Stack Smashing Protection - are we obsolete?

Tomasz Pala gotar at polanet.pl
Sat Sep 19 11:54:50 CEST 2015


OK, I see you've already commited this, so forwarding to pld-devel-pl as
this is important and might have consequences that must be dealt with.

On Fri, Sep 18, 2015 at 21:57:46 +0200, Arkadiusz Miśkiewicz wrote:

> On Friday 18 of September 2015, Tomasz Pala wrote:
>> 
>> %_ssp_cflags	-fstack-protector --param=ssp-buffer-size=4
>> 
>> instead superior -fstack-protector-strong which seems to be taken as
>> default in many distros, even on gcc level?
> 
> Looks like our version was used by distros back then... I have no problems 
> with switching to -fstack-protector-strong.
> 
> http://www.phoronix.com/scan.php?page=news_item&px=MTM5NjQ
> 
> http://outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
> 
> https://wiki.debian.org/Hardening
> "Prior to GCC 4.9, `-fstack-protector --param ssp-buffer-size=4' is used to 
> cover functions that defines a 4 or more byte local character array, which is 
> an okay balance for security and performance. For those who want to protect 
> all the functions then -fstack-protector-all is recommended.
> 
> Since GCC 4.9, -fstack-protector-strong, an improved version of -fstack-
> protector is introduced, which covers all the more paranoid conditions that 
> might lead to a stack overflow but not trade performance like -fstack-
> protector-all, thus it becomes default."

-- 
Tomasz Pala <gotar w pld-linux.org>


More information about the pld-devel-pl mailing list