Re: Stack-smashing protection
Sorry, I didn't say it as it really is...
"It shows an 8% overhead on function calls, which should be the upper bound on
the real costs of running programs under this protection system. The overall
overhead of guarded programs varies with how many functions are called that
have character array. Figure 10 shows a program's name, its description, the
number of functions declared, and the number of functions used with character
arrays. In most cases, the usage of a character array is less than 10% of the
functions. It isn't the same as the ratio of the number of functions
executed, but there is a some correlation between them."
Some overhead examples are in the web page
quite a nice URL ;-)
So it isn't really that the hole system runs 8% slower. Sorry for my first
explanation... Now I think it is an overhead which is afordable seeing its
A Friday 06 December 2002 23:13, Thing va escriure:
> 8% is a huge hit, by all means a module or an option, however I question
> its need as "standard". I would not want it there unless Im convinced it
> truely offers protection from a quantifiable risk. I dont want to see the
> kernel go the way of MS's kernel ,one huge bloated mess.
> Lets see some papers/justification for this item, it may not be needed in
> all situations.
> On Sat, 07 Dec 2002 09:29, Albert Cervera Areny wrote:
> > I've read in slashdot
> > (http://bsd.slashdot.org/article.pl?sid=02/12/02/2035207) that openbsd
> > has included stack-smashing protection using the ProPolice
> > (http://www.trl.ibm.com/projects/security/ssp/) patch for GCC 3.2
> > I think it would be a great idea to use this patch with debian too as
> > soon as gcc becomes the compiler by default. Protecting the entire system
> > from this kind of bugs would really be a great security step forward.
> > Would somebody make some kind of statistics of how many of this year's
> > bugs wouldn't have made the system vulnerable with this patch?
> > Though there is about of 8% performane overhead I think it is worth using
> > this. And more now that gcc makes programs about 8% faster ;-)