From: Jakub Jelinek <jakub@redhat.com>
To: John Richard Moser <nigelenki@comcast.net>
Cc: Rik van Riel <riel@redhat.com>,
Arjan van de Ven <arjan@infradead.org>,
linux-kernel@vger.kernel.org, akpm@osdl.org
Subject: Re: Patch 4/6 randomize the stack pointer
Date: Sat, 29 Jan 2005 12:37:04 -0500 [thread overview]
Message-ID: <20050129173704.GM11199@devserv.devel.redhat.com> (raw)
In-Reply-To: <41FB2DD2.1070405@comcast.net>
On Sat, Jan 29, 2005 at 01:31:46AM -0500, John Richard Moser wrote:
> Finally, although an NX stack is nice, you should probably take into
> account IBM's stack smash protector, ProPolice. Any attack that can
> evade SSP reliably can evade an NX stack; but ProPolice protects from
> other overflows. Now I'm sure RH is over there inventing something that
> detects buffer overflows at compile time and misses or warns about the
> ones it can't identify:
>
> if (strlen(a) > 4)
> a[5] = '\0';
> foo(a);
>
> void foo(char *a) {
> char b[5];
> strcpy(b,a);
> }
>
> This code is safe, but you can't tell from looking at foo(). You don't
> get a look at every other object being compiled against this one that
> may call foo() either. So compile time buffer overflow detection is a
> best-effort at best.
If strlen(a) > 4 above, then -D_FORTIFY_SOURCE={1,2} compiled program
will be terminated in the strcpy call. At compile time it computes
that the strcpy call can fill in at most 5 bytes and if it copies more,
then it terminates.
> ProPolice protects local variables with 0 overhead; passed arguments
> with a few instructions; and the return pointer and stack frame pointer
> with a couple instructions. At runtime. Want to impress me? Actually
> deploy ProPolice instead of showing up 3 years from now waving around
> your own patch that you wrote that half-impliments half of it. If you
> want "something better," it's GPL, so grab it and start hacking.
__builtin_object_size () checking/-D_FORTIFY_SOURCE=n changes are (partly)
orthogonal to ProPolice. There are exploits prevented by
-D_FORTIFY_SOURCE={1,2} checking and not ProPolice and vice versa.
Things that the former protects and the latter does not are e.g.
some non-automatic buffer overflows or heap overflows, some format string
vulnerabilities and for automatic variables e.g. those that don't
overflow into another function's frame, but just overwrite other local
variables in the same function. ProPolice on the other side will detect
stack overflows that overflow into another function's frame, even if they
aren't done through string operations (<string.h>, s*printf, gets, etc.)
or if the compiler can't figure out what certain arguments to these
functions points to (and where) at compile time.
The ideas in IBM's ProPolice changes are good and worth
implementing, but the current implementation is bad.
FYI, you can find some details about -D_FORTIFY_SOURCE=n in
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
Jakub
next prev parent reply other threads:[~2005-01-29 17:37 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-27 10:11 Patch 0/6 virtual address space randomisation Arjan van de Ven
2005-01-27 10:12 ` Patch 1/6 introduce sysctl Arjan van de Ven
2005-01-27 10:36 ` Andi Kleen
2005-01-27 11:13 ` Arjan van de Ven
2005-01-27 18:16 ` Pavel Machek
2005-01-27 19:11 ` Ingo Molnar
2005-01-27 19:46 ` Dave Jones
2005-01-27 19:53 ` Ingo Molnar
2005-01-27 19:53 ` Arjan van de Ven
2005-02-04 21:27 ` Benoit Boissinot
2005-01-27 10:12 ` Patch 2/6 introduce helper infrastructure Arjan van de Ven
