I was wondering if there is any point in having IBMs Propolice stack protector enabled as well as having ETDYN and Pax enabled?
Because I would rather turn off Propolice because it does give another preformance problem.
BTW: I know there was a thread about this a while ago but it did not come to a conclusion.
Propolice and Pax
4 posts
• Page 1 of 1
Re: Propolice and Pax
by PaX Team » Sat Sep 13, 2003 12:19 pm
there is of course a point in having multiple layers of defense (which is what this case is about), the more important question to answer is what combination you need/can afford.siti wrote:I was wondering if there is any point in having IBMs Propolice stack protector enabled as well as having ETDYN and Pax enabled?
Propolice protects against linear stack overflow exploit methods that want to change data (typically pointers) beyond the random canary on the stack. PaX protects against a (much) more generic category of exploit methods but it does so at a later phase in the attack (PaX allows the use of attacker modified pointers while Propolice does not, also Propolice prevents the modification of certain local variables/function arguments that would otherwise be exposed) therefore in the particular case where Propolice prevents the exploit PaX alone may be defeated. so if you're concerned about this exploit method (as in you want more guarantees than what PaX gives you for this case) then you're better off by using Propolice as well.
personally my preferred compiler based approach will be the stack frame reorganization of Propolice coupled with my planned return-to-libc prevention technique (return location checking as described in http://pageexec.virtualave.net/docs/pax-future.txt).
what kind of performance problems do you see? maybe you should also talk to the propolice author.Because I would rather turn off Propolice because it does give another preformance problem.
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
by siti » Sat Sep 13, 2003 4:56 pm
Thanks for the reply:)
heres the performance impact:
http://www.trl.ibm.com/projects/security/ssp/node5.html
heres the performance impact:
http://www.trl.ibm.com/projects/security/ssp/node5.html
- siti
- Posts: 18
- Joined: Fri Aug 08, 2003 6:30 pm
by PaX Team » Sat Sep 13, 2003 6:40 pm
ok, i thought it was something particularly bad in your own experience. as for the above report, it's quite outdated info, it would be interesting to see what the current version of propolice produces (also comparing the different propolice gcc versions to each other).siti wrote:heres the performance impact:
http://www.trl.ibm.com/projects/security/ssp/node5.html
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
4 posts
• Page 1 of 1