ProPolice/SSP in 7.0
Jeremie Le Hen
jeremie at le-hen.org
Sun Dec 30 05:33:04 PST 2007
Hi Gunther,
On Tue, Dec 25, 2007 at 04:38:54PM +0200, Gunther Mayer wrote:
> Hi there,
>
> I'm still running 6.2 on various servers without any tweaks (GENERIC kernel,
> binary updates via freebsd-update etc.) but lots of ports (apache,
> postgresql, diablo-jdk etc.) and would like to use stack smashing protection
> in order to harden my boxes and avoid many potential exploits.
>
> I've known about ProPolice/SSP for a while now (from the Gentoo world) and
> am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le
> Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time
> after 7.0 is released I'd like to upgrade and apply SSP throughout kernel,
> userland and ports while I'm at it. However, being an unsupported patchset
> and all, I have some concerns which I'd like some feedback on well before I
> embark on this project:
>
> 1. Will FreeBSD ever support SSP natively?
> 2. How good is the kernel patch and how many people out there are
> using it?
I can't tell myself about the quality of kernel bits, but at least I can
state that I'm sure in case of a stack-based buffer overflow, the kernel
will crash instead of being exploited.
> 3. Does using the kernel and userland patch mean that I am eternally
> stuck to compiling from source if I want to keep SSP on all the
> time (gone are the days of freebsd-update luxury)?
> 4. What's the story with libssp? Jeremy reckons that it's a lost
> cause and causes more trouble than it's worth. Yet libssp seems to
> be the only thing that actually fully integrated in 7.0
GNU libssp is provided in FreeBSD 7.0, but it is not used because
libc already provides the required symbols
(lib/libc/sys/stack_protector.c). I think GNU libssp is useful only
when compiling something without libc support (-nodefaultlibs).
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >