On Mon, Aug 18, 2003 at 11:38:46PM -0700, Crispin Cowan wrote:
>
> ProPolice does not protect functions containing arrays of length 7 or
> less. We don't know what other cases exist in which ProPolice fails to
> protect. This kind of risk exists precisely because of the design choice
> that gives ProPolice its multi-architecture capability: putting the
> protection way up high in the compiler. This creates the potential for
> later stages of GCC to optimize away the security checks, or move them
> so far away from relevant code that they are no longer effective. When
> you choose ProPolice, you choose CPU portability over security.
You're correct that OpenBSD/ProPolice does not protect buffers of length 7
or less, but your analysis appears to be completely wrong.
It's just a simple #define SUSPICIOUS_BUF_SIZE, and looks to be there for
performance reasons. If you run with -Wstack-protector, PP will warn
explicitly when it skips a too-small buffer. If you are feeling particularly
paranoid and don't mind the performance hit, just crank the define down
and recompile GCC.
It certainly isn't gcc optimising away the checks, or anything to do with
architecture.
--
Anil Madhavapeddy http://anil.recoil.org
University of Cambridge http://www.cl.cam.ac.uk
>
> ProPolice does not protect functions containing arrays of length 7 or
> less. We don't know what other cases exist in which ProPolice fails to
> protect. This kind of risk exists precisely because of the design choice
> that gives ProPolice its multi-architecture capability: putting the
> protection way up high in the compiler. This creates the potential for
> later stages of GCC to optimize away the security checks, or move them
> so far away from relevant code that they are no longer effective. When
> you choose ProPolice, you choose CPU portability over security.
You're correct that OpenBSD/ProPolice does not protect buffers of length 7
or less, but your analysis appears to be completely wrong.
It's just a simple #define SUSPICIOUS_BUF_SIZE, and looks to be there for
performance reasons. If you run with -Wstack-protector, PP will warn
explicitly when it skips a too-small buffer. If you are feeling particularly
paranoid and don't mind the performance hit, just crank the define down
and recompile GCC.
It certainly isn't gcc optimising away the checks, or anything to do with
architecture.
--
Anil Madhavapeddy http://anil.recoil.org
University of Cambridge http://www.cl.cam.ac.uk
[ reply ]