Thoughts On FBSD-ProPolice - BSD


  1. Thoughts On FBSD-ProPolice

    Hi!

    Anyone using SPP on FBSD?

    This patch is intended to bring the ProPolice stack-smashing protection (SSP) GCC patch into the FreeBSD 7.0-CURRENT source tree. ProPolice basically prevents exploits that use stack-based buffer overflows by setting a random integer (called the "canary") in the stack right before the return address. It is set in the function's prologue and verified during the epilogue; if it has changed, then a buffer overflow has occurred and the program commits suicide by killing itself with SIGABRT. Both userland and kernel may be protected.

    Furthermore, local automatic variables are reordered so that overflowing an array would not overwrite other automatic scalar variables belonging to the same function scope. Only functions containing arrays are protected. There is an option to activate the protection for every function (see below), though there is no obvious reason to do so.

    http://tataz.chchile.org/~tataz/FreeBSD/SSP/

    How common are "Stack Based Overflows?" Do you guys recommend that FBSD
    should use this to secure the O/S?
    I disable all unused services & use a PF firewall, along with yafic to
    check for any changes that I haven't made.


    I know that SPP is built in OpenBSD,
    but I think the OpenBSD ports tree is too small, I just like FBSD
    better, don't get me wrong, I think OpenBSD is also cool, they just
    need a larger ports tree.
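
The canary check and the variable reordering described in the post above, as a small C model added here (it is not part of the thread and not ProPolice's own code). The names `struct frame`, `run_frame` and the fixed `guard` value are assumptions made for the illustration, and the frame is an ordinary struct so the modelled overflow stays inside memory the program owns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Hypothetical model of one protected frame, lowest address first. The scalar
 * local sits below the array, so a write running upward past buf[] cannot
 * reach it, and it must cross the canary before reaching the return address. */
struct frame {
    uintptr_t scalar;         /* automatic scalar, reordered below the array */
    char      buf[BUF_LEN];   /* the array that gets overflowed */
    uintptr_t canary;         /* guard copy written by the prologue */
    uintptr_t ret;            /* stands in for the saved return address */
};

/* Constructed fixed guard so the demo is repeatable; a real guard is a
 * random value chosen per process. */
static const uintptr_t guard = (uintptr_t)0x00c0ffee5a5a0a00ULL;

struct result { int smashed; int ret_changed; int scalar_changed; };

/* Copies n bytes of src into buf with no check against BUF_LEN (the bug being
 * modelled), then does the epilogue comparison. The copy is clamped to the
 * model frame so the demo itself stays memory-safe. */
static struct result run_frame(const char *src, size_t n)
{
    struct frame f = { 7, {0}, 0, 0x1000 };
    const size_t off = offsetof(struct frame, buf);
    struct result r;

    f.canary = guard;                          /* prologue */
    if (n > sizeof f - off)
        n = sizeof f - off;
    memcpy((unsigned char *)&f + off, src, n); /* unchecked copy */
    r.smashed = (f.canary != guard);           /* epilogue: real SSP aborts here */
    r.ret_changed = (f.ret != 0x1000);
    r.scalar_changed = (f.scalar != 7);
    return r;
}

int main(void)
{
    char in[64];                               /* constructed oversized input */
    memset(in, 'A', sizeof in);
    struct result r = run_frame(in, sizeof in);
    printf("smashed=%d ret_changed=%d scalar_changed=%d\n",
           r.smashed, r.ret_changed, r.scalar_changed);
    return 0;
}
```

In the model the epilogue only reports the mismatch; the protection described in the post would raise SIGABRT at that point, before the altered return address is used.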




  2. Re: Thoughts On FBSD-ProPolice

    On 28 Oct 2007 11:45:27 -0400
    "Matthew X. Economou" wrote:

    > >>>>> "Timmy" == Timmy writes:

    >
    > Timmy> Hi! Anyone using SPP on FBSD?
    >
    > Wow, this is neat! My understanding was that Linux distributions
    > including Fedora Core and Debian already included features like this
    > to some extent, so it's nice to see stack overflow protections being
    > ported over to FreeBSD.


    I used it on Fedora-7. Not sure if SPP on Fedora or Debian would enable
    spp in binary packages. With FBSD you can add USE_SSP=yes to make.conf
    and it will use spp on every program you build from source.


    > Timmy> How common are "Stack Based Overflows?"
    >
    > Countermeasures like ASLR and stack canaries have reduced their
    > frequency, but they're still around. I am considering whether to
    > apply this patch to my own systems, since I use FreeBSD for almost all
    > of my Internet-facing services.


    I'm using it now, on a fresh install of 6.3-pre-release. Once I applied
    the patches and added USE_SSP=yes, WITH_SSP=yes to make.conf and
    started the buildworld, it failed about 15 minutes in, complaining about
    unable to get dir access or something like that. I rebooted and logged
    into root, cleaned up obj and ran make buildworld and rebuilt the kernel
    from root, then booted into single user and ran mergemaster/installworld
    and it all works fine. All of the programs I've installed so far haven't
    failed: Firefox, fluxbox, etem, mplayer, claws-mail, xmms. I have more
    programs to install, so far so good :-)


    > Timmy> I disable all unused services & use a PF firewall, along
    > Timmy> with yafic to check for any changes that I haven't made.
    >
    > These are all good practices, but they won't protect you from a
    > working exploit on an exposed networked service.


    I'm reading Addison Wesley, Exploiting Software, How to Break Code,
    just started reading it, I think this book will give me some good
    information on overflow/exploits and how to protect against them. Who
    knew securing a desktop would be so freaking complicated? :-) Oh, well,
    it's fun learning this stuff.


    > Regards,
    > Matthew
    >

