In the prologue,
>>the canary is pushed on the stack right after the return value has been
>>pushed, and this value is then checked in function epilogue.  If the
>>value in the stack has changed, there has been a buffer overflow
>
>The ia64 architecture has been designed to eliminate use of the
>stack as much as possible for performance reasons. ProPolice does
>add significant overhead for no good reason AFAICT.

We can certainly have a different default for propolice/SSD support
on FreeBSD/ia64 than we default to for other architectures.  That
is a very reasonable idea.

I, for one, am very interested in Propolice support in FreeBSD, at
least as an easy-to-set option.  By that I mean: I don't mind what
the default is, just as long as there is an easy and safe way to
specify that you want propolice support at buildworld time.  Right
now we're in a situation where someone can specify it by making a
few updates, but then that person is *really* screwed if they lose
the updates by mistake.

-- 
Garance Alistair Drosehn     =               drosehn at rpi.edu
Senior Systems Programmer               or   gad at FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
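As an added illustration of the canary mechanism Jeremie describes above (constructed for this page; not code from the thread, from gcc or from FreeBSD's libc): a simulated protected frame in which the guard word sits between the local buffer and the saved return address, with a prologue that plants it and an epilogue that checks it. The struct layout, the fixed guard value and the `demo_*` callers are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a ProPolice-protected frame: the guard sits
 * between the local buffer and the saved return address, so a linear
 * overflow of buf reaches the canary before it reaches the return address. */
struct frame {
    char buf[8];        /* locals; a buffer of 8+ bytes makes gcc protect */
    uintptr_t canary;   /* guard word written by the prologue */
    uintptr_t ret_addr; /* saved return address the guard shields */
};

/* Stand-in for the random guard libc chooses at process start; a fixed
 * constructed value is used so that the example is deterministic. */
static uintptr_t guard_value;
static void init_guard(void) { guard_value = (uintptr_t)0x5a3c9e1f7b2d4068ULL; }

/* Prologue: save the return address and place the guard in front of it. */
static void prologue(struct frame *f, uintptr_t ret) {
    f->ret_addr = ret;
    f->canary = guard_value;
}
/* Epilogue: 1 if the guard is intact, 0 if a write clobbered it. The real
 * epilogue calls __stack_chk_fail() and aborts instead of returning 0. */
static int epilogue_check(const struct frame *f) {
    return f->canary == guard_value;
}

/* The actual C bug being discussed: copy n caller-supplied bytes into the
 * frame starting at buf with no length check, then run the epilogue. */
static int simulate_call(const unsigned char *input, size_t n) {
    struct frame f;
    prologue(&f, (uintptr_t)0x400abc);       /* constructed return address */
    if (n > sizeof f) n = sizeof f;          /* keep the simulation inside f */
    memcpy((unsigned char *)&f, input, n);   /* bytes run from buf upward */
    return epilogue_check(&f);
}

/* Well-behaved caller: exactly fills the buffer, guard survives (returns 1). */
int demo_in_bounds(void) {
    unsigned char in[8] = "1234567";         /* constructed input, 8 bytes */
    init_guard();
    return simulate_call(in, sizeof in);
}
/* Buggy caller: 12 bytes of input spill into the guard (returns 0). */
int demo_overflow(void) {
    unsigned char in[12];                    /* constructed input, 12 bytes */
    memset(in, 'A', sizeof in);
    init_guard();
    return simulate_call(in, sizeof in);
}
```

A real build gets the same effect from `-fstack-protector`, where the epilogue check aborts the process rather than returning a verdict, which is what turns the silent bug into the visible crash the message argues for.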

