FreeBSD with propolice protection
Matthew Seaman
m.seaman at infracaninophile.co.uk
Tue Aug 26 11:55:51 PDT 2003
On Tue, Aug 26, 2003 at 02:01:48PM -0300, Alex wrote:
> Hello,
>
> Does anybody recommend using this?
>
> How to build FreeBSD with propolice protection
> http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
If you have a server carrying particularly valuable or sensitive data,
then, yes the propolice patches can add an extra layer of security.
However, there are certain otherwise harmless software constructs that
involve writing to the stack that this software will cause to fail.
Certain applications simply will not work.
For an ordinary desktop or home machine it's probably overkill, and
paying attention to security announcements and keeping your machine
properly up to date and not running extraneous daemons and following
all of the other standard good security advice should be sufficient.
> After implementing it, how to make sure it's working correctly?
Write a small C program that will let you overflow an array and
trample on the stack. By convention, the usage is to overflow the
array with a long string of A characters. Analyse the core dump thus
obtained. If the EIP has been overwritten with the value 0x41414141
then the patches definitely aren't working.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20030826/bf036511/attachment.bin
More information about the freebsd-questions
mailing list