Current-Users archive

Re: Stack Smash Protection disabled (was HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386)



On Thu, Nov 12, 2009 at 08:45:27PM -0500, Elad Efrat wrote:
 > > I don't see that there's a convincing rationale for turning it on in
 > > the kernel.
 > 
 > Unfortunately for you that does not change the situation one bit.

Well, no. Unfortunately for *you* the rationale you seem to be
offering isn't convincing.

 > However, for pure fun, let's look at the "rationale" here. If your
 > kernel is built without SSP and a vulnerability that it might have
 > protected against is being exploited, [...]

Well yes, and here's the thing. You are falling into the standard trap
of computer security cost/benefit analysis: you're assuming that the
risk of being attacked is infinite, and therefore the benefit of any
protection device outweighs its cost regardless of what the cost is.

There isn't exactly a long history of kernel-level stack-smashing
attacks. In fact, I can't offhand remember hearing about a single one
(other than in Windows) -- doubtless someone will refresh my memory,
but nonetheless it doesn't seem like a very high risk. And therefore,
it doesn't seem to me that there's much benefit, and in particular,
not enough to outweigh the cost.

It's been noted elsewhere that theoretically the overhead of SSP is
not supposed to be 5%; it's supposed to be negligible. Where is this
5% overhead coming from?

-- 
David A. Holland
dholland%netbsd.org@localhost
