Improving security

Steve G linux_4ever at yahoo.com
Thu Oct 14 11:11:45 UTC 2004


>Stack Smash Protection sounds like a cool feature to me. I don't know 
>what the performance impact is, but as a developer even if it is too slow 
>to use by default I would love to have it integrated into the gcc 
>shipped by Fedora to make debugging easier.

I use a specially doctored version of gcc with propolice compiled in. I have
helped code review & submit corrections to propolice. I can say that it's pretty
good, but not bulletproof. It's worth adding for the fact that it is one more
layer should there be holes in the other protection mechanisms. Performance is
pretty good. 5-10% performance hit. However, there is one small issue. It needs
to read from /dev/random and write to /dev/syslog. This is not in all policies
and has to be manually added. I see the avc messages all the time.

I also use libsafe which seems to catch more stack smashing attempts than
propolice. I have corrected a number of bugs in it and shared them with the
developers. I also extended libsafe to cover more vectors of attack. You can find
the updated copy here: www.web-insights.net/libsafe. There is a performance hit,
but it's small. I'd rather a 2 Ghz machine with cycles to burn run with libsafe +
propolice than spend 2 days setting up the machine after it's hacked. libsafe does
use an LD_PRELOAD variable to intercept calls. This means that it offers no
protection to setuid/setgid programs. selinux may also object to it.

>But if I understand it correctly PAX does more for example also make data 
>pages non executable, this might be something worth looking into.

Some of the things it does make software debug impossible. valgrind sometimes
has problems with it. I think there are some bits of it that are good, as well as
the openwall linux patch set. It would be better if these were adopted into the
kernel rather than maintained as a patch to it.

But something that neither of these address is plain logic errors. Every week I
find a pretty good problem that scanners (flawfinder/lint/valgrind), stack
protectors (propolice/libsafe), and SELinux cannot catch. Part of the solution
has to be peer review.

-Steve Grubb
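Added example, not part of Steve's post: the avc denials he mentions (a propolice-built binary reading /dev/random and writing to the syslog socket under a policy that lacks those rules) can be picked out of the kernel log and turned into the allow rules the admin has to add. The log lines below are constructed, in the 2004-era audit/avc format; the type names random_device_t and devlog_t are the reference-policy ones, and the output approximates what audit2allow would emit.

```python
import re
from collections import defaultdict

# Constructed sample avc denials (not real log output). Three come from a
# propolice-instrumented httpd and sshd lacking policy for /dev/random and
# /dev/log; the last is an unrelated denial that must be ignored.
SAMPLE_AVC_LOG = """\
audit(1097751105.321:0): avc:  denied  { read } for  pid=2103 exe=/usr/sbin/httpd name=random dev=tmpfs ino=1123 scontext=root:system_r:httpd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
audit(1097751105.322:0): avc:  denied  { write } for  pid=2103 exe=/usr/sbin/httpd name=log dev=tmpfs ino=1998 scontext=root:system_r:httpd_t tcontext=system_u:object_r:devlog_t tclass=sock_file
audit(1097751106.004:0): avc:  denied  { read } for  pid=2210 exe=/usr/sbin/sshd name=random dev=tmpfs ino=1123 scontext=root:system_r:sshd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
audit(1097751106.010:0): avc:  denied  { read } for  pid=2103 exe=/usr/sbin/httpd name=random dev=tmpfs ino=1123 scontext=root:system_r:httpd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
audit(1097751107.500:0): avc:  denied  { getattr } for  pid=2300 exe=/bin/ls name=shadow dev=hda2 ino=40 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")


def stack_protector_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for the denials
    propolice instrumentation causes: reading the random device and writing
    to the syslog socket. Everything else in the log is left alone."""
    wanted = {("random_device_t", "chr_file"), ("devlog_t", "sock_file")}
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m["scontext"].split(":")[2]   # domain of the denied process
        ttype = m["tcontext"].split(":")[2]   # type of the object it touched
        if (ttype, m["tclass"]) not in wanted:
            continue                          # unrelated denial (ls on shadow)
        found[(stype, ttype, m["tclass"])].update(m["perms"].split())
    return dict(found)


def allow_rules(denials):
    """Render the policy lines to add, one per (domain, type, class) triple."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in denials.items())


if __name__ == "__main__":
    for rule in allow_rules(stack_protector_denials(SAMPLE_AVC_LOG)):
        print(rule)
```

Duplicate denials for the same triple collapse into one rule, so a chatty service does not produce a pile of identical lines.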
