On Mon Aug 18, 2003 at 10:13:20PM +0200, J.A. Magallon wrote: > > How about adding ProPolice stack protection to stock Mandrake GCC? > > I hope not. > I don't see the point of slowing down all the system (you have to > rebuild glibc, the kernel at least) just to protect against > buffer overflows. > > Buffer overflows are porpular in windows because it is damned open, > outlook executes automagically even a pig if it comes in an e-mail, > administrators tend to give admin permissions to everybody > because of badly designed apps (I have seen Photoshop not working > because it wanted to write at C:\, and us, poor Unix admins, had > made it read-only), and so on. > > In linux, you can do 2 things: > - shoot yourself on the feet, so you just break your own account. > - try to get root first, to make something useful with a buffer > overflow. > > And how about things written in other languages ? > For example, in C++ you are not allowed to reorder the stack. > Even more, you do not know the size the stack will grow to when > you enter a function. > > I see no gain here. Some pointer to more info ?
Not exactly true. A lot of vulns use buffer overflows to obtain root priv... you don't start off with root and overflow buffers for kicks. I'd like to see something like this, but not for a desktop OS. This is more suited to a hardened version of Corporate Server or something. Something like StackGuard+FormatGuard (from Immunix although I think they're quite out-dated) would be good (cover buffer overflows and format string vulns all at the same time). -- MandrakeSoft Security; http://www.mandrakesecure.net/ Online Security Resource Book; http://linsec.ca/ "lynx -source http://linsec.ca/vdanen.asc | gpg --import" {FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
pgp00000.pgp
Description: PGP signature
