The Stack-Smashing Protector (sometimes called SSP, formerly known as ProPolice) is an extension to the GNU Compiler Collection that helps mitigate the damage that can be done by buffer overflow-based attacks. In particular, it provides stack-smashing protection.
The Stack-Smashing Protector was originally written, and is still maintained, by Hiroaki Etoh of IBM.
So far it remains a patch external to GCC, and must be added to GCC by developers wishing to employ stack-smashing protection in their programs. At this time, only a small number of operating system developers utilize the Stack-Smashing Protector in their projects by default: OpenBSD and DragonFly BSD. GentooLinux also has a version of their software distribution (Hardened Gentoo) that contains the Stack-Smashing Protector patch, but as Gentoo is primarily a source-based meta-distribution, this cannot be considered "out of the box" support.
Typically, stack-smashing protection modifies the organization of data in the stack frame of a function call to include a "canary" value which, when destroyed, shows that a buffer preceding it in memory has been overflowed.
Under OpenBSD, ProPolice is enabled by default, and the -fno-stack-protector flag disables it.
Stack-smashing protection is a change to the compiler; and as such, it is possible for the protection to alter the structure of the data on the stack frame.
OpenBSD 3.1-release, 3.2-release, 3.3-current (20030508 snapshot), and 3.3-current (same snapshot) with a propolice enabled kernel (from 20030513 cvs) were installed on two machines: an Athlon XP and a Pentium 166.
The overall difference between 3.2 and 3.3 (sans propolice kernel) is 4.7% on the athlon and 9.3% on the pentium.
The overall difference between current with and without propolice kernels is 2% on the athlon and 0.7% on the pentium.
Feeds |
Contact