
Re: Stack-smashing protection

On Fri, 2002-12-06 at 18:29, Albert Cervera Areny wrote:
> I've read on slashdot 
> (http://bsd.slashdot.org/article.pl?sid=02/12/02/2035207) that openbsd has 
> included stack-smashing protection using the ProPolice 
> (http://www.trl.ibm.com/projects/security/ssp/) patch for GCC 3.2. 
> I think it would be a great idea to use this patch with debian too as soon as 
> gcc becomes the compiler by default. Protecting the entire system from this 
> kind of bug would really be a great security step forward. Would somebody 
> make some kind of statistics of how many of this year's bugs wouldn't have 
> made the system vulnerable with this patch?
> Though there is about an 8% performance overhead, I think it is worth using 
> this. And more so now that gcc makes programs about 8% faster ;-)

We are running more architectures than the OpenBSD project, with more and
more packages. The overhead cost (8%) sounds good to me, but what about the
cost to rebuild the entire archive? 

And if I need one package without the protection? Will we keep two
archives? Debian can't; it's obviously a bad idea. But if anyone can
rebuild the entire Woody for i386 with propolice, stackguard or anything
like that, good too!

I guess that Debian can support one more kernel flavor, it's so easy. You
can see the previously commented patch called grsecurity; it has PaX and
more interesting features to enhance security without rebuilding the entire
system. Comments here?

Gustavo Franco -- <stratus@acm.org>
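As an added illustration (not code from this thread, ProPolice, or Debian) of what the stack-smashing protection under discussion actually checks: a guard word is placed next to the local buffer and verified before the function returns, so an unbounded copy that runs past the buffer is detected rather than silently corrupting the frame. The "frame" below is an ordinary struct with a fixed, constructed guard value so the demo is deterministic and portable; a real protector places the guard in the stack frame and picks a random value at program start.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a protected frame: a local buffer followed by a
 * guard ("canary") word, as ProPolice-style protection arranges them. */
#define BUF_SIZE 16

/* Assumed, fixed guard value for the demo; real protectors randomise it. */
static const uint32_t GUARD = 0xA5C3F00DU;

struct frame {
    char buf[BUF_SIZE];   /* local buffer, filled toward higher addresses */
    uint32_t guard;       /* canary placed directly after the buffer */
};

/* The "before" pattern: an unbounded copy into the buffer. Returns 1 if the
 * guard survived (no overflow) and 0 if the guard word was clobbered, which is
 * exactly the condition a stack protector aborts on at function exit. */
int unbounded_copy_guard_ok(const char *input)
{
    struct frame f;
    f.guard = GUARD;
    /* Emulates strcpy(buf, input) through the struct's object representation,
     * so a long input spills from buf into the guard word. */
    size_t n = strlen(input) + 1;
    if (n > sizeof f)
        n = sizeof f;                 /* keep the demo inside the struct */
    memcpy(&f, input, n);
    return f.guard == GUARD;
}

/* The fix: a bounded copy that truncates to the buffer and NUL-terminates,
 * so the guard is never touched regardless of input length. */
int bounded_copy_guard_ok(const char *input)
{
    struct frame f;
    f.guard = GUARD;
    snprintf(f.buf, sizeof f.buf, "%s", input);
    return f.guard == GUARD;
}

int main(void)
{
    const char *short_input = "hello";                        /* constructed */
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAA";      /* constructed, 24 bytes */

    printf("unbounded, short input: guard %s\n",
           unbounded_copy_guard_ok(short_input) ? "intact" : "smashed");
    printf("unbounded, long input:  guard %s\n",
           unbounded_copy_guard_ok(long_input) ? "intact" : "smashed");
    printf("bounded,   long input:  guard %s\n",
           bounded_copy_guard_ok(long_input) ? "intact" : "smashed");
    return 0;
}
```

The guard check only reports the overflow after it has happened; the bounded copy is what prevents it. That is the 8% overhead trade-off from the thread in miniature: the protector adds a store and a compare per protected function, while the real fix stays a bounded copy in the source.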
