Bugtraq mailing list archives
Re: http://www.smashguard.org
From: Seth Arnold <sarnold () wirex com>
Date: Thu, 5 Feb 2004 10:06:03 -0800
On Wed, Feb 04, 2004 at 01:26:29PM +0800, Leon Harris wrote:
> Certain apps (notably java virtual machines) manipulate stack return addresses. I understood that one of the advantages of Immunix's product StackGuard was that you could still run these types of apps by statically linking them against a normal libc (and chrooting them or otherwise confining them). If the protection is mandatory, and in hardware, then surely these types of app won't work.
Leon, the limitations with StackGuard and Java Just in Time compilers and virtual machines have been removed with newer versions of StackGuard. StackGuard 2, based on egcs (gcc 2.91.66), had an unfortunate location in the stack layout for the canary which caused problems for applications that 'knew' the stack layout well enough to introspect the stack. Newer versions of StackGuard have since remedied the location of the canary (to be more secure, while we're at it) such that applications that are stack-introspective no longer need to be patched to know a 'new' stack layout. StackGuard 3 uses a better location that is transparent to gdb, mozilla, JITs, etc.

Of course, I don't want to say what forms of applications may or may not run on a SmashGuard system; however, the JVMs and JITs may or may not function on SmashGuard on their own merits -- it was a limitation of earlier StackGuard releases that caused problems for JVMs, JITs, gdb, mozilla, etc.

Further information on StackGuard 3 may be found at:
http://immunix.org/stackguard.html

More information will be posted to this page as StackGuard continues development, and we will periodically announce new developments to the low traffic immunix-announce mail list:
http://mail.immunix.com/mailman/listinfo/immunix-announce

Thanks Leon

--
Immunix Secured Linux Distribution: http://immunix.org/