Thoughts On FBSD-ProPolice

Hi!

Anyone using SPP on FBSD?

This patch is intended to bring the ProPolice stack-smashing protection (SSP) GCC patch into the FreeBSD 7.0-CURRENT source tree. ProPolice basically prevents exploits that use stack-based buffer overflows by setting a random integer (called the "canary") in the stack right before the return address. It is set in the function's prologue and verified during the epilogue ; if it has changed, then a buffer overflow has occured and the program commits suicide by killing himself with SIGABRT. Both userland and kernel may be protected.

Furthermore local automatic variables are reordered so that overflowing an array would not overwrite other automatic scalar variables belonging to the same function scope. Only functions containing arrays are protected. There is an option to activate the protection for every functions (see below), tough there is no obvious reason to do so.

http://tataz.chchile.org/~tataz/FreeBSD/SSP/

How common are "Stack Based Overflows?" Do you guys recommend that FBSD
should use this to secure the O/S?
I disable all unused service's & use a PF firewall, along with yafic to
check for any changes that I haven't made.

I know that SPP is built in OpenBSD,
but I think the OpenBSD ports tree is too small, I just like FBSD
better, don't get me wrong, I think OpenBSD is also cool, they just
need a larger ports tree.

On 28 Oct 2007 11:45:27 -0400
"Matthew X. Economou" wrote:

> >>>>> "Timmy" == Timmy writes:
>
> Timmy> Hi! Anyone using SPP on FBSD?
>
> Wow, this is neat! My understanding was that Linux distributions
> including Fedora Core and Debian already included features like this
> to some extent, so it's nice to see stack overflow protections being
> ported over to FreeBSD.

I used it on Fedora-7. Not sure if SPP on Fedora or Debian would enable
spp in binary packages. With FBSD you can add USE_SSP=yes to make.conf
and it will use spp on every program you build from source..

> Timmy> How common are "Stack Based Overflows?"
>
> Countermeasures like ASLR and stack canaries have reduced their
> frequency, but they're still around. I am considering whether to
> apply this patch to my own systems, since I use FreeBSD for almost all
> of my Internet-facing services.

I'm using it now, on a fresh install of 6.3-pre-release. Once I applied
the patches and added USE_SSP=yes, WITH_SSP=yes to make.conf and
started the buildworld it failed about 15-minutes in complaing about
unable to get dir access or something like that, I rebooted and logged
into root, cleaned up obj and run make buildworld and rebuilt the kernel
from root, then booted into single user and run mergemaster/installworld
and it all works fine. All of the programs I've installed so far haven't
failed, Firefox, fluxbox, etem, mplayer, claws-mail, xmms. I have more
programs to install, so far so good :-)

> Timmy> I disable all unused service's & use a PF firewall, along
> Timmy> with yafic to check for any changes that I haven't made.
>
> These are all good practices, but they won't protect you from a
> working exploit on an exposed networked service.

I'm reading Addison Wesley, Exploiting Software, How to Break Code,
just started reading it, I think this book will give me some good
information on overflow/ exploits and how to protect against them.. Who
knew securing a desktop would be so freaking complicated? :-) Oh, well
its fun learning this stuff..

> Regards,
> Matthew
>

Thoughts On FBSD-ProPolice - BSD

Thread: Thoughts On FBSD-ProPolice

LinkBack

Tools

Thoughts On FBSD-ProPolice

Re: Thoughts On FBSD-ProPolice