OpenBSD Stomping On Buffer Overflows

A reader writes:"There's a story on ZDNet that describes how Theo de Raadt & co. are hoping to eliminate buffer-overrun exploits for good. On closer inspection, it's a scheme to stop a buffer-overrun leading to executable code. It doesn't stop the buffer-overrun itself."

Includes ProPolice

[dwheeler]

The buffer overflow work is based on StackGuard, which was originally developed as a gcc extension and tried out in Immunix (a Linux distribution). However, instead of StackGuard, they're using IBM's ProPolice. ProPolice implements the same basic idea, but the patch itself works more cleanly across CPU architectures. Also, ProPolice has a simple optimization - it only enables the canary protection if the function has a char (like) array. This is a heuristic, but a reasonable one - most buffer overflow attacks exploit such arrays, and by doing this ProPolice has a lower performance overhead (without losing much in the way of protection).

Libsafe only protects a few built-in functions; it's not a bad idea, but it's FAR less effective than StackGuard or ProPolice. The Openwall kernel patch is actually a collection of nifty capabilities. The "no executable stack" option is probably what you mean, but it turns out that there's a trivial way around it... so that part is only effective BECAUSE few people use it. Openwall has other stuff that's nice, though.

I think the reason these capabilities aren't in use everywhere (yet) is the conservatism of most distributions. Many distributions worry about any performance loss or compatibility loss. OpenBSD's primary focus is on security, so losing performance or backwards compatibility is not as serious an issue for them. I have hopes that these features will become more mainstream.