Hi bryn1u. I think that SirDice is right about removing CXX/CO/CFLAGS from the /etc/make.conf file. These settings/values can harm your system, really. Let's move on. You asked about FreeBSD, protector, buffer overflow etc. From my own experience, FreeBSD has stack protection on some binaries etc.
Today I wanted to check a few binaries for you (of course not all available in FreeBSD!) with a simple, let's say, hardflag-check script. I checked a few binaries, for example /usr/bin/su, /usr/bin/ssh, /usr/bin/password etc. I was pleasantly surprised, because most tested binaries had a stack protector. Of course, not all, but... So, maybe some examples:
# ./hardflag-check /usr/bin/ssh
Code:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: no, not found!
Read-only relocations: no, not found!
Immediate binding: no, not found!
# ./hardflag-check /usr/bin/passwd
Code:
Stack protected: yes
the rest of hardening features: no, not found etc.
# ./hardflag-check /usr/bin/su
Code:
Stack protected: no, not found!
the rest of hardening features: no, not found etc.
# ./hardflag-check /usr/sbin/wpa_supplicant
Code:
Stack protected: yes
the rest of hardening features: no, not found etc.
# ./hardflag-check /bin/chflags
Code:
Stack protected: no, not found!
the rest of hardening features: no, not found etc.
As you can see, not all binaries have stack protection, but most, I hope, do. In these examples, we can also see some drawbacks. The first checked binary, /usr/bin/ssh, has full information. I also mean the notes (no, not found etc.) about Position Independent Executable (this can protect against "return-to-text" and generally frustrates memory corruption attacks), Fortify Source functions (enables several compile-time and run-time protections in glibc), Immediate binding etc.
These features are really important from the security point of view. Most of you probably know how necessary they are: security features which, on all tested binaries, had the same output: no, not found! and no, normal executable! I hope it will be changed as soon as possible, because I think it is a long-awaited improvement.
So, Mr bryn1u, as you can see, by default FreeBSD offers some stack smash protection. One more thing: the paranoid website is very interesting and contains information about PROPOLICE for FreeBSD, but only two old versions are described, 5.4 and 6.0; still, there is something to learn, right? I hope that I helped you in some way.
By the way, I would like to show you one more result of the already mentioned script, called hardflag-check. However, this time the checked binary will be /sbin/unix_chkpwd from the Linux distribution, which I'm running from time to time.
# ./hardflag-check /sbin/unix_chkpwd
Code:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no, not found!
Looks pretty nice. Best regards!
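As an added example (not part of the original post, and not the hardflag-check script itself), here is how each of the five report lines above can be derived from ELF metadata. It assumes the input is the text printed by `readelf -W -h -l -d --dyn-syms FILE`; the function name `hardening_report` and both sample excerpts are hypothetical and constructed for illustration.

```python
import re

def hardening_report(readelf_text):
    """Classify the text of `readelf -W -h -l -d --dyn-syms FILE` (hypothetical helper)."""
    t = readelf_text
    return {
        # ET_DYN in the ELF header: built as PIE (shared objects are ET_DYN too).
        "Position Independent Executable":
            bool(re.search(r"^\s*Type:\s+DYN\b", t, re.M)),
        # -fstack-protector makes the binary reference __stack_chk_fail.
        "Stack protected": "__stack_chk_fail" in t,
        # _FORTIFY_SOURCE swaps calls for checked variants such as __memcpy_chk.
        "Fortify Source functions": bool(re.search(r"\b__\w+_chk\b", t)),
        # -z relro adds a PT_GNU_RELRO program header.
        "Read-only relocations": bool(re.search(r"^\s*GNU_RELRO\b", t, re.M)),
        # -z now sets BIND_NOW / DF_BIND_NOW / DF_1_NOW in the dynamic section.
        "Immediate binding": bool(re.search(
            r"\(BIND_NOW\)|\(FLAGS\).*\bBIND_NOW\b|\(FLAGS_1\).*\bNOW\b", t)),
    }

# Constructed readelf excerpts (not captured from real systems).
STACK_ONLY = """\
  Type:                              EXEC (Executable file)
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x01a2c4 0x01a2c4 R E 0x200000
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail
     8: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy
"""
HARDENED_LAZY = """\
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x008d10 0x0000000000208d10 0x0000000000208d10 0x0002f0 0x0002f0 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
"""

if __name__ == "__main__":
    for name, text in (("STACK_ONLY", STACK_ONLY), ("HARDENED_LAZY", HARDENED_LAZY)):
        print(name)
        for check, found in hardening_report(text).items():
            print(f"  {check}: {'yes' if found else 'no, not found!'}")
```

A "no" for Fortify Source only means no `__*_chk` symbol is imported; a binary that calls none of the fortifiable functions reports the same result.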