Firewall Wizards mailing list archives
StackGuarded Red Hat 5.2 Released
From: Crispin Cowan <crispin () cse ogi edu>
Date: Tue, 12 Oct 1999 11:02:16 -0700 (PDT)
We have just released the (long-awaited :-) StackGuarded Red Hat 5.2 Linux
distribution. We have also moved. The new home page for StackGuard in
particular, and Immunix in general, is now:
http://immunix.org/
About WireX StackGuard:
StackGuard is a compiler for producing programs that are resistant to
the "stack smashing" variety of buffer overflow attacks. StackGuard
does this by emitting code to do integrity checks on the stack for
every function call. If the activation record has been corrupted
when a function tries to return, instead of handing control to the
attacker by jumping to the attacker's code, StackGuard syslog's the
intrusion attempt and halts the program.
StackGuard is implemented as a small patch to gcc. Programs should
transparently recompile with StackGuard protection without difficulty.
This new release includes an improved StackGuard compiler with the
following enhancements:
- Faster: the integrity checking procedure has been improved to
  use fewer instructions.
- General Random Canary Support: StackGuard now provides for both
  the "Terminator" and "Random" styles of integrity checking
  in both normal code and in shared libraries.
About the StackGuarded Red Hat 5.2 Linux Distribution:
We have re-compiled all of the C programs that come with a Red Hat
5.2 Linux distribution with StackGuard. The result is a system
that is generally impervious to stack smashing. We have had this
system running in production on our workstations for over two months,
with no difficulties encountered.
Previously, we built Red Hat 5.1 with an older StackGuard.
That version has been running in production for over a year without
difficulties. We have had hundreds of downloads, with no bugs found.
We have benchmarked StackGuard protection overhead using the WebStone
benchmark against a StackGuarded Apache server, and an SSH throughput
experiment through the loopback interface. In both cases, StackGuard
protection for these security-critical network services imposed no
noticeable overhead.
About Immunix.org:
Immunix.org is the freeware security portal of WireX Communications,
Inc. Immunix.org will provide a variety of security enhancing
tools, and secured Linux systems. This distribution will be known as
"WireX Immunix". Presently the Immunix Linux distribution is Red
Hat 5.2 protected with StackGuard, but it will grow to include a
variety of security enhancing tools. Details are available on line
at http://immunix.org/
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
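
The integrity check described in the announcement can be modelled in a few lines of C. This is an added example, not part of the original post and not StackGuard's own code; the frame layout, the canary and return-address values, and all function names are assumptions made for the sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Modelled activation record (illustrative layout, not gcc's real frame):
 * [0..15] local buffer | [16..19] canary | [20..23] saved return address */
enum { CANARY_OFF = 16, RET_OFF = 20, FRAME_SZ = 24 };
enum { RETURNED = 0, HALTED = 1, HIJACKED = 2 };
#define TERMINATOR_CANARY 0x000aff0dU /* sketch value: NUL, LF, 0xFF, CR bytes */
#define SAVED_RET         0x08048000U /* constructed stand-in return address */

/* "Random" style: a per-process value chosen at start-up. */
uint32_t random_canary(void) {
    uint32_t c = 0x5eed1234U;           /* fallback if no entropy source */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) { if (fread(&c, sizeof c, 1, f) != 1) c = 0x5eed1234U; fclose(f); }
    return c;
}

/* One protected call: prologue, unchecked string copy, epilogue check. */
int guarded_call(const char *input, uint32_t canary) {
    unsigned char frame[FRAME_SZ] = {0};
    uint32_t ret = SAVED_RET, now;
    size_t i;
    memcpy(frame + CANARY_OFF, &canary, sizeof canary);   /* prologue */
    memcpy(frame + RET_OFF, &ret, sizeof ret);
    /* strcpy-like copy: no check against the 16-byte buffer, stops only at
     * NUL (clamped to the model so the demo itself stays in bounds). */
    for (i = 0; i < FRAME_SZ && input[i] != '\0'; i++)
        frame[i] = (unsigned char)input[i];
    if (i < FRAME_SZ) frame[i] = 0;
    /* epilogue: verify the canary before the return address is used */
    if (memcmp(frame + CANARY_OFF, &canary, sizeof canary) != 0)
        return HALTED;                  /* StackGuard: syslog and halt here */
    memcpy(&now, frame + RET_OFF, sizeof now);
    return now == SAVED_RET ? RETURNED : HIJACKED;
}

/* Input that rewrites the correct canary bytes on its way to the return
 * address: the terminator's NUL byte ends the string copy first. */
int replay_terminator(void) {
    char in[FRAME_SZ + 1];
    uint32_t c = TERMINATOR_CANARY;
    memset(in, 'A', FRAME_SZ);
    memcpy(in + CANARY_OFF, &c, sizeof c);
    in[FRAME_SZ] = '\0';
    return guarded_call(in, TERMINATOR_CANARY);
}

int main(void) {
    printf("short=%d overflow=%d replay=%d\n", guarded_call("hello", random_canary()),
           guarded_call("AAAAAAAAAAAAAAAAAAAAAAAA", random_canary()), replay_terminator());
    return 0;
}
```

A result of 1 (HALTED) is the case where the announcement says StackGuard logs the attempt and stops the program instead of returning.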
