Stack-Smashing Protection Added To OpenBSD gcc
DieNadel writes "As posted here, support for ProPolice was added to OpenBSD. You can check the announcement. Note that THERE ARE dependencies that should be taken care of before building a new kernel, even on -stable."
Does anyone know how this impacts the performance of the generated executables?
*sigh* back to work...
*Ahem*. No matter which way you go, you will hit something eventually. Throw a ton of noops into the stack, followed by the shellcode, and you've exploited an incrementing* stack.
* Terms like up & down don't work very well when talking about virtual space, as people may envision it differently. You seem to think of a higher memory address as "down"; others do not.
That's nice to hear, but I completely disagree. The only problem it has ever caused is the fact that people are lazy and run everything as root. Run every service as a normal user, remove SUID everywhere possible, and there is no way anyone can break in without a very bad kernel bug or some sort of system misconfiguration.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
They recently got round robin routing included in pf. They also got altq in pf. They already merged nat.conf into pf.conf. They did a massive suid audit and a major license audit. Now propolice. I thought OpenBSD was cool before a lot of this stuff came about. Some things like no-exec code are not available on all architectures though. There is also a calling for more gigabit equipment for further and continued testing, read the want pages and I believe Nate for more precise info, and make sure you contact him to make sure you don't get something already being donated.
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)