[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Stack Smash Protection disabled (was HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386)
- To: Thor Lancelot Simon <tls%panix.com@localhost>
- Subject: Re: Stack Smash Protection disabled (was HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386)
- From: Ty Sarna <ty%sarna.org@localhost>
- Date: Fri, 13 Nov 2009 11:48:32 -0500
On Nov 13, 2009, at 11:36 AM, Thor Lancelot Simon wrote:
On Fri, Nov 13, 2009 at 05:01:34AM +0000, David Holland wrote:
It's been noted elsewhere that theoretically the overhead of SSP is
not supposed to be 5%; it's supposed to be negligible. Where is this
5% overhead coming from?
One possibility is our non-default settings for the stack
tell GCC to protect access to all objects -- not just objects large
to contain an address, which is the default.
So, perhaps we can enable full-on protection for some things, as
before, but use default settings for everything else and get most of
the benefit with a smaller overhead? Or maybe we should use default
This seems insufficiently researched to me. I think we ought to
understand what's going on better before accepting a 5% penalty that
we may not need to, or conversely accepting the risk of doing without
SSP when the cost might be easily reduced. Not to mention having a
flamewar either way...
Main Index |
Thread Index |