r172 - trunk/BOOK/chapter02

manuel at linuxfromscratch.org
Sat Feb 12 11:47:11 PST 2005


Author: manuel
Date: 2005-02-12 12:47:11 -0700 (Sat, 12 Feb 2005)
New Revision: 172

Modified:
   trunk/BOOK/chapter02/ssp.xml
Log:
Fixed spp.xml.

Modified: trunk/BOOK/chapter02/ssp.xml
===================================================================
--- trunk/BOOK/chapter02/ssp.xml	2005-02-12 19:41:03 UTC (rev 171)
+++ trunk/BOOK/chapter02/ssp.xml	2005-02-12 19:47:11 UTC (rev 172)
@@ -4,10 +4,10 @@
   %general-entities;
 ]>
 <sect1 id="ch-tools-ssp">
-<title>Smashing Stack Protector</title>
+<title>Stack Smashing Protector</title>
 <?dbhtml filename="ssp.html"?>
 
-<para>Based on StackGaurd, Smashing Stack Protector (SSP) was developed by IBM's
+<para>Based on StackGaurd, Stack Smashing Protector (SSP) was developed by IBM's
 Hiroaki Etoh for protecting applications from stack smashing attacks. This is
 the single largest class of attacks. There has been some effort to include SSP
 in the mainstream GCC, but this has yet to surface. Many distributions have
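Review bot: the retitled line "+<para>Based on StackGaurd, Stack Smashing Protector (SSP) ..." still carries the misspelling "StackGaurd"; since this line is being rewritten anyway, correct it to "StackGuard" in the same change rather than leaving a second typo fix for later. The trailing context sentence "This is the single largest class of attacks." is unsupported in this chapter; either cite where the claim comes from or soften it to "one of the most common classes of attacks".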
@@ -25,25 +25,9 @@
 class="libraryfile">libc.so</filename> and <filename class="libraryfile">libc.a</filename>. 
 <function> __guard_setup</function> is a function
 used to create a unique and random value for <function>__guard</function> each
-time it is run. The Frandom kernel patch was added to solve an entropy starvation bug 
-caused by SSP needing a random seed for every program at run time. Frandom adds the 
-<filename class="devicefile">erandom</filename> device (economical random) which 
-uses the state of <filename class="devicefile">frandom</filename> as a seed. 
-<filename class="devicefile">frandom</filename> is seeded from the kernel's 
-<filename class="devicefile">random</filename> device. The result is that 
-<filename class="devicefile">erandom</filename> does not consume any
-kernel entropy while producing crypto quality output. In the event of a stack
-overflow the <function>__stack_smash_handler</function> function will use the 
-Libc syslog facility to record the overflow, which typically depends on 
-<filename class="devicefile">/dev/log</filename>, and will abort the
-program. The <filename class="devicefile">erandom</filename> device is available 
-from the sysctl interface so it will work threw chroot. If the Erandom sysctl interface is not 
-working for whatever reason the <function>__guard_setup</function> function will attempt 
-to use <filename class="devicefile">/dev/urandom</filename> or
-<function>gettimeofday</function> to seed the <function>__guard</function>. The use 
-of <filename class="devicefile">urandom</filename> will cause entropy
-starvation, and <function>gettimeofday</function> is not random, so this fallback is not 
-ideal but provided as a safety net.</para>
+run time. In the event of a stack overflow the <function>__stack_smash_handler</function> 
+function will use the Libc syslog facility to record the overflow, which typically depends on 
+<filename class="devicefile">/dev/log</filename>, and will abort the program. </para>
 
 <para><parameter>-fstack-protector</parameter> only protects functions with arrays of 
 length seven of less. <parameter>-fstack-protector-all</parameter> protects all functions 
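Review bot: the joined sentence now reads "...a unique and random value for __guard each" / "run time.", i.e. "each run time", which is ungrammatical; restore "each time it is run" (the wording the removed line had) or use "at each run". Removing the whole Frandom/erandom block also drops the only statement of where __guard_setup gets its randomness, including the /dev/urandom and gettimeofday fallbacks the old text described; a reader of the new paragraph is left with no seed source at all, so consider keeping one sentence naming the source the build actually uses. Minor points on the same hunk: the "+" lines keep trailing whitespace and "abort the program. </para>" has a stray space before the closing tag, and the unchanged context "arrays of length seven of less" should read "or less".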
More information about the hlfs-dev mailing list