Propolice patch updated for use with GCC 3.2.2

Dagmar d'Surreal dagmar.wants at nospam.com
Fri Feb 28 00:09:29 PST 2003


For those who have been unaware of it, one of the more useful tools for
slapping together semi-hardened systems with for some time has been
various incarnations of patches to gcc that prevent, obfuscate, or
severely hamper the utility of the classic buffer-overflow exploit.

Since IBM is very big on security (even if they are slow with AIX) they
semi-recently picked up the ball and decided to run with it a bit and
have been maintaining one of the nicer patches for this particular
stunt, and it's now been updated for use with gcc 3.2.2.

http://www.trl.ibm.com/projects/security/ssp/

Check it out.

In laymans' terms:

  * Previously working buffer overflow exploits (probably the majority
of bug exploitations fall into this category) will not work against
binaries compiled using this patch without serious modification.

  * This patch is dead easy to apply and use...  Just pass
-fstack-protector to gcc as you build whatever it is you're building,
same as any other -f flag.  If you don't, afaik the default is to
pretend you passed it -fno-stack-protector, which is the explicit way to
get unprotected binaries.  These binaries should, in-theory, come out
the exact same way binaries created by an unmodified gcc would.

  * With a patches like this (among other things), I've narrowly escaped
having some of my machines compromised for many years.  It's good
stuff.  At least use it against BIND so you'll sleep better at night.

  * Don't let the slight Engrish accent fool you.


-- 
The email address above is just as phony as it looks, and for obvious reasons.
Instant messaging contact nfo: AIM: evilDagmar  Jabber: evilDagmar at jabber.org

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list