On Wed, Feb 04, 2004 at 01:26:29PM +0800, Leon Harris wrote:
> Certain apps (notably java virtual machines) manipulate stack return
> addresses. I understood that one of the advantages of Immunix's product
> StackGuard was that you could still run these types of apps by
> statically linking them against a normal libc (and chrooting them or
> otherwise confining them). If the protection is mandatory, and in
> hardware, then surely these types of app wont work.

Leon, the limitations with StackGuard and Java Just in Time compilers
and virtual machines have been removed with newer versions of
StackGuard. StackGuard 2, based on egcs (gcc 2.91.66), had an unfortunate
location in the stack layout for the canary which caused problems for
applications that 'knew' the stack layout well enough to introspect
the stack.

Newer versions of StackGuard have since remedied the location of the
canary (to be more secure, while we're at it) such that applications that
are stack-introspective no longer need to be patched to know a 'new'
stack layout. StackGuard 3 uses a better location that is transparent
to gdb, mozilla, JITs, etc.

Of course, I don't want to say what forms of applications may or may not
run on a SmashGuard system; however, the JVMs and JITs may or may not
function on SmashGuard on their own merits -- it was a limitation of
earlier StackGuard releases that caused problems for JVMs, JITs, gdb,
mozilla, etc.

Further information on StackGuard 3 may be found at:
http://immunix.org/stackguard.html

More information will be posted to this page as StackGuard continues
development, and we will periodically announce new developments to the
low traffic immunix-announce mail list:
http://mail.immunix.com/mailman/listinfo/immunix-announce

Thanks Leon

--
Immunix Secured Linux Distribution: http://immunix.org/

[ reply ]