At 2:10 PM -0600 2/4/03, Brandon D. Valentine wrote:
On Tue, Feb 04, 2003 at 11:51:14AM -0800, Justin Lundy wrote: > Has similar work been done in FreeBSD been done? This would be > a nice feature in 5.0-CURRENT. We had SecureBSD, and the IBM > port of propolice, but both projects appear to be defunct at > present.
It would be much smarter to follow what OpenBSD is doing with propolice, and revive a freebsd project of *that*.
> ----- Forwarded message from Eugene Tsyrklevich <[EMAIL PROTECTED]> -----
> "Add a possibility to add a random offset to the stack on exec.
> This makes it slightly harder to write generic buffer overflows.
> This doesn't really give any real security, but it raises the
> bar for script-kiddies and it's really cheap.
AFAIK, no. No similiar work has been done in FreeBSD.
Personally I think if one is going to expend effort in making the
stack more secure the proper way to do this is to follow NetBSD's
example and switch to a signal trampoline provided by libc so that
stack pages can be marked non-executable in the first place.
Adding random offsets to the stack is never going to be more than
a hack.
I agree that random offsets will not buy much in the way of security, but it might make some kinds of initialization errors more obvious. I'm thinking of the kind of errors where a routine forgets to initialize a key variable, but everything "seems to work" because the routine happens to always pick up the same value off the stack. By adding random offsets, the routine *might* at least behave differently each time it's run. Okay, I'll admit that even that is a bit of a long-shot... -- Garance Alistair Drosehn = [EMAIL PROTECTED] Senior Systems Programmer or [EMAIL PROTECTED] Rensselaer Polytechnic Institute or [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
