search for: propolice

Hi, first sorry for cross-posting but I thought this patch might interest -CURRENT users as well as people concerned by security. I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step further than it has been realized so far. It is available here : http://tataz.chchile.org/~tataz/FreeBSD/SSP/ Everything is explained on the web page, but I will repeat some informations here. The patchset is splitted in two parts to ease the review of the patch....

Hi! This is the third and last patch. This patch makes the xen kernel buildable on OpenBSD by adding support for ProPolice. ProPolice has been added to standard GCC in version 4.1.x under the name Stack Smashing Protection (SSP). Cheers Christoph _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel

...running 6.2 on various servers without any tweaks (GENERIC kernel, binary updates via freebsd-update etc.) but lots of ports (apache, postgresql, diablo-jdk etc.) and would like to use stack smashing protection in order to harden my boxes and avoid many potential exploits. I've known about ProPolice/SSP for a while now (from the Gentoo world) and am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time after 7.0 is released I'd like to upgrade and apply SSP throughout kernel, userland and...

Hi all Does FreeBSD support a non-executable stack on any of the tier 1 and 2 platforms that has this feature? If not, are there any plans of implementing this and is there a patch I can use for 6.0 (when it is released)? Best regards db

1. I noticed the WITHOUT_SSP switch in src.conf(5). Does this mean that Propolice is currently used by default? 2. For debugging purposes, I'd like to rebuild my whole world with debugging symbols. Adding -g to the flags in make.conf seemed to do the trink until right before the installation of the new files. Doing a nm on libc.so.7 yielded all the symbols, as expected. Ho...

Hi All, Sorry to interrupt, but I recently downloaded and installed a pre-compiled package of OpenSSH 3.9p1 for Solaris. After installation everything seems to work well, but I notice that all of the child sshd daemons are running with a flag '-R' i.e. sh-3.00# ps -ef | grep sshd root 475 1 0 13:45:23 ? 0:00 /usr/local/sbin/sshd -4 root 643 475 0 14:10:55 ?

...very function will need it? Could this information also be encoded into a per-function local variable? Could your compiler generate code to maintain a separate stack for such information? Also, out of curiosity: are you working on something like Java security contexts? Or perhaps something like ProPolice canary values? -- Nick Johnson

Hi, R-2.1.1 OS: OpenBSD-current (3.8) on i386 Compiler:gcc version 3.3.5 (propolice) Thread model: single configure \ --with-readline \ --with-tcltk \ --with-tcl-config=/usr/local/lib/tcl8.4/tclConfig.sh \ --with-tk-config=/usr/local/lib/tk8.4/tkConfig.sh \ --with-libpng \ --with-jpeglib \ --with-zlib \ --with-bzlib \ --with-pcre \ --with-libiconv-prefix=/usr/...

Hi everyone, As a front-end developer, I'd like to add a language-specific information at a fixed location of each stack frame. The reason is that I want to retrieve this information when dynamically walking the stack. For example, X86 has the following stack layout for a function with two arguments and two locals: 12(%ebp) - second function parameter 8(%ebp) - first function

Hi, I compiled asterisk and chan_h323 on an Opteron in 64 bit mode. In the h323's Makefile I replaced in line 24 CFLAGS += -march=$(shell uname -m) by CFLAGS += -march=k8 and also tried CFLAGS += -m64 -march=k8 Both solutions do compile, but when starting asterisk, a load error occurs: undefined symbol: _ZN14H323Connection24OnUserInputInlineRFC2833ER15OpalRFC2833Infoi When I grep

Hi there, I was looking for stack smashing protection under freebsd, so i found libparanoia (/usr/ports/security/libparanoia), i had only one question using the normal 'make install' (so no copy-to-libc). If i add in /ert/make.conf: CFLAGS= -O -pipe -lparanoia -L/usr/local/lib COPTFLAGS= -O -pipe -lparanoia -L/usr/local/lib Will EVERYTHING build from that time (including

Hello, Edd > I am a student considering a compiler design based dissertation with > llvm. I am having problems building llvm on OpenBSD-current. I hope to > make a port of llvm for OpenBSD once I have figured out how to build What is the gcc version used there? -- With best regards, Anton Korobeynikov. Faculty of Mathematics & Mechanics, Saint Petersburg State University.

