Non-Executable Stack Patch

Uwe Doering gemini at geminix.org
Thu Jun 5 23:21:11 PDT 2003


Hi Erik,

Erik Paulsen Skaalerud wrote:
>>From: owner-freebsd-security at freebsd.org
>>[mailto:owner-freebsd-security at freebsd.org] On Behalf Of Tim Baur
>>Sent: Thursday, June 05, 2003 6:24 AM
>>To: freebsd-security at freebsd.org
>>On Wed, 4 Jun 2003, Tony Meman wrote:
>>
>>>I was wondering if there's any non-executable stack patch for
>>>FreeBSD's kernel.
>>
>>http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
>>
>>-tbaur
> 
> Can anyone here share their experiences with this patch? I've heard very
> little talk about it really; I'm looking for others' opinions before I try
> to patch gcc with this. Any major slowdowns on the userland? And if it's
> major, how much?

I've been using this patch for years now, privately and at work (see 
signature), with no adverse effects.  There are a small number of 
software packages that break with the stack-smashing protector.  Mozilla 
is one of them, and I hear that there is an issue with XFree86-4.x.  But 
then, you can always disable the protector with '-fno-stack-protector', 
and maybe the problem is already fixed in newer versions of the 
protector patch.  Haven't tried that so far.

As to its reliability, a number of OSs have adopted it already, 
including OpenBSD.  So IMHO it can be considered mature enough for 
production use.  And the potential slowdowns are negligible (<= 8%), 
read: unnoticeable under real-world conditions.

The downside of this approach is of course that you have to compile 
everything on your system with the patched GCC for the protection to 
take effect.  If you already have a considerable amount of software 
installed, this can be a lot of work.  And you still lose the protection 
if you install precompiled packages that, in the case of FreeBSD, have 
naturally been built with an unmodified GCC.  However, these caveats aside, 
this method still gives you the best protection available for FreeBSD today.

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org  |  http://www.escapebox.net
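To make concrete what the stack-smashing protector discussed above actually catches, here is an added model (not the patch's code and not from this thread) of a protected frame: the guard word lies between the local arrays and the saved return address, and pointer locals are moved below the arrays, which is how ProPolice arranges them. The struct layout, guard value and oversized input are constructed for illustration; `__guard` and `__stack_smash_handler` are the names the SSP patch uses for its runtime guard and failure handler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one frame as the SSP/ProPolice patch lays it out: the
 * guard sits between the local arrays and the saved return address, and pointer
 * locals are moved below the arrays, so a linear overrun hits the guard first. */
struct ssp_frame {
    char     *ptr_local;   /* pointer local, relocated below the arrays */
    char      buf[16];     /* the array an overrun begins in */
    uintptr_t guard;       /* copy of __guard, checked in the epilogue */
    uintptr_t saved_ret;   /* return address the guard shields */
};

/* Constructed stand-ins for __guard (randomised at startup in the real patch) and a return address. */
static const uintptr_t guard_value = (uintptr_t)0x7f3c9a15u;
static const uintptr_t ret_value   = (uintptr_t)0x08049e20u;

struct ssp_result { int guard_clobbered, ret_clobbered, ptr_clobbered; };
/* Copies `len` bytes into buf with no bounds check, as a strcpy() would, but
 * clamped to the frame object so the model itself is well-defined C. Returns
 * what the SSP epilogue check (which calls __stack_smash_handler) would see. */
struct ssp_result ssp_copy(const char *input, size_t len) {
    struct ssp_frame f;
    const size_t buf_off = offsetof(struct ssp_frame, buf);
    f.ptr_local = NULL;
    f.guard     = guard_value;
    f.saved_ret = ret_value;
    if (len > sizeof f - buf_off)
        len = sizeof f - buf_off;                 /* keep the model in bounds */
    memcpy((unsigned char *)&f + buf_off, input, len);
    struct ssp_result r;
    r.guard_clobbered = (f.guard != guard_value);
    r.ret_clobbered   = (f.saved_ret != ret_value);
    r.ptr_clobbered   = (f.ptr_local != NULL);    /* stays 0: it lies below buf */
    return r;
}

int main(void) {
    char in[64];
    memset(in, 'A', sizeof in);                   /* constructed oversized input */
    for (size_t len = 16; len <= 64; len += 4) {
        struct ssp_result r = ssp_copy(in, len);
        printf("%2zu bytes: guard smashed=%d return address hit=%d pointer local hit=%d\n",
               len, r.guard_clobbered, r.ret_clobbered, r.ptr_clobbered);
    }
    return 0;
}
```

Every input longer than the array trips the guard before the return address is reached, which is exactly the check that only code rebuilt with the patched GCC gets; a precompiled package has no guard in its frames at all.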
