diff options
author | Ned Ludd <solar@gentoo.org> | 2005-02-08 21:21:32 +0000 |
---|---|---|
committer | Ned Ludd <solar@gentoo.org> | 2005-02-08 21:21:32 +0000 |
commit | bec9bd410826a3fcec9c8907fa85cae62cc800f8 (patch) | |
tree | de03f420ae9a046d90cb556d92734dab13a0cb93 /extra | |
parent | 8be6b41965c8853b56a34130be17d582890816ee (diff) |
- 3/NN patches for ssp. Doc updates from Peter S. Mazinger and Robert Connolly
Diffstat (limited to 'extra')
-rw-r--r-- | extra/Configs/Config.in | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/extra/Configs/Config.in b/extra/Configs/Config.in index abc1856ad..c2e7a418c 100644 --- a/extra/Configs/Config.in +++ b/extra/Configs/Config.in @@ -1110,34 +1110,39 @@ config UCLIBC_BUILD_PIE functions must be written as position independent code (PIC). config UCLIBC_HAS_SSP - bool "Support for propolice stack protection" + bool "Support for propolice smashing stack protector" depends on UCLIBC_SECURITY default n help - Adds propolice protection to libc (__guard and __stack_smash_handler). - More about it on <http://www.research.ibm.com/trl/projects/security/ssp> . - To be able to use it, you'll also need a propolice patched gcc, - supporting the -fstack-protector[-all] options. It is a specially patched - gcc version, where __guard and __stack_smash_handler are removed from libgcc. + Add propolice smashing stack protector to the library. + This requires a patched version of GCC, supporting the + -fstack-protector[-all] options, with the __guard and + __stack_smash_handler functions removed from libgcc. + These functions are added to libc instead. + More information at: + <http://www.research.ibm.com/trl/projects/security/ssp/> Most people will answer N. config SSP_QUICK_CANARY - bool "Simple propolice canary w/o accessing /dev/*random" + bool "Use simple guard values without accessing /dev/urandom" depends on UCLIBC_HAS_SSP default n help - Propolice uses a simplified version of the canary, without accessing - /dev/*random. + Use gettimeofday(2) to define the __guard without accessing + /dev/urandom. + WARNING: This makes smashing stack protector vulnerable to timing + attacks. Most people will answer N. config SSP_USE_ERANDOM - bool "Propolice uses /dev/erandom as canary source" + bool "Use erandom for setting guard value if /dev/urandom fails" depends on UCLIBC_HAS_SSP && !SSP_QUICK_CANARY default n help - Propolice uses /dev/erandom as canary source. + Use /dev/erandom to define the guard if /dev/urandom fails (chroot). This requires a modified kernel. - For more info see http://frandom.sourceforge.net/. + More information at: + <http://frandom.sourceforge.net/> Most people will answer N. choice |