...self on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things * Add strict permission and ownership checks to programs reading ~/.ssh/config NB ssh(1) will now exit instead of trying to process a config with poor ownership or permissions * Implemented the ability to pass selected environment va...

...self on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things * Add strict permission and ownership checks to programs reading ~/.ssh/config NB ssh(1) will now exit instead of trying to process a config with poor ownership or permissions * Implemented the ability to pass selected environment va...

...k. > Could your compiler > generate code to maintain a separate stack for such information? > > Sure, but it's much more expensive than a simple push and pop. > Also, out of curiosity: are you working on something like Java > security contexts? Or perhaps something like ProPolice canary values? > > I'm working on VMKit, which implements a JVM on top of LLVM. And an easy way to walk the stack is to have a methodID stored in each stack frame to locate which method the frame belongs to. Nicolas

...gt; mask[w] = 0xff & (0xff<<(8-b)); > > That sounds like the correct fix to me but I shall leave it to you > guys to finish this off. I've inlined the patch as well as attaching > it in case you have a preference. > > This bug was noticed due to the propolice patches that are in > OpenBSD-current which caused the rsync tests (which I do regularly > for the build farm) to log messages like this: > > Jan 18 14:33:41 pandemonium rsync: stack overflow in function match_address > > I should have noticed this about 10 days ago but as this...

While building an OpenBSD port for LLVM 2.3 I encountered a few issues. The first one is that the system compiler $ gcc -v Reading specs from /usr/lib/gcc-lib/amd64-unknown-openbsd4.3/3.3.5/specs Configured with: Thread model: single gcc version 3.3.5 (propolice) Fails to build TableGen correctly which then crashes while processing the tables for ARM. I fixed this by using gcc 4.2.0 The second one is that there are 8 tests failing, but none of them seems to fail for reason linked to LLVM itself but rather peculiarities like grep not working the same way...

...quot;[linux]" Processing section "[profiles]" Loaded services file OK. Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions ^C bash-2.05b# cat /proc/version Linux version 2.4.22-2.4.22 (root@oberon) (gcc version 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r2, propolice)) #7 SMP Tue Dec 2 08:58:49 MET 2003 Please tell me what kind of diagnostics should I provide to be helpful. Cl< # Samba config file created using SWAT # from 127.0.0.1 (127.0.0.1) # Date: 2003/11/19 15:51:41 # Global parameters [global] security = user wins support = no...

Hi, R-2.1.1, R-patched, and the latest R-beta--all fail with same error OS: OpenBSD-current (3.8) on i386 Compiler:gcc version 3.3.5 (propolice) Thread model: single configure \ --with-readline \ --with-tcltk \ --with-tcl-config=/usr/local/lib/tcl8.4/tclConfig.sh \ --with-tk-config=/usr/local/lib/tk8.4/tkConfig.sh \ --with-libpng \ --with-jpeglib \ --with-zlib \ --with-bzlib \ --with-pcre \ --with-l...

...it skipped some near the end). Now I'm trying to compile xapian-bindings-0.9.2 on OpenBSD 3.7 but have run into a problem. After hours of searching the net I haven't found a solution. For reference gcc -v gives the following output: Configured with: Thread model: single gcc version 3.3.5 (propolice) And I'm using Python 2.3.5. This works fine: ./configure XAPIAN_CONFIG=/usr/local/src/xapian-core-0.9.2/xapian-config But when I run make I get the following (some parts removed because it's quite a long list of similar errors): make all-recursive Making all in python make all-recurs...