Integration of ProPolice in FreeBSD
Marcel Moolenaar
xcllnt at mac.com
Fri Apr 18 19:21:02 UTC 2008
On Apr 18, 2008, at 10:45 AM, Max Laier wrote:
> On Friday 18 April 2008 15:27:49 Jeremie Le Hen wrote:
>> Hi,
>>
>> As you may already know I've integrated GCC's ProPolice into FreeBSD.
>> The build infrastructure overlord, namely ru@, (I'm quoting kan@) has
>> reviewed the patch and technically it is ready to hit the CVS tree.
>>
>> A few things should be discussed beforehand though.
>>
>> First, should we build world and/or kernel with SSP by default? I've
>> scamped a trivial benchmark back in 2006: timing buildworld with and
>> without SSP. You can find the result on my webpage:
>> http://tataz.chchile.org/~tataz/FreeSBD/SSP/#section1
>
> 404 :-\
>
>> Also, the original ProPolice author achieved a thorough performance
>> comparison with and without SSP, and the overhead is really small:
>> http://www.trl.ibm.com/projects/security/ssp/node5.html
>> I would like to reach a consensus on whether SSP should be opt-in or
>> opt-out on FreeBSD.
>>
>>
>> Another concern that Robert Watson showed back in 2006 [1] when I
>> brought forward my patch was the compatibility between pre-SSP and
>> post-SSP binaries/libraries.
>>
>> I'll try to make it simple and short. SSP requires two additional
>> symbols that are kindly provided by libc. Any binary or library
>> compiled with SSP will require them. As long as your libc contains
>> the symbols, you can smoothly run pre-SSP applications with post-SSP
>> libs as well as the other way around.
>>
>> Also Kris explained [2] that once applied, it is painful to try to
>> revert the change (removing SSP symbols from libc). This is true but
>> once the patch gets committed, it should hopefully never happen.
>
> So I'd suggest something along the lines of:
>
> 1) Add the needed support symbols to libc (they don't hurt anyone,
> right?)

autoconf?

With tools like autoconf, I'm much less inclined to say that some
unused symbol, library, header or whatever is harmless. I've turned
into an "if we don't use it, don't add/keep it" person :-)

--
Marcel Moolenaar
xcllnt at mac.com