> Stack Smash Protection sounds like a cool feature to me. I don't know
> what the performance impact is, but as a developer even if it is too slow
> to use by default I would love to have it integrated into the gcc
> shipped by Fedora to make debugging easier.

I use a specially doctored version of gcc with propolice compiled in. I have helped code review & submit corrections to propolice. I can say that it's pretty good, but not bulletproof. It's worth adding for the fact that it is one more layer should there be holes in the other protection mechanisms. Performance is pretty good. 5-10% performance hit.

However, there is one small issue. It needs to read from /dev/random and write to /dev/syslog. This is not in all policies and has to be manually added. I see the avc messages all the time.

I also use libsafe which seems to catch more stack smashing attempts than propolice. I have corrected a number of bugs in it and shared them with the developers. I also extended libsafe to cover more vectors of attack. You can find the updated copy here: www.web-insights.net/libsafe. There is a performance hit, but it's small. I'd rather a 2 GHz machine with cycles to burn run with libsafe + propolice than spend 2 days setting up the machine after it's hacked.

libsafe does use an LD_PRELOAD variable to intercept calls. This means that it offers no protection to setuid/setgid programs. selinux may also object to it.

> But if I understand it correctly PAX does more for example also make data
> pages non executable, this might be something worth looking into.

Some of the things it does make software debug impossible. valgrind sometimes has problems with it. I think there are some bits of it that are good, as well as the openwall linux patch set. It would be better if these were adopted into the kernel rather than maintained as a patch to it.

But something that neither of these address is plain logic errors. Every week I find a pretty good problem that scanners (flawfinder/lint/valgrind), stack protectors (propolice/libsafe), and selinux cannot catch. Part of the solution has to be peer review.

-Steve Grubb
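As an added illustration (not code from the post, from ProPolice or from libsafe), the C program below models the guard ProPolice places above a stack buffer: a canary read from the random device in the prologue and re-checked before the function returns, so an overlong copy is caught rather than silently reaching the saved return address. The byte layout, function names and sample inputs are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the ProPolice guard: a random canary stored just above
 * a local buffer in the prologue and verified in the epilogue. Buffer and canary
 * share one byte array so the simulated overrun stays inside a single object. */
#define BUF_SIZE 16
#define CANARY_SIZE sizeof(uint64_t)

/* Fetch the guard from /dev/urandom (the post notes ProPolice reads /dev/random,
 * which the SELinux policy must allow); a fixed value is only a fallback. */
static uint64_t read_canary(void) {
    uint64_t c;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&c, sizeof c, 1, f) != 1)
        c = 0x5a5aa5a55a5aa5a5ULL;   /* predictable fallback, not a real guard */
    if (f != NULL)
        fclose(f);
    return c;
}

/* Copies `len` bytes into a 16-byte buffer without a length check, as a
 * buggy function would, then runs the canary check. Returns 1 if the guard
 * is intact, 0 if it was overwritten (ProPolice would abort and syslog). */
int guarded_copy(const unsigned char *input, size_t len) {
    unsigned char frame[BUF_SIZE + CANARY_SIZE];
    uint64_t canary = read_canary();
    memcpy(frame + BUF_SIZE, &canary, CANARY_SIZE);  /* prologue: place guard */
    if (len > sizeof frame)
        len = sizeof frame;       /* clamp so the model stays well-defined */
    memcpy(frame, input, len);    /* the unchecked copy */
    return memcmp(frame + BUF_SIZE, &canary, CANARY_SIZE) == 0;  /* epilogue */
}

/* Constructed inputs: one that fits, one that overruns by a canary width. */
int demo_legitimate(void) {
    const unsigned char in[] = "hello";
    return guarded_copy(in, sizeof in);
}
int demo_overflow(void) {
    unsigned char in[BUF_SIZE + CANARY_SIZE];
    memset(in, 'A', sizeof in);
    return guarded_copy(in, sizeof in);
}
int main(void) {
    printf("fits: %s\n", demo_legitimate() ? "guard intact" : "guard smashed");
    printf("overrun: %s\n", demo_overflow() ? "guard intact" : "guard smashed");
    return 0;
}
```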