On Sun, 25 Jun 2006, Declan Moriarty wrote:
> Yes, actually you are right.
Well, "paul" and "right" are two words often used in the same
> But unless you know the system intimately at a code level, you
> won't have a great idea of what those bits of the system are, will
> you? Hence the all or nothing approach is best. Or, you could grok
> all the code...
Well, no. Again:
- most stack overflows are of local variables in /application/ code
(not library code), even where the actual overflow occurs via some
There is a technical reason why this /tends/ to be true: Library
code tends to either take storage as a parameter (e.g. a local
variable in a caller) from the caller or allocate required storage
from the heap (local storage in a library function tends not to
last long enough ;) ). So SSP tends to have greater impact in
application code itself.
- Stack overflows greatest security impact is in network-enabled
- you don't need to be a code wizard to figure out what
applications those are, use "nmap"
- hence you can recompile just those applications and realise a
significant security benefit
- SSP has a performance impact, so there is value in not applying
it to code where it won't have any security benefits
IIRC: at least one distro only /selectively/ compiled network-enabled
applications with SSP, precisely due to the above reasoning ;).
> And the biggest word in there was the "IF". I think it extremely
> unlikely that a vanilla gcc-4.1 will compile on any sort of an old
I havn't dug around gcc sources, but I have to say that would
surprise me given that:
a) gcc (regardless of fact that it is a compiler) is meant to be
b) I would /suspect/ that compilers would tend to be quite
free-standing bodies of code, with the most minimal of external
dependencies of any code you could find.. (just a suspicion..)
> They seem to be using very recent kernel headers and binutils
> versions to get it going.
Binutils maybe. Kernel headers??? You thinking of glibc maybe?
Paul Jakma paul at clubi.iepaul at jakma.org Key ID: 64A2FF6A
Judging from the behavior of some people...not all jackasses have tails.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!