Current-Users archive


Re: Stack Smash Protection disabled (was HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386)

On Fri, Nov 13, 2009 at 12:01 AM, David Holland
<dholland-current%netbsd.org@localhost> wrote:

>  > However, for pure fun, let's look at the "rationale" here. If your
>  > kernel is built without SSP and a vulnerability that it might have
>  > protected against is being exploited, [...]
>
> Well yes, and here's the thing. You are falling into the standard trap
> of computer security cost/benefit analysis: you're assuming that the
> risk of being attacked is infinite, and therefore the benefit of any
> protection device outweighs its cost regardless of what the cost is.

It seems we have all become economists and marketing experts.

I am not assuming the risk is infinite. I have pointed out that the
impact of a stack overrun is the same in 1988 and in 2009, yet the
speed of hardware on which software runs changed dramatically. This is
a very important point. Next year we'll have faster computers that
might drastically change the 5% figure; they will not change what
happens if a stack overrun is exploited.

(If you are interested in sticking to your economic terms, I suggest
reading up on the impact of "unforeseen, random" events on markets.)

> There isn't exactly a long history of kernel-level stack-smashing
> attacks. In fact, I can't offhand remember hearing about a single one
> (other than in Windows) -- doubtless someone will refresh my memory,
> but nonetheless it doesn't seem like a very high risk. And therefore,
> it doesn't seem to me that there's much benefit, and in particular,
> not enough to outweigh the cost.

You begin by stating that there isn't a history of it, then you
suggest that it is merely your own experience, and then you rule out
the most popular OS in the market. I won't deteriorate this thread to
pasting links from google searches; I am going to suggest, though,
that people think about a possible link between the "popularity index"
of an OS and the number of published vulnerabilities of any type for
that matter.

> It's been noted elsewhere that theoretically the overhead of SSP is
> not supposed to be 5%; it's supposed to be negligible. Where is this
> 5% overhead coming from?

That does not matter. What matters is if it's measurable in normal
use, and how long this figure is going to remain with us.

David, overall it seems you're suggesting that just because we're not
seeing or experiencing something it is not there or will not happen to
us. That behavior characterizes some animals in nature; one would hope
not the kind that use and develop NetBSD.

-e.