2005-01-27 10:41 ` Andi Kleen
2005-01-27 11:58 ` Arjan van de Ven
2005-01-27 12:27 ` Andi Kleen
2005-01-27 12:43 ` Arjan van de Ven
2005-02-01 21:14 ` Matt Mackall
2005-01-27 10:12 ` Patch 3/6 per process flag Arjan van de Ven
2005-01-27 10:13 ` Patch 4/6 randomize the stack pointer Arjan van de Ven
2005-01-27 10:21 ` Christoph Hellwig
2005-01-27 17:38 ` John Richard Moser
2005-01-27 17:47 ` Arjan van de Ven
2005-01-27 18:04 ` John Richard Moser
2005-01-27 18:09 ` Arjan van de Ven
2005-01-27 18:12 ` Christoph Hellwig
2005-01-27 18:16 ` Linus Torvalds
2005-01-27 18:28 ` Linus Torvalds
2005-01-27 18:55 ` John Richard Moser
2005-01-27 18:49 ` John Richard Moser
2005-01-27 19:30 ` Linus Torvalds
2005-01-27 19:48 ` Arjan van de Ven
2005-01-27 19:59 ` Linus Torvalds
2005-01-27 20:04 ` Arjan van de Ven
2005-01-27 20:08 ` John Richard Moser
2005-01-27 19:19 ` linux-os
2005-01-27 19:52 ` Julien TINNES
2005-01-27 20:02 ` Arjan van de Ven
2005-01-27 20:13 ` John Richard Moser
2005-01-27 21:33 ` jnf
2005-01-28 17:22 ` Paulo Marques
2005-01-28 17:51 ` John Richard Moser
2005-01-28 18:42 ` Ingo Molnar
2005-01-29 6:04 ` John Richard Moser
2005-01-27 20:37 ` linux-os
2005-01-27 20:45 ` John Richard Moser
2005-01-27 21:39 ` John Richard Moser
2005-01-27 21:53 ` Arjan van de Ven
2005-01-27 22:34 ` John Richard Moser
2005-01-29 2:50 ` Rik van Riel
2005-01-29 6:31 ` John Richard Moser
2005-01-29 8:10 ` Arjan van de Ven
[not found] ` <41FBB821.3000403@comcast.net>
2005-01-29 16:42 ` Arjan van de Ven
2005-01-29 16:59 ` John Richard Moser
2005-01-29 16:46 ` Arjan van de Ven
2005-01-29 17:04 ` John Richard Moser
2005-01-29 17:37 ` Jakub Jelinek [this message]
2005-01-29 17:49 ` John Richard Moser
2005-01-29 17:55 ` Christoph Hellwig
2005-01-29 18:10 ` John Richard Moser
2005-01-29 18:12 ` Rik van Riel
2005-01-29 18:16 ` Christoph Hellwig
2005-01-29 7:46 ` John Richard Moser
2005-01-27 18:40 ` Felipe Alfaro Solana
2005-01-27 22:31 ` Jirka Kosina
2005-01-28 5:58 ` Ingo Molnar
2005-01-28 19:02 ` David Lang
2005-01-28 7:33 ` Arjan van de Ven
2005-01-27 19:43 ` Julien TINNES
2005-01-28 0:10 ` H. Peter Anvin
2005-01-28 0:23 ` Roland Dreier
2005-01-28 1:06 ` H. Peter Anvin
2005-01-28 2:03 ` Horst von Brand
2005-01-28 8:45 ` Julien TINNES
2005-01-27 20:23 ` Christoph Hellwig
2005-01-27 20:27 ` Arjan van de Ven
2005-01-27 20:32 ` Christoph Hellwig
2005-01-27 20:35 ` Arjan van de Ven
2005-01-27 20:40 ` Rik van Riel
2005-01-27 20:42 ` Christoph Hellwig
2005-01-27 20:56 ` Arjan van de Ven
2005-01-27 21:13 ` Linus Torvalds
2005-01-27 10:13 ` Patch 5/6 randomize mmap addresses Arjan van de Ven
2005-01-27 10:14 ` Patch 6/6 default enable randomisation for -mm Arjan van de Ven
2005-01-27 11:45 ` Patch 0/6 virtual address space randomisation Julien TINNES
2005-01-27 11:57 ` Arjan van de Ven
2005-01-27 17:42 ` John Richard Moser
2005-01-27 19:34 ` Julien TINNES
2005-01-27 19:57 ` John Richard Moser
2005-01-27 20:13 ` Arjan van de Ven
2005-01-28 8:45 ` David Weinehall
-- strict thread matches above, loose matches on Subject: below --
2005-01-31 10:55 Patch 4/6 randomize the stack pointer linux
2005-01-31 17:28 ` John Richard Moser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050129173704.GM11199@devserv.devel.redhat.com \
--to=jakub@redhat.com \
--cc=akpm@osdl.org \
--cc=arjan@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nigelenki@comcast.net \
--cc=riel@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